TryHackMe : Kenobi

Difficulty level: Easy

Room: Kenobi

“Today we will be looking at Kenobi from TryHackMe. “

Info : Walkthrough on exploiting a Linux machine. Enumerate Samba for shares, manipulate a vulnerable version of proftpd and escalate your privileges with path variable manipulation.

Task 1 : Deploy the vulnerable machine

Scan the machine with nmap, how many ports are open?

We can see 7 ports open.

Task 2 : Enumerating Samba for shares

Using the nmap command above, how many shares have been found?

We found 3 shares result on nmap scan.

\\10.10.29.238\print$:

\\10.10.29.238\anonymous:

\\10.10.29.238\IPC$:

Once you’re connected, list the files on the share. What is the file can you see?

On most distributions of Linux smbclient is already installed. Lets inspect one of the shares.

smbclient //<ip>/anonymous

Using your machine, connect to the machines network share.

We can see log txt.

What port is FTP running on?

You can research what port is ftp on google.

What mount can we see?

We can see nfs-showmount.

Task 3 : Gain initial access with ProFtpd

Lets get the version of ProFtpd. Use netcat to connect to the machine on the FTP port.

What is the version?

We can use netcat.

We found ftp version.

We can use searchsploit to find exploits for a particular software version.

Searchsploit is basically just a command line search tool for exploit-db.com.

How many exploits are there for the ProFTPd running?

We can see searchsploit result.

You should have found an exploit from ProFtpd’s mod_copy module.

The mod_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files/directories from one place to another on the server. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.

We know that the FTP service is running as the Kenobi user (from the file on the share) and an ssh key is generated for that user.

No answer needed.

We knew that the /var directory was a mount we could see (task 2, question 4). So we’ve now moved Kenobi’s private key to the /var/tmp directory.

No answer needed.

We’re now going to copy Kenobi’s private key using SITE CPFR and SITE CPTO commands.

What is Kenobi’s user flag (/home/kenobi/user.txt)?

Lets mount the /var/tmp directory to our machine

We now have a network mount on our deployed machine! We can go to /var/tmp and get the private key then login to Kenobi’s account.

We can found user.txt.

Task 4 : Privilege Escalation with Path Variable Manipulation

What file looks particularly out of the ordinary?

Run the binary, how many options appear?

We can see 3 options.

Strings is a command on Linux that looks for human readable strings on a binary.

This shows us the binary is running without a full path (e.g. not using /usr/bin/curl or /usr/bin/uname).

As this file runs as the root users privileges, we can manipulate our path gain a root shell.

We copied the /bin/sh shell, called it curl, gave it the correct permissions and then put its location in our path. This meant that when the /usr/bin/menu binary was run, its using our path variable to find the “curl” binary.. Which is actually a version of /usr/sh, as well as this file being run as root it runs our shell as root!

no answer needed.

What is the root flag (/root/root.txt)?

You can see how you can find it above.

So I completed it all.

This box was really fun! I love the ones that have a story/theme that goes along with them.

Hope you guys enjoyed this tutorial, let me know if you try this out. Follow me for more projects like this!