
Kenobi Room WriteUp

This is my write-up for the Kenobi room on TryHackMe.

This room is a Walkthrough type of room

I will not go deep into why the answer is "x" or "y"; it is your job to understand what the room is trying to teach you.

Somewhat of a challenge

This room is also kind of a CTF room, so I will try to go deep into the technical details of the technique(s) we use.


Task 1 - Deploy the vulnerable machine

  • Scan the machine with nmap, how many ports are open? 7

    Default Nmap Scan
    nmap -sV -sC $IP

    PORT STATE SERVICE VERSION
    21/tcp open ftp ProFTPD 1.3.5
    22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    | 2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
    | 256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
    |_ 256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
    80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    | http-robots.txt: 1 disallowed entry
    |_/admin.html
    |_http-title: Site doesn't have a title (text/html).
    111/tcp open rpcbind 2-4 (RPC #100000)
    | rpcinfo:
    | program version port/proto service
    | 100000 2,3,4 111/tcp rpcbind
    | 100000 2,3,4 111/udp rpcbind
    | 100000 3,4 111/tcp6 rpcbind
    | 100000 3,4 111/udp6 rpcbind
    | 100003 2,3,4 2049/tcp nfs
    | 100003 2,3,4 2049/tcp6 nfs
    | 100003 2,3,4 2049/udp nfs
    | 100003 2,3,4 2049/udp6 nfs
    | 100005 1,2,3 36343/tcp mountd
    | 100005 1,2,3 39395/udp6 mountd
    | 100005 1,2,3 46069/udp mountd
    | 100005 1,2,3 54077/tcp6 mountd
    | 100021 1,3,4 36169/tcp nlockmgr
    | 100021 1,3,4 37562/udp6 nlockmgr
    | 100021 1,3,4 41013/udp nlockmgr
    | 100021 1,3,4 45613/tcp6 nlockmgr
    | 100227 2,3 2049/tcp nfs_acl
    | 100227 2,3 2049/tcp6 nfs_acl
    | 100227 2,3 2049/udp nfs_acl
    |_ 100227 2,3 2049/udp6 nfs_acl
    139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
    1038/tcp filtered mtqp
    2049/tcp open nfs_acl 2-3 (RPC #100227)
    Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Task 2 - Enumerating Samba for shares

  • Using the nmap command above, how many shares have been found? 3

    • Instead of using nmap, I will use smbclient for faster enumeration
    Smbclient to enum SMB
    smbclient -L=$IP

    Sharename Type Comment
    --------- ---- -------
    print$ Disk Printer Drivers
    anonymous Disk
    IPC$ IPC IPC Service (kenobi server (Samba, Ubuntu))
  • Once you're connected, list the files on the share. What is the file can you see? log.txt

    Log in to the SMB share
    smbclient //$IP/anonymous

    smb: \> ls
    . D 0 Wed Sep 4 17:49:09 2019
    .. D 0 Wed Sep 4 17:56:07 2019
    log.txt N 12237 Wed Sep 4 17:49:09 2019

    get log.txt
  • What port is FTP running on? 21

  • What mount can we see? var

    Use Nmap to enumerate
    nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount $IP

    PORT STATE SERVICE
    111/tcp open rpcbind
    | nfs-showmount:
    |_ /var *
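The `/var *` line in the nfs-showmount output means the export is offered to any host, which is the finding an administrator would want to catch. The script below is an added example, not part of the original write-up: it classifies an export list (plain `showmount -e` lines or the nmap script lines) as open or restricted. The function names and the `/srv/backup` entry are hypothetical; the fix on the server side is to name specific clients for the export in /etc/exports instead of `*`.

```shell
#!/bin/sh
# Added example: flag NFS exports that any host may mount.
# Input: export list lines in the "path client[,client...]" form printed
# by `showmount -e` or by nmap's nfs-showmount script.

# Constructed sample: the first two lines are the nmap output shown above,
# the third is a hypothetical restricted export for contrast.
SAMPLE_EXPORTS='| nfs-showmount:
|_ /var *
/srv/backup 10.10.0.5,10.10.0.6'

# Print one "OPEN <path>" or "RESTRICTED <path> <clients>" line per export.
classify_exports() {
    awk '
        { sub(/^[|_ \t]+/, "") }              # drop nmap "| " / "|_ " prefixes
        NF < 2 || $1 !~ /^\// { next }        # skip headers and blank lines
        {
            any = 0
            n = split($2, clients, ",")
            for (i = 1; i <= n; i++) {
                c = clients[i]
                # "*" and 0.0.0.0/0 match every host; showmount prints
                # "(everyone)" for an export with no client list
                if (c == "*" || c == "(everyone)" || c == "0.0.0.0/0") any = 1
            }
            if (any) print "OPEN", $1
            else     print "RESTRICTED", $1, $2
        }'
}

# Exit status 0 when no export is world-mountable, 1 otherwise.
exports_are_restricted() {
    ! classify_exports | grep -q '^OPEN '
}

printf '%s\n' "$SAMPLE_EXPORTS" | classify_exports
```

On a real server, pipe `showmount -e localhost` into `exports_are_restricted` and alert on a non-zero exit status.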

Task 3 - Gain initial access with ProFtpd

  • What is the version? 1.3.5

    Banner Grabbing with nc
    nc -v $IP 21
    10.10.76.172: inverse host lookup failed: Unknown host
    (UNKNOWN) [10.10.76.172] 21 (ftp) open
    220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.76.172]
  • How many exploits are there for the ProFTPd running? 4

    Searchsploit for exploit
    searchsploit ProFTPD 1.3.5

    ----------------------------------------------------------- ---------------------------------
    Exploit Title | Path
    ----------------------------------------------------------- ---------------------------------
    ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | linux/remote/37262.rb
    ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py
    ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2) | linux/remote/49908.py
    ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
    ----------------------------------------------------------- ---------------------------------
    Shellcodes: No Results
  • What is Kenobi's user flag (/home/kenobi/user.txt)? d0[REDACTED]99

Task 4 - Privilege Escalation with Path Variable Manipulation

  • What file looks particularly out of the ordinary? /usr/bin/menu

  • Run the binary, how many options appear? 3

  • What is the root flag (/root/root.txt)? 17[REDACTED]02