Kenobi | Nmap, smbclient, smbget

Walkthrough on exploiting a Linux machine. Enumerate Samba for shares, manipulate a vulnerable version of proftpd and escalate your privileges with path variable manipulation.

Enumerating Samba for Shares

  1. Use nmap to enumerate SMB shares and users:
     nmap --script=smb-enum-shares.nse,smb-enum-users.nse -p 445 <ip>
    • SMB has two ports: 445 and 139
  2. Try to connect to one of the shares:
     smbclient //<target ip>/<>
  3. Recursively download the SMB share:
     smbget -R smb://<ip>/<>
  4. Scan the RPCbind port for volumes:
     nmap -p <port of rpc> --script=nfs-ls,nfs-statfs,nfs-showmount <ip>

Gain Initial Access with ProFtpd

  1. Get the proftpd server version using netcat:
     nc <ip> 21
  2. Search for possible exploits
  3. ???
  4. Profit

Privilege Escalation with Path Variable Manipulation

  1. Use SUID bits to elevate privileges; list SUID files with:
     find / -perm -u=s -type f 2>/dev/null
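
The same find test is what a defender runs to audit a host. The script below is an added example, not part of the original walkthrough: it compares the SUID files under a directory against a baseline list and also flags SUID files that group or other can write to. The function names and the baseline file format (one absolute path per line) are assumptions made for this example.

```bash
#!/bin/sh
# Added example: SUID baseline audit. Function names and the baseline
# format (one absolute path per line) are assumptions for illustration.

# List SUID regular files under directory $1, sorted, one per line.
# -perm -4000 is the octal form of the walkthrough's -perm -u=s.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Print SUID files under $1 that are NOT listed in baseline file $2.
# -F fixed strings, -x whole-line match, -v invert, -f read patterns.
unexpected_suid() {
    list_suid "$1" | grep -Fvx -f "$2" || true
}

# Print SUID files under $1 that are writable by group or other.
# Anyone who can write to such a file can replace the code it runs.
writable_suid() {
    find "$1" -xdev -type f -perm -4000 \
        \( -perm -0020 -o -perm -0002 \) 2>/dev/null | sort
}

# Stand-alone use: sh suid_audit.sh <directory> <baseline-file>
if [ "$#" -eq 2 ]; then
    echo "== SUID files missing from baseline =="
    unexpected_suid "$1" "$2"
    echo "== SUID files writable by group/other =="
    writable_suid "$1"
fi
```

Build the baseline from a known-good install of the same distribution, then investigate every path the first section prints.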
Last modified 2023.11.02