Due date: Oct 17, 2025 03:49 AM
Enumerate
Scan the machine with nmap, how many ports are open?
7

Enumerating Samba for shares
Search for the nmap scripts that enumerate the Samba shares.



Once you're connected, list the files on the share. What file can you see?
log.txt, the ProFTP config file, and the key location
What port is FTP running on?
21

Enumerating NFS service
Search for the nmap scripts that enumerate the NFS share.


What mount can we see?
/var
Initial Access
Gain initial access with ProFtpd
Let's get the version of ProFtpd. Use netcat to connect to the machine on the FTP port. What is the version?
1.3.5

Search for exploits. How many exploits are there for the running ProFTPd?
4


Using the proftpd_modcopy_exec exploit to get the foothold
mod_copy allows the SITE CPFR and SITE CPTO commands to be used by *unauthenticated clients*.
From the earlier steps, we know the paths of the private key and the public key.

Connect to FTP and use the SITE CPFR/SITE CPTO commands to get the file.

Mount the directory.


user Flag

Privilege Escalation
Privilege Escalation via SUID binary with Path Variable Manipulation

What file looks particularly out of the ordinary?
/usr/bin/menu
Run the binary, how many options appear?
3
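Inspecting the binary with strings shows that the code uses three tools: curl, uname, and ifconfig. Following on from that, none of them is called by absolute path, so privileges can be gained by changing the path.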
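
An audit check for the condition described above, as an added example rather than code from the original write-up: it extracts printable strings from a binary the way `strings` does and reports embedded command lines whose program name contains no `/`, which means the lookup depends on the caller's PATH. The `KNOWN_COMMANDS` set, the function names and the `SAMPLE` bytes are assumptions constructed for this example.

```python
import re
import stat
import sys
from pathlib import Path

# Commands to look for; an assumption for this example. Extend for your estate.
KNOWN_COMMANDS = {"curl", "uname", "ifconfig", "cat", "cp", "ls", "ps", "tar", "wget"}

# Same idea as strings(1): runs of at least 4 printable ASCII bytes.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def relative_commands(blob: bytes, known=KNOWN_COMMANDS) -> list[str]:
    """Return embedded command lines whose program is named without a path."""
    hits = []
    for match in PRINTABLE_RUN.finditer(blob):
        text = match.group().decode("ascii").strip()
        if not text:
            continue
        program = text.split()[0]
        # A '/' anywhere in the program name means PATH is not searched.
        if "/" not in program and program in known and text not in hits:
            hits.append(text)
    return hits


def is_setuid(path: Path) -> bool:
    """True when the file carries the set-user-ID bit."""
    return bool(path.stat().st_mode & stat.S_ISUID)


# Constructed sample: bytes shaped like the data section of a menu-style program.
SAMPLE = (b"\x7fELF\x02\x01\x01\x00" b"/lib64/ld-linux-x86-64.so.2\x00"
          b"system\x00curl -I localhost\x00uname -r\x00ifconfig\x00"
          b"/usr/bin/id\x00 Invalid choice\x00")

if __name__ == "__main__":
    # Usage: python3 audit.py /usr/bin/menu ...   (no arguments: run on SAMPLE)
    if len(sys.argv) == 1:
        print(relative_commands(SAMPLE))
    for name in sys.argv[1:]:
        p = Path(name)
        for hit in relative_commands(p.read_bytes()):
            print(f"{p} setuid={is_setuid(p)} relative call: {hit}")
```

A flagged setuid binary is fixed by calling each tool by its absolute path, or by setting a fixed PATH inside the program before it runs anything.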


root Flag

Reference
- Author: ji3g4gp
- URL: https://gpblog.vercel.app//article/Try-Hack-Me-Kenobi
- Copyright notice: This article is licensed under CC BY-NC-SA 4.0; please credit the source when using it.

