TryHackMe — Kenobi

Task 1
1-)Make sure you’re connected to our network and deploy the machine
No Answer Needed
2-)Scan the machine with Nmap, how many ports are open?

7
Task 2
1-)Using the Nmap command above, how many shares have been found?

3
2-)Once you’re connected, list the files on the share. What is the file you can see?


log.txt
3-)What port is FTP running on?
21
4-)What mount can we see?

/var
Task 3
1-)What is the version?

1.3.5
2-)How many exploits are there for the ProFTPd running?

4
3-)We know that the FTP service is running as the Kenobi user (from the file on the share) and an ssh key is generated for that user.
No Answer Needed
4-)We’re now going to copy Kenobi’s private key using SITE CPFR and SITE CPTO commands.
We knew that the /var directory was the mount we could see (task 2, question 4). So we’ve now moved Kenobi’s private key to the /var/tmp directory.

No Answer Needed
5-)We now have a network mount on our deployed machine! We can go to /var/tmp, get the private key, and then log in to Kenobi’s account.

6-)What is Kenobi’s user flag (/home/kenobi/user.txt)?

d0b0f3f53b6caa532a83915e19224899
Task 4
1-)What file looks particularly out of the ordinary?

/usr/bin/menu
2-)Run the binary, how many options appear?

3
3-)We copied the /bin/sh shell, called it curl, gave it the correct permissions, and then put its location in our path. This meant that when the /usr/bin/menu binary was run, it used our PATH variable to find the “curl” binary, which is actually a copy of /bin/sh. Because the menu binary runs as root, our shell runs as root too!

No Answer Needed
4-)What is the root flag (/root/root.txt)?
177b3cd8562289f37382721c28381f02
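
The root cause in Task 4, question 3 is a root-owned SUID program that runs a helper by bare name, so the caller's PATH decides which file is executed. The sketch below is an added example, not the source of /usr/bin/menu and not part of the room: the command line in the comment, the `run_helper` function, and the /usr/bin/curl location are assumptions used to show how a privileged program avoids the PATH lookup.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (assumed; the page does not show the menu source):
 *     system("curl -I localhost");
 * system() runs /bin/sh -c, and the shell searches the caller's PATH
 * for the bare name "curl". */

/* Fixed environment given to every helper; nothing is inherited. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Run a helper by absolute path with a fixed environment.
 * Returns the helper's exit status (127 if the exec failed),
 * or -1 if the path was refused or the child could not be waited on. */
int run_helper(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                        /* a bare name would need a PATH search */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, SAFE_ENV); /* no shell, no PATH lookup */
        _exit(127);                       /* only reached if execve failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed arguments; argv[0] is only a label for the helper. */
    char *const args[] = { "curl", "-I", "localhost", NULL };
    int rc = run_helper("/usr/bin/curl", args);
    printf("helper exit status: %d\n", rc);
    return 0;
}
```

Auditing for this class of issue starts with the same search used in Task 4, question 1: list SUID files and check any non-standard one for commands invoked without an absolute path.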