TryHackMe Room Kenobi
@ Animesh Roy | Thursday, Jun 10, 2021 | 2 minutes read | Update at Thursday, Jun 10, 2021

kenobi

Task 01 : Deploy the vulnerable machine

| Flag-ID | Question | Answer |
|---|---|---|
| 1 | Make sure you’re connected to our network and deploy the machine | |
| 2 | Scan the machine with nmap, how many ports are open? | |

Task 02: Enumerating Samba for shares

samba

cheat sheet

  • nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse [IP]
  • smbclient //<ip>/anonymous
  • smbget -R smb://<ip>/anonymous #recursive download files
  • nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.233.45 #show mounts
| Flag-ID | Question | Answer |
|---|---|---|
| 1 | Using the nmap command above, how many shares have been found? | 3 |
| 2 | Once you’re connected, list the files on the share. What is the file can you see? | (see Flag-2.2) |
| 3 | What port is FTP running on? | 21 (see Flag-2.3) |
| 4 | What mount can we see? | /var (see Flag-2.4) |

Flag-2.2

Anonymous authentication is enabled; just press Enter when it asks for a password.

Flag-2.3

  • Step 1: Download the log file
  • Step 2: Read log.txt to find the FTP configuration

Flag-2.4

ProFtpd



Task 03: Gain initial access with ProFtpd

| Flag-ID | Question | Answer |
|---|---|---|
| 1 | What is the version? | 1.3.5 (see Flag-3.1) |
| 2 | How many exploits are there for the ProFTPd running? | 3 (see Flag-3.2) |
| 3 | We know that the FTP service is running as the Kenobi user (from the file on the share) and an ssh key is generated for that user. | n/a |
| 4 | We knew that the /var directory was a mount we could see (task 2, question 4). So we’ve now moved Kenobi’s private key to the /var/tmp directory. | n/a |
| 5 | What is Kenobi’s user flag (/home/kenobi/user.txt)? | d0b0f3f53b6caa532a83915e19224899 |

Flag-3.1

┌─[anir0y@thm][~/share/thm/room/kenobi]
└──╼ $cat nmap/kenobi 
# Nmap 7.91 scan initiated Thu Jun 10 21:19:17 2021 as: nmap -sC -sV -oN kenobi 10.10.233.45
Nmap scan report for 10.10.233.45
Host is up (0.20s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         `ProFTPD 1.3.5`

Flag-3.2



Task 04: Privilege Escalation with Path Variable Manipulation

suid

| Flag-ID | Question | Answer |
|---|---|---|
| 1 | What file looks particularly out of the ordinary? | /usr/bin/menu |
| 2 | Run the binary, how many options appear? | 3 |
| 3 | We copied the /bin/sh shell, called it curl, gave it the correct permissions and then put its location in our path. This meant that when the /usr/bin/menu binary was run, it's using our path variable to find the “curl” binary. Which is actually a version of /usr/sh, as well as this file being run as root it runs our shell as root! | n/a |
| 4 | What is the root flag (/root/root.txt)? | 177b3cd8562289f37382721c28381f02 |
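
The PATH lookup behind question 3, as an added example that is not part of the original write-up: a bare command name resolves to whichever PATH directory comes first, so a privileged program has to set its own PATH (or call an absolute path) instead of inheriting the caller's. The temporary directories and the stand-in `curl` scripts are constructed, and `resolve` and `untrusted_entries` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original write-up. The directories and the two
# harmless stand-in "curl" scripts are constructed for this demonstration.

# resolve NAME PATHVALUE: print the file a bare NAME would run under PATHVALUE.
resolve() {
    ( PATH="$2"; command -v "$1" )
}

# untrusted_entries PATHVALUE TRUSTED: print every PATH entry that is empty,
# relative, or absent from the colon-separated TRUSTED allowlist.
untrusted_entries() (
    IFS=:; set -f
    for entry in $1; do
        case "$entry" in
            /*) case ":$2:" in *":$entry:"*) continue ;; esac ;;
        esac
        printf '%s\n' "${entry:-<empty>}"
    done
)

demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
sysdir="$demo_root/usr-bin"     # stands in for /usr/bin (root-owned)
userdir="$demo_root/user-tmp"   # stands in for a directory the caller controls
mkdir "$sysdir" "$userdir"
printf '#!/bin/sh\necho "system curl"\n' > "$sysdir/curl"
printf '#!/bin/sh\necho "stand-in curl"\n' > "$userdir/curl"
chmod +x "$sysdir/curl" "$userdir/curl"

caller_path="$userdir:$sysdir"  # PATH inherited from the invoking user
fixed_path="$sysdir"            # PATH a privileged program sets for itself

echo "inherited PATH resolves curl to: $(resolve curl "$caller_path")"
echo "fixed PATH resolves curl to:     $(resolve curl "$fixed_path")"
echo "PATH entries a privileged program should reject:"
untrusted_entries "$caller_path" "$fixed_path"
```

In a compiled SUID helper the equivalent hardening is to execute the absolute path of the tool with an environment the program builds itself, so the caller's PATH never takes part in the lookup.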

