## Kenobi

### 1. Deploy the vulnerable machine

1. Scan the machine with nmap, how many ports are open?

   Running `nmap -A` against the target to confirm its details shows 7 ports in use in total.

   ![](https://hackmd.io/_uploads/BkIPvppp2.png)
   ![](https://hackmd.io/_uploads/BylODTaT2.png)

   ans: 7

   The scan also picked up an `/admin.html` page.

   ![](https://hackmd.io/_uploads/rJ0BmfNCn.png)

   Opening it, you find that the page outright tells you it is a trap.

### 2. Enumerating Samba for shares

1. Using nmap we can enumerate a machine for SMB shares. Nmap has the ability to run scripts that automate a wide variety of networking tasks. There is a script to enumerate shares!

   ```
   nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.25.151
   ```

   SMB has two ports, 445 and 139. Using the nmap command above, how many shares have been found?

   As the task asks, scanning the target with this nmap command finds 3 shares and the users, and also reveals that the server name is kenobi.

   ![](https://hackmd.io/_uploads/HyDM0paT2.png)

   ans: 3

2. On most distributions of Linux smbclient is already installed. Let's inspect one of the shares.

   ```
   smbclient //10.10.25.151/anonymous
   ```

   Using your machine, connect to the machine's network share. Once you're connected, list the files on the share. What file can you see?

   ![](https://hackmd.io/_uploads/HkpmlCaan.png)

   ans: log.txt

3. What port is FTP running on?

   The nmap scan results show that port 21 is the FTP service.

   ans: 21

4. Your earlier nmap port scan will have shown port 111 running the service rpcbind. This is just a server that converts remote procedure call (RPC) program numbers into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number it's prepared to serve. In our case, port 111 is access to a network file system. Let's use nmap to enumerate this.

   ```
   nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.25.151
   ```

   What mount can we see?

   ![](https://hackmd.io/_uploads/Bk_ie0pan.png)

   ans: /var

### 3. Gain initial access with ProFtpd

1. Let's get the version of ProFtpd. Use netcat to connect to the machine on the FTP port. What is the version?

   ![](https://hackmd.io/_uploads/r1puWATah.png)

   ans: 1.3.5

2. We can use searchsploit to find exploits for a particular software version. Searchsploit is basically just a command line search tool for exploit-db.com. How many exploits are there for the version of ProFTPd running?

   ![](https://hackmd.io/_uploads/S1k7fA6T3.png)

   ans: 4

   This shows that the target has a vulnerability that allows arbitrary file copying.

3. What is Kenobi's user flag (/home/kenobi/user.txt)?

   ![](https://hackmd.io/_uploads/HkswkiER2.png)
   ![](https://hackmd.io/_uploads/Sy8HJjVCn.png)
   ![](https://hackmd.io/_uploads/H1QHkjEAn.png)

   Successfully logged in to the target machine.

   ![](https://hackmd.io/_uploads/Skw5Js4An.png)

   ans: d0b0f3f53b6caa532a83915e19224899

   I tried using john to get kenobi's password, but found that the key has no passphrase on it.

   ![](https://hackmd.io/_uploads/H1Ok7iNC3.png)

### 4. Privilege Escalation with Path Variable Manipulation

1. What file looks particularly out of the ordinary?

   ![](https://hackmd.io/_uploads/rkPU7s40h.png)

   ans: /usr/bin/menu

   Here we find that /usr/bin/menu has privileged permissions set on it.

2. Run the binary, how many options appear?

   ![](https://hackmd.io/_uploads/ryCNLoNC3.png)

   ans: 3

3. What is the root flag (/root/root.txt)?

   Inspecting the binary with the strings command shows that the status check runs `curl -I localhost`.

   ![](https://hackmd.io/_uploads/HyoSJsLCh.png)

   Change the path that the status check in menu executes so that it opens a shell instead.

   ![](https://hackmd.io/_uploads/SJhBJ3E02.png)

   Root obtained.

   ![](https://hackmd.io/_uploads/SJ0H12NA2.png)

   ans: 177b3cd8562289f37382721c28381f02
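The privilege escalation above works because the privileged `menu` binary runs `curl` by bare name, so the caller's PATH decides which `curl` actually executes. As an added example (not the room's binary and not part of the original writeup), the C below puts that vulnerable pattern next to a hardened replacement; the function names, the `/usr/bin/curl` path and the fixed PATH value are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (what the room's menu binary effectively does): system()
 * passes a bare "curl" to a shell, so it is resolved through the caller's PATH. */
int status_check_vulnerable(void) {
    return system("curl -I localhost");
}

/* Audit helper: does a command string name its program by absolute path? */
int command_uses_absolute_path(const char *cmd) {
    while (*cmd == ' ' || *cmd == '\t')
        cmd++;
    return cmd[0] == '/';
}

/* Hardened replacement (an assumed design, not the room's binary): no shell,
 * absolute program path, fresh environment with a fixed PATH, and SUID
 * privileges dropped before exec. Returns the child's exit status, or -1. */
int run_fixed(const char *prog, char *const argv[]) {
    char *const safe_env[] = { "PATH=/usr/bin:/bin", NULL };
    if (!command_uses_absolute_path(prog))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Drop to the real uid/gid permanently before running anything. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);
        execve(prog, argv, safe_env);
        _exit(127); /* execve only returns on failure */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int status_check_hardened(void) {
    char *const argv[] = { "/usr/bin/curl", "-I", "localhost", NULL };
    return run_fixed(argv[0], argv);
}

int main(void) {
    printf("bare curl is absolute: %d\n", command_uses_absolute_path("curl -I localhost"));
    return status_check_hardened() == 0 ? 0 : 1;
}
```

Because the child's environment is built from scratch and the program is named by absolute path, a writable directory placed first in the invoking user's PATH has no effect on what runs.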