# TryHackMe-Kenobi

This room covers accessing a Samba share, manipulating a vulnerable version of ProFTPD to gain initial access, and escalating your privileges to root via an SUID binary.

## Information Gathering

nmap -p445,139 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.45.140

smbclient //10.10.45.140/anonymous

smbget -R smb://10.10.45.150/anonymous/

searchsploit ProFTPD 1.3.5

## Exploitation

The mod_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files/directories from one place to another on the server. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.

## Connecting via the Backdoor

ssh -i id_rsa [email protected]

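## Privilege Escalation

On Linux, some commands have the permission bits rws instead of rwx; these files are called SUID files.

The SUID permission only takes effect on binary executables.

SGID files work the same way, except that the s appears in the x permission position of the group.

This shows us the binary is running without a full path (e.g. not using /usr/bin/curl or /usr/bin/uname).
As this file runs with the root user's privileges, we can manipulate our PATH to gain a root shell.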
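
To find this condition on your own hosts before someone else does, the sketch below walks a directory tree, picks out SUID/SGID files, and reports embedded strings that start with a command name lacking a directory part. It is an added example, not part of the original write-up; the `KNOWN_COMMANDS` list, the function names and the sample file are assumptions made for illustration.

```python
import os, re, stat, tempfile

# Assumption: command names worth flagging; extend for your environment.
KNOWN_COMMANDS = {"curl", "uname", "ifconfig", "cat", "ls", "ps", "id", "sh", "bash"}
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # same idea as strings(1), minimum length 4

def is_setuid(path):
    """True for a regular file with the SUID or SGID bit set."""
    mode = os.lstat(path).st_mode
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))

def bare_command_strings(path, known=KNOWN_COMMANDS):
    """Return embedded strings whose first token is a known command with no directory part."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = []
    for match in PRINTABLE.finditer(data):
        text = match.group().decode("ascii").strip()
        tokens = text.split()
        if tokens and "/" not in tokens[0] and tokens[0] in known:
            hits.append(text)
    return hits

def audit(root, known=KNOWN_COMMANDS):
    """Walk root and map each SUID/SGID file to the bare-command strings found in it."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = bare_command_strings(path, known) if is_setuid(path) else []
            except OSError:
                continue  # unreadable or vanished file
            if hits:
                findings[path] = hits
    return findings

def demo():
    """Constructed sample: a fake binary holding one bare and one absolute command string."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample_suid")
        with open(sample, "wb") as fh:
            fh.write(b"\x7fELF\x00\x01curl -I localhost\x00/usr/bin/uname -r\x00\x02\x03")
        os.chmod(sample, 0o4755)  # set the SUID bit on our own file
        return {os.path.basename(p): h for p, h in audit(tmp).items()}

if __name__ == "__main__":
    print(demo())
```

Any hit is a candidate for review: the fix in the binary's source is to call helpers by absolute path and to reset `PATH` to a fixed value before spawning them.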