# Kenobi

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu4MhOwNDSGo7AJY-y%2F-Mcu4Y57TdtOW8L8O6jT%2Fimage.png?alt=media\&token=4cca2003-ce2f-4451-abaf-89ce265dd3b2)

## Deploy the vulnerable machine

Lets run nmap scans to find open ports and what services are running on them

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-Mcu5aSO9n9xbo_HQW3O%2Fimage.png?alt=media\&token=c2fee31f-4a49-4121-a411-f7306e515909)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-Mcu5hap3I_WNVuJhelw%2Fimage.png?alt=media\&token=5adf2590-7c4e-4e15-b606-2cf2dfdadf1f)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-Mcu60IaVTL5UYimDby8%2Fimage.png?alt=media\&token=997eeff9-af3b-4c42-98fc-a297444de203)

## Enumerating Samba for shares

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-Mcu6PE4MTyWoHHZKQKm%2Fimage.png?alt=media\&token=a09a7763-badf-477b-89dc-8ab410f11b93)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-Mcu6nz7syHQv0rOluie%2Fimage.png?alt=media\&token=b2cf0532-c21c-4bf0-a850-624ef1ee7e8e)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-Mcu6rghe4Ptzt-DZjUl%2Fimage.png?alt=media\&token=39405102-af05-4627-8d3d-7c0853f7af43)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-Mcu777346ENzpCgkmSN%2Fimage.png?alt=media\&token=70431b25-4868-458d-83f4-07cece22e14f)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-Mcu7AhTBJ4IuY5q3TrJ%2Fimage.png?alt=media\&token=679c9bec-6ab5-4010-9bbe-8f495d35e7ee)

Lets read the file

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-Mcu7QWd0CeVRXhDXJaI%2Fimage.png?alt=media\&token=9f91dd4d-1f48-4ae5-af36-ac577a63829b)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-Mcu7YKAxpqG7RbGhm7E%2Fimage.png?alt=media\&token=e4006b6d-b3c6-4b27-90e6-b00276535ef6)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-Mcu7anRSA2Itcz-oB0-%2Fimage.png?alt=media\&token=4b9bb96d-bff5-4e41-8cee-e3485dabcf71)

## Gain initials access with ProFtpd

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-Mcu7m2hfp3Gt0kfyEDM%2Fimage.png?alt=media\&token=b63f6071-ad09-4756-877c-b1702b7fd410)

Lets connect to FTP using Netcat

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-Mcu7xOm0Gx-dtaEBPjK%2Fimage.png?alt=media\&token=fb3ead13-f3f7-4adc-b38e-b30c1e740b16)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-Mcu8-cXhdYFxVRlmWBn%2Fimage.png?alt=media\&token=8c33bfb8-f358-4806-82f2-1c5f20926e4b)

Lets go to searchsploit and look for exploits on this particular version of FTP

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-Mcu8Awkwh0V8gAy8gyU%2Fimage.png?alt=media\&token=b8ff8ca9-60b1-436f-b5d7-54dd10dfa4ab)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-Mcu8EnK-U5uv-_1dHBP%2Fimage.png?alt=media\&token=3c787f62-60d1-4c6f-8659-b098e3306bcf)

Lets follow the steps they gave in the room to get an initial foothold on the machine

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-Mcu8ePRGvNj1t5JJRck%2Fimage.png?alt=media\&token=c99d29a1-8043-4da9-b38d-d234a644b7e9)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-Mcu9_0iIPFAp726JweM%2Fimage.png?alt=media\&token=6d500b60-17e2-4b61-b0c8-7f750be7d446)

We are logged in, lets read the user flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-Mcu9lyV25_d87v6HCB1%2Fimage.png?alt=media\&token=24edad26-c78a-4dd3-af35-80d9c38ed83e)

## Privilege Escalation with Path Variable Manipulation

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-Mcu9zvDiwb_q2WHXN2d%2Fimage.png?alt=media\&token=035708a3-4145-43da-87b8-ead2b1c3f58f)

Lets follow the steps

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-McuAIYy_mt34kvv-Wl6%2Fimage.png?alt=media\&token=7b1d64f2-768b-48dc-9038-28085092e12e)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-McuANOneUXxaMQs7TPp%2Fimage.png?alt=media\&token=82b53478-5b37-4f9d-8021-b52a8c328f6d)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-McuAfEihNzAejemutKq%2Fimage.png?alt=media\&token=8c02d124-dcfd-478a-8398-9129f610b89a)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-McuAiroWBimLBTcSCw4%2Fimage.png?alt=media\&token=d2cb4233-5bf4-4842-95d1-391cd9c8e64b)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-McuAmHBlSIGljsG1Opw%2Fimage.png?alt=media\&token=258450b2-0566-4bbe-9cc9-6e80b641531b)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcu5Z4VEGwh3Lkm5cQT%2F-McuBLLNXemKsiTSfjEQ%2Fimage.png?alt=media\&token=150be412-99dc-4ac7-a00b-1bd41cc4cf75)