
THM | Kenobi


Basic Computer Exploitation | Kenobi | Summary:

This series of walkthroughs aims to help complete beginners finish the Complete Beginner path on the TryHackMe website. It is based on the learning content provided in the Kenobi room.


Disclaimer: Please note that this write-up is NOT intended to replace the original room or its content, but rather serve as supplementary material for those who are stuck and need additional guidance.

Task | 1 | Deploy the vulnerable machine

Question 1: Make sure you're connected to our network and deploy the machine

No answer needed

Question 2: Scan the machine with nmap, how many ports are open?

7

Task | 2 | Enumerating Samba for shares

Question 1: Using the nmap command above, how many shares have been found?

3

Question 2: Once you're connected, list the files on the share. What is the file you can see?

log.txt

Question 3: What port is FTP running on?

21

Question 4: What mount can we see?

/var

Task | 3 | Gain initial access with ProFtpd

Question 1: Let's get the version of ProFtpd. Use netcat to connect to the machine on the FTP port. What is the version?

1.3.5

Question 2: We can use searchsploit to find exploits for a particular software version. Searchsploit is basically just a command line search tool for exploit-db.com. How many exploits are there for the ProFTPd running?

4

Question 3: We know that the FTP service is running as the Kenobi user (from the file on the share) and an ssh key is generated for that user.

No answer needed

Question 4: We knew that the /var directory was a mount we could see (task 2, question 4). So we've now moved Kenobi's private key to the /var/tmp directory.

No answer needed

Question 5: What is Kenobi's user flag (/home/kenobi/user.txt)?

<flag>

Task | 4 | Privilege Escalation with Path Variable Manipulation

Question 1: To search a system for these types of files, run the following: find / -perm -u=s -type f 2>/dev/null. What file looks particularly out of the ordinary?

/usr/bin/menu

Question 2: Run the binary, how many options appear?

3

Question 3: We copied the /bin/sh shell, called it curl, gave it the correct permissions and then put its location in our path. This meant that when the /usr/bin/menu binary was run, it's using our path variable to find the "curl" binary, which is actually a version of /usr/sh. As this file is being run as root, it runs our shell as root!

No answer needed
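
The root cause behind Question 3, next to the fix a developer of such a SUID binary would apply, as an added example (this is not code from the room or from the real /usr/bin/menu binary). The function names, the curl arguments and the fixed PATH value are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: system() passes the string to /bin/sh, which searches the
   caller-controlled PATH for the bare name "curl". Arguments are illustrative. */
int status_check_vulnerable(void) { return system("curl -I localhost"); }

/* Audit helper: which file does a bare command name resolve to for a given PATH?
   Walks the entries left to right like the shell; returns NULL if none match. */
const char *resolve_in_path(const char *cmd, const char *path) {
    static char out[4096];
    while (*path) {
        size_t len = strcspn(path, ":");
        snprintf(out, sizeof out, "%.*s/%s", (int)len, path, cmd);
        if (len > 0 && access(out, X_OK) == 0) return out;
        path += len;
        if (*path == ':') path++;
    }
    return NULL;
}

/* Hardened pattern: absolute path only, no shell, fixed minimal environment. */
int run_absolute(const char *prog, char *const argv[]) {
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    if (prog == NULL || prog[0] != '/') return -1;   /* refuse PATH lookups */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(prog, argv, clean_env);
        _exit(127);                                   /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *path = getenv("PATH");
    const char *hit = resolve_in_path("curl", path ? path : "");
    printf("bare \"curl\" resolves to: %s\n", hit ? hit : "(not found)");
    char *const args[] = { "sh", "-c", "echo child PATH=$PATH", NULL };
    return run_absolute("/bin/sh", args);
}
```

The child started by run_absolute sees only the fixed PATH, so whatever PATH the calling user exported has no influence on which program a privileged binary runs.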

Question 4: What is the root flag (/root/root.txt)?

<flag>