TryHackMe — Kenobi | CTF | Beginner Friendly Walkthrough

Nithin R
Aug 5, 2021

Hello, this is Nithin here. I’m a security researcher / enthusiast and I go by the handle @thebinarybot in most places online.

Kenobi is quite an easy CTF at TryHackMe. Here’s my write-up on how I solved this room.

1. Deploy the vulnerable machine

Q1. Make sure you're connected to our network and deploy the machine

(No answer needed)

Q2. Scan the machine with nmap, how many ports are open?

Sometimes, you just don’t need any switches :)

Ans : 7

2. Enumerating Samba for shares

Q1. Using the nmap command above, how many shares have been found?

Ans : 3

Q2. Once you’re connected, list the files on the share. What is the file you can see?

Ans : log.txt

Q3. What port is FTP running on?

Ans : 21

Q4. What mount can we see?

Ans : /var

3. Gain initial access with ProFtpd

Q1. Let's get the version of ProFtpd. Use netcat to connect to the machine on the FTP port. What is the version?

Ans : 1.3.5

Q2. How many exploits are there for the ProFTPd running?

Ans : 4

Q3. We know that the FTP service is running as the Kenobi user (from the file on the share) and an ssh key is generated for that user.

(No answer needed)

The mod_copy exploit allows us to copy files from any part of the filesystem to a chosen destination.

Q4. We knew that the /var directory was a mount we could see (task 2, question 4). So we’ve now moved Kenobi’s private key to the /var/tmp directory.

(No answer needed)

Q5. What is Kenobi’s user flag (/home/kenobi/user.txt)?

Now, since we’ve copied the file to /var/tmp, let’s try to mount that directory on our local machine.

Copy the id_rsa file to your working directory, chmod 600 it, and then SSH in as kenobi using the private key obtained.

Ans : d0b0f3f53b6caa532a83915e19224899

4. Privilege Escalation with Path Variable Manipulation

Q1. What file looks particularly out of the ordinary?

find / -perm -u=s -type f 2>/dev/null (Use this to find all SUID files)

Ans : /usr/bin/menu

Q2. Run the binary, how many options appear?

Ans : 3

Q3. What is the root flag (/root/root.txt)?

Checking strings on /usr/bin/menu, we can see that the binary runs commands without specifying their full paths.

Since it also runs with root privileges, let’s try to manipulate the PATH variable to gain root.

Ans : 177b3cd8562289f37382721c28381f02
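
From the defender's side, the weakness above is a privileged program that lets the caller's PATH decide which executable runs. The C sketch below is an added example, not the room's binary or code from this write-up; the names run_unsafe and run_hardened and the sample commands are hypothetical. It puts the weak pattern next to a form that accepts only absolute paths and passes a fixed environment.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Weak pattern, for comparison: system() passes the string to /bin/sh,
 * which resolves a bare command name through the caller's PATH. */
int run_unsafe(const char *cmd) {
    return system(cmd);
}

/* Hardened pattern: absolute path only, no shell lookup, fixed environment.
 * Returns the child's exit status, or -1 if refused or on failure. */
int run_hardened(char *const argv[]) {
    static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    if (argv == NULL || argv[0] == NULL || argv[0][0] != '/')
        return -1;                        /* refuse PATH-dependent names */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, clean_env); /* no PATH search, no inherited env */
        _exit(127);                       /* only reached if exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    /* Constructed sample commands, not taken from the room's binary. */
    char *const ok[]  = { "/bin/sh", "-c", "exit 0", NULL };
    char *const bad[] = { "sh", "-c", "exit 0", NULL };
    printf("absolute path: %d\n", run_hardened(ok));
    printf("bare name:     %d\n", run_hardened(bad));
    return 0;
}
```

A SUID program that has to call external tools should also drop privileges it no longer needs before doing so.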

Feel free to contact me at @thebinarybot on Twitter if you feel there are any corrections to be made in this article, or for help solving this room. Cheers :)
