TryHackMe CTF (Kenobi)

By: Nicholas Werner

Starting off with an nmap scan.

We enumerated the SMB file shares and found 3.

Now we log into smb with the username anonymous and password anonymous as shown below. ls shows us log.txt

It appears that we cannot read log.txt with the cat command so we exit and type the command below followed by cat log.txt.

We are enumerating port 111 as shown below because it has access to the network file system, rpcbind. As you can see we can mount to /var.

We can see that the version of ProFTPD is 1.3.5 with the command below.

With the command below we can see that there are 3 exploits available for the version of ProFTPD.

We’re now going to copy Kenobi’s private key using SITE CPFR and SITE CPTO commands as shown below.

We knew that the /var directory was a mount we could see so we’ve now moved Kenobi’s private key to the /var/tmp directory.

Now we want to mount the /var/tmp directory to our machine with the commands below.

We now have a network mount on our deployed machine! We can go to /var/tmp and get the private key then login to Kenobi’s account with the commands below.

With ls -la we can see a user.txt file and when we cat user.txt we can see the flag.

To search files that have the SUID bit use the command below.

/usr/bin/menu looks out of the ordinary.

We use the command below to see that it presents 3 options.

Strings is a command on Linux that looks for human readable strings on a binary

We want to cd to our /tmp directory first. As shown below we copied the /bin/sh shell, called it curl, gave it the correct permissions and then put its location in our path. This meant that when the /usr/bin/menu binary was run, its using our path variable to find the “curl” binary which is actually a version of /usr/sh, as well as this file being run as root it runs our shell as root.

With cd /root and cat root.txt we get the flag!

Application Security Engineer | Penetration Tester