# [[Kenobi]]
---
## Port Scanning and Enumeration (Nmap, SMB, FTP)
---
```
nmap -sV -oN nmap/init -sC -vv $IP
```
![58597e24fb080e3528b99cd79a32ead2.png](0b048f9ff32b4954bfd5347d985a056a.png)
![d25343d50a701fb95d33ba646c920db8.png](e0ceb90440d34b4faedefb0a3b619ea5.png)
```
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse $IP -oN nmap/smb
```
![01776e3ba381c5b83ca2ce1b2511ab07.png](266c7a2019da4727922a51f4846e69f2.png)
Using `smbclient` to connect to the `anonymous` share:
```
smbclient //10.10.181.253/anonymous
```
![ef1613dc458c742573fdac08e4d20424.png](633982717f1c44d0ba20a3bd9043ca25.png)
The `log.txt` file shows an SSH key pair being created and contains the basic `ProFTPD` configuration file.
Using nmap again to enumerate port 111, we notice an exported NFS share:
`nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.181.253`
![b21e672db6633606da85b40d8610ef89.png](3ad39d6597324568929eb9d4f7f29d7e.png)
Connecting to the FTP server on port 21:
`nc 10.10.181.253 21`
![8701e4ef4c0ed25e70d20b9267e7248e.png](fbd97e7cf41b47bab51c9d489489edc0.png)
## Foothold (Metasploit, Mount)
---
Using `searchsploit` to look for known exploits:
![70243c5f3857125a9f6970afcbcfa793.png](fcc9f33b37c74367946710baf8ef2360.png)
![771805a87f1f15e01d1cb3a178d68843.png](0417b1c6f7744176aad80733c749f4c1.png)
`SITE CPFR` (copy from) and `SITE CPTO` (copy to) let us copy files around on the filesystem.
The log file said an SSH key pair was created and gave its location. Let's copy that key into the `/var` directory, since that directory is exported over NFS and we can mount it.
![b69ae81492ff52847e70e4575e1b8b8f.png](5238d2ce5aa44a0f8f871d20b8a3e030.png)
`mkdir /mnt/kenobiNFS`
`mount 10.10.181.253:/var /mnt/kenobiNFS`
![7e198cfb39bf4f02197e671257d2393e.png](d74e5671d1b94f40a04084aabbca0f09.png)
We now have access to the `tmp` folder we copied the key into, and can use the key to log in as `kenobi`:
![44b4d904ea815d40d130d3f0e37328c0.png](ad32ca8ddb2847768b2227c1df571f5c.png)
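The foothold above only works because a directory is exported over NFS to any client. As an added example (not code from this writeup or from the box), here is a small `/etc/exports` checker that flags that shape of export, plus the `no_root_squash` and `insecure` options. The sample export lines are constructed for the demo: the box's real `/etc/exports` is not shown in the writeup, so the `/var *(rw,sync,no_root_squash)` line is an assumed shape, not the box's actual configuration.

```c
/* Added example, not from the writeup or the Kenobi box: audit /etc/exports
 * lines for exports that any host may mount and for risky options. */
#include <stdio.h>
#include <string.h>

/* Risk bits returned by audit_export_line() */
enum {
    EXPORT_OK             = 0,
    EXPORT_WORLD          = 1 << 0, /* client spec is '*': any host may mount      */
    EXPORT_NO_ROOT_SQUASH = 1 << 1, /* remote root keeps uid 0 on the export       */
    EXPORT_INSECURE       = 1 << 2, /* requests accepted from non-privileged ports */
    EXPORT_NO_CLIENT      = 1 << 3  /* path with no client spec: review by hand    */
};

/* Constructed sample file: one export in the shape the foothold relied on
 * (assumed, not the box's real file) and one hardened export. */
static const char *const SAMPLE_EXPORTS[] = {
    "# /etc/exports (constructed sample)",
    "/var *(rw,sync,no_root_squash)",
    "/srv/share 10.10.0.0/16(ro,sync,root_squash)",
    NULL
};

/* Copy the next whitespace-delimited token from *cursor into tok; 0 at end of line. */
static int next_token(const char **cursor, char *tok, size_t toklen)
{
    const char *p = *cursor;
    while (*p == ' ' || *p == '\t') p++;
    if (*p == '\0' || *p == '\n') return 0;
    size_t i = 0;
    while (*p && *p != ' ' && *p != '\t' && *p != '\n') {
        if (i + 1 < toklen) tok[i++] = *p;
        p++;
    }
    tok[i] = '\0';
    *cursor = p;
    return 1;
}

/* Whole-word match of 'opt' inside a comma-separated option list. */
static int has_option(const char *opts, const char *opt)
{
    size_t n = strlen(opt);
    const char *p = opts;
    while (*p) {
        if (strncmp(p, opt, n) == 0 && (p[n] == ',' || p[n] == '\0')) return 1;
        const char *comma = strchr(p, ',');
        if (!comma) break;
        p = comma + 1;
    }
    return 0;
}

/* Audit one line of the form "/path client(opt,opt) client2(opt)" and return
 * the OR of the EXPORT_* bits over all client entries. Blank lines and
 * comments are EXPORT_OK. Only a bare '*' counts as world-exported here. */
int audit_export_line(const char *line)
{
    const char *cur = line;
    char tok[256];
    if (!next_token(&cur, tok, sizeof tok) || tok[0] == '#') return EXPORT_OK;
    int risk = 0, clients = 0;
    while (next_token(&cur, tok, sizeof tok)) {
        clients++;
        char *paren = strchr(tok, '(');
        const char *opts = "";
        if (paren) {
            *paren = '\0';                    /* tok is now just the client spec */
            opts = paren + 1;
            char *close = strchr(paren + 1, ')');
            if (close) *close = '\0';
        }
        if (strcmp(tok, "*") == 0) risk |= EXPORT_WORLD;
        if (has_option(opts, "no_root_squash")) risk |= EXPORT_NO_ROOT_SQUASH;
        if (has_option(opts, "insecure")) risk |= EXPORT_INSECURE;
    }
    if (clients == 0) risk |= EXPORT_NO_CLIENT;
    return risk;
}

/* Number of lines in a NULL-terminated list that carry any risk bit. */
int risky_export_count(const char *const lines[])
{
    int n = 0;
    for (int i = 0; lines[i]; i++)
        if (audit_export_line(lines[i]) != EXPORT_OK) n++;
    return n;
}

int main(void)
{
    for (int i = 0; SAMPLE_EXPORTS[i]; i++) {
        int r = audit_export_line(SAMPLE_EXPORTS[i]);
        printf("%-48s %s%s%s%s\n", SAMPLE_EXPORTS[i],
               r == EXPORT_OK ? "ok" : "",
               (r & EXPORT_WORLD) ? "WORLD " : "",
               (r & EXPORT_NO_ROOT_SQUASH) ? "NO_ROOT_SQUASH " : "",
               (r & EXPORT_INSECURE) ? "INSECURE " : "");
    }
    printf("risky exports: %d\n", risky_export_count(SAMPLE_EXPORTS));
    return 0;
}
```

The hardened line shows the usual fix: restrict the client list to the hosts or subnet that actually need the share, keep `root_squash` (the default) so a remote root is mapped to an unprivileged user, and export read-only unless writes are required.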
## Privilege Escalation (SUID)
---
Now that we have a foothold we want root. Let's search for SUID binaries:
![5495e49f75fb0cc3e16c7ec14bd87d85.png](1c8d1bf1610d4974b0ad0313d34c8718.png)
`find / -perm -u=s -type f 2>/dev/null`
![4f89a4cc3d3233a32e8fa47ff8337dc4.png](bd2e01dd02e74a638d3e2189ef19a14d.png)
The odd one out is `/usr/bin/menu`.
![876983616782adbf5a76accc41965df4.png](d1bb78dee9cc4369844860195f89be6d.png)
Let's run `strings` on it and see what it contains. The interesting part is:
![1db3096e7cb58b67e091a350df1d45bb.png](ffbb2052bc464d58ab86de44b595500c.png)
Since it calls `curl` without a full path, the lookup goes through `PATH`, so maybe we can hijack it.
![ee689c09ab026f7be01e621be66f4c8f.png](eefab14aec2340e4bafc74a149dad133.png)
By creating our own `curl` and putting its directory first in `PATH`, we make the `/usr/bin/menu` binary call *our* `curl`. Since `/usr/bin/menu` runs with elevated privileges, our `curl` runs as root and we get root.
Switching `PATH` back to the default:
`source /etc/environment`
We can now `cat` the root flag.
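The root cause of this privilege escalation is a privileged binary that runs a helper by bare name and so inherits its caller's `PATH`. As an added example (not code from this writeup, and not the source of the box's `/usr/bin/menu`, which the writeup only shows through `strings`), the block below simulates the shell's `PATH` lookup against a constructed list of paths, so it runs without touching the real filesystem, and sets the vulnerable lookup beside a hardened launcher. The `system("curl ...")` shape of the vulnerable binary is an assumption drawn from the `strings` output; the `/tmp/curl` entry in the constructed path list is the planted file from the writeup.

```c
/* Added example, not from the writeup or the Kenobi box: why an unqualified
 * command in a SUID binary is hijackable through PATH, and the hardened form. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Test hook: "does this path exist?" answered from a constructed list. */
typedef int (*exists_fn)(const char *path);

static int demo_exists(const char *p)
{
    /* Constructed: /usr/bin/curl is the real binary, /tmp/curl the planted one. */
    static const char *const present[] = { "/usr/bin/curl", "/tmp/curl", NULL };
    for (int i = 0; present[i]; i++)
        if (strcmp(p, present[i]) == 0) return 1;
    return 0;
}

/* What /bin/sh does for system("curl ..."): a name without '/' is tried in
 * each PATH directory in order and the first hit wins (an empty entry means
 * the current directory). Fills 'out' and returns 0, or -1 if nothing matched. */
int resolve_in_path(const char *cmd, const char *path, exists_fn exists,
                    char *out, size_t outlen)
{
    if (strchr(cmd, '/')) {                      /* explicit path: no search */
        snprintf(out, outlen, "%s", cmd);
        return exists(out) ? 0 : -1;
    }
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0) snprintf(out, outlen, "./%s", cmd);
        else          snprintf(out, outlen, "%.*s/%s", (int)len, p, cmd);
        if (exists(out)) return 0;
        if (!end) break;
        p = end + 1;
    }
    return -1;
}

/* Vulnerable shape (assumed for /usr/bin/menu): the binary trusts whatever
 * PATH its unprivileged caller set, so the caller picks which "curl" runs
 * with the binary's privileges. */
int vulnerable_lookup(const char *caller_path, exists_fn exists,
                      char *out, size_t outlen)
{
    return resolve_in_path("curl", caller_path, exists, out, outlen);
}

/* Hardened launcher: absolute path, fixed argv, a minimal environment of our
 * own, and execve instead of system(), so no shell expands anything and
 * nothing from the caller (PATH, IFS, LD_*) reaches the child. Like execve
 * it only returns, with -1, on failure. */
int hardened_run_curl(const char *host)
{
    char *const argv[] = { "curl", "-I", (char *)host, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    return execve("/usr/bin/curl", argv, envp);
}

int main(void)
{
    char out[256];
    const char *hijacked = "/tmp:/usr/bin:/bin";   /* PATH with a writable dir first */
    const char *clean    = "/usr/bin:/bin";        /* PATH after restoring the default */

    if (vulnerable_lookup(hijacked, demo_exists, out, sizeof out) == 0)
        printf("vulnerable lookup, PATH=%s -> %s\n", hijacked, out);
    if (vulnerable_lookup(clean, demo_exists, out, sizeof out) == 0)
        printf("vulnerable lookup, PATH=%s -> %s\n", clean, out);
    printf("hardened launcher -> /usr/bin/curl regardless of PATH\n");

    /* Replaces this process with the real curl; only returns if it is missing. */
    if (hardened_run_curl("localhost") == -1)
        perror("execve /usr/bin/curl");
    return 1;
}
```

Two design points worth keeping: the fix is not to sanitize `PATH` and keep `system()`, because the shell also honours other environment variables and parses the string; it is to name the helper by absolute path and pass `argv` and `envp` explicitly. On the detection side, the writeup's own `find / -perm -u=s -type f` is the audit to run periodically, diffing the result against the list the package manager installed.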
---
Back to [[TryHackMe Index|TryHackMe Index]]
Tags: #thm #tryhackme #box_writeups #smbclient #smb #nfs #ssh #suid
Related: