# **KENOBI WRITE-UP BY ABDULLAH BIN OWAIS! (Tryhackme)**  **Quick whoami: Hello guys my name is Abdullah Bin Owais and my goal is to help you guys as much as posiible in ethical hacking and pentesting!** **github:** https://github.com/abdullahbinowais21-boop/ # **Enumeration:** **Nmap Scan:**  **interesting finding:** * port 80 is open * Smb service is running(455, 139) **We are going to focus on SMB in this write-up!** # **Getting the user access:** we are going to be using **smclient** and **smbmap** to look into **Samba!** **smbmap:**  **we might be able to login as anonymous using smbclient!** **command to run:**   **as you can see we were able to login to FTP!**  **we found a file named log.txt!**  **we transfered the file into our system by the help of using get!** # **what did file told us:** * **it gave us information on the machine such as groups!** * **it also told us there is a ssh key in the machine!** **We might be able to copy the key into tryhackme machine and mount it!** **we can us netcat to copy id_rsa file to the tryhackme machine**  **first we are going to copy the key!**  **after that we are copy it to the tryhackme machine!**  **as you can see the copy was successful!** **now we can make i dir and then mount it!**   **The mount was successful!**  **we can cd to tmp and copy the id_rsa to our system:**  **now we can finally access the machine as a unprivelleged user!**  **now we successfuly got the user access!** # Privellege Escellation: **We are going to start off by searching for SUID's!**  **usr/bin/menu looks suspicious, lets try to run it!**  **it looks like a program in which it asks us some option and for those questions it gives us different answers, we can exploit this!** **step 1:**  **step 2:**  **step 3:**  **Now lets run the program again!**  **as you can see we were able to get the root access.** **From Abdullah Bin Owais**