TryHackMe Kenobi Walkthrough

Reading Time: 8 minutes

Kenobi is another great room to improve your penetration testing skills. If you had liked the Pickle Rick room of the Tryhackme, there is a chance you will also like the Tryhackme Kenobi room. This room is named in honor of Obi-Wan Kenobi, a Star Wars character. A smart way to learn is to try everything by yourself, but there are some situations when you are stuck or do not know where to start. And in such a situation, this Tryhackme Kenobi walkthrough guide will help you.

So, let’s hit the Start Machine button on the Try Hack Me room’s page, and let’s start!

How to deploy the Tryhackme Kenobi machine

TryHackMe Kenobi Room Overview

This room has four tasks that focus on different Linux machine exploitation aspects.

Tryhackme Kenobi room focuses on Samba shares, proftpd exploitation and privilege escalation

There are a few different things that you have to solve in order to get the flag. Things that this room requires to do includes:

  • Enumeration of Samba shares
  • Vulnerable proftpd version manipulation
  • Variable path manipulation leading to privilege escalation

As you might see this room focuses on different things, so if you are stuck you can always reference this Tryhackme Kenobi walkthrough guide.

It is also worth keeping in mind that the room is based on Linux machine’s exploitation specifically.

Kenobi Walkthrough

Let’s start with the actual Kenobi solutions.

Task 1

The first step we have to do (as usual), is the enumeration. As the first question asks how many ports are open, an initial enumeration with Nmap will help us to answer it. A simple nmap command with -A option will give us a lot of information:

Initial enumeration will help us to answer to the question how many ports are open

We can see that ports 21, 22, 80, 111, 139, 445, and 2049 are open. In total, there are 7 ports open. And now we have the answer to our first question:

Seven ports are open in total

Nmap retrieved more than enough information to answer the first question. However, collecting as much information as possible can only benefit us. So the other information that Nmap found, is also very important and might help us in the other tasks.

Nmap scripts found beneficiary information

As we found that port 80 has an Apache webserver, a good idea would be to visit it.

Home page of the Kenobi room's served by webserver

As we made a Nmap scan with the -A option, we also found out that there is an admin.html page.

Admin page of the Kenobi VM

That’s weird, it seems that there are just pictures, there is also nothing additional in the page’s source code. As there is no need for deeper website enumeration (at least at this moment), let’s move on to Task 2.

Task 2

The second task focuses on enumerating the Samba shares. Even though -A flag that we’ve used in the previous task, fired some nmap scripts, we had not enumerated the Samba shares properly. For this purpose, we will use two scripts that will enumerate SMB shares and SMB users:

  • Smb-enum-shares.nse
  • Smb-enum-users.nse

We can start the SMB enumeration with a simple command:

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse IP_ADDRESS

Even though port 139 is also open, we will execute the scripts for port 445, which is an SMB port used in the newer Windows versions (after Windows 2000). These executed scripts results in:

THM Kenobi SMB shares and users enumeration results

And we can see that three shares were found. So, the answer to the question we have is 3.

Nmap found three Samba shares

What can we do next after having this information about SMB shares, is to try logging in with anonymous access. We already know that this is enabled (Nmap results show us that anyone can read and write the \\\anonymous share). As the smbclient, a tool that we can use for connecting to share is installed on most of the Linux distributions, we can try to log in with a straightforward command:

smbclient //IP_ADDRESS/anonymous

When you will be asked for a password, just press Enter, as this is an anonymous login, you do not have to use any password.

You can login with anonymous user to Kenobi room's SMB share

After we’ve gained access to share, we can check what files are in the current directory. We can see that there is a file called log.txt, so now we have an answer to the question.

File you can see on the share is log.txt

As the file name intrigues us, we can check what are the contents of a file. To download the file to our local machine, we can use smbget. Just hit ENTER when asked for username and password:

smbget -R smb://IP_ADDRESS/anonymous

The file should be downloaded after a moment.

Log.txt file was downloaded from the SMB share

Now, open the file with nano or another editor, and take a look at what is inside it. You will notice that the file has information about the SSH key generation and ProFTPD server configuration file. The question asks what port FTP is running on, so you can find this information in the file:

ProFTPD is running on port 21 on Tryhackme Kenobi room's VM

And you can see that it is running on port 21, as it is set in the configuration.

Enter answer 21 to Tryhackme Kenobi task 2 question

Another thing we do know is that port 111 is open. as it is a server that converts RPC (remote procedure call) program numbers into universal addresses, it has an RPC service running. We can use some of the nmap scripts to enumerate network file system:

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount IP_ADDRESS

It should show you the file folders and existing mounts.

NFS enumeration with nmap

We can see that there is a /var mount. And this is the answer to the last question of Tryhackme Kenobi room’s second task.

Var mount was found on Kenobi VMs NFS

Task 3

Let’s continue with the Tryhackme Kenobi walkthrough and let’s check the third task, which leads to ProFtpd exploitation. The first question asks for the ProFtpd version. Remember our initial nmap enumeration? Well, as we used service detection, we can go back to the nmap results. And we can see that ProFTPD 1.3.5 is running on port 21.

ProFTPD 1.3.5 is runnin on Kenobi VM

As we do know what is the version of ProFTPD we can use the command line tool searchsploit to search for the exploits:

searchsploit proftpd

It does returns as a very long list of the exploits. But as not all of them are relevant, and they are effective for different versions of ProFTPD, we can see that only 4 of the exploits are relevant:

Four exploits are relevant for ProFTPD 1.3.5

There are three specific to 1.3.5 version exploits and one that can be used for any 1.x version. So, in total there are 4 exploits that can be used for the ProFTPd version that Kenobi machine uses.

As we know that this version is vulnerable, we can try exploiting this service. We do not have to use Metasploit to exploit ProFTPd, as the vulnerability is pretty straightforward. The exploit we will use, is to make use of “1.3.5 – File Copy” vulnerability. We can overview the exploit’s contents by using searchsploit:

searchsploit -x linux/remote/36742.txt

Exploit description talks about using SITE CPFR and SITE CPTO commands that are implemented in the mod_copy module. We can use these commands to copy files from the filesystem with an unauthenticated client.

We can exploit mod_copy module methods on Tryhackme Kenobi room

Let’s try to do so. First of all, we have to start communication with port 21 of the Kenobi machine:


Our goal is to get Kenobi’s private key. From the previous tasks we already know that there is such a user as Kenobi, and he must have a private key, as we’ve seen the key generation logs. For this purpose let’s use SITE CPFR /home/kenobi/.ssh/id_rsa command. Now let’s copy it to /var directory (again, from the previous tasks we already know that there is a var directory) – SITE CPTO /var/tmp/id_rsa.

This is how everything looks in action:

Exploiting Kenobi machine's ProFTPd service

Great, we have copied the private key to the /var/tmp directory. And from Task 2 we know that /var directory is a mount that we can mount to our machine. Let’s create a directory in our machine for this purpose:

mkdir /mnt/kenobiNFS

Now let’s mount the /var/tmp:

mount IP_ADDRESS:/var /mnt/kenobiNFS

And let’s check the contents of the mount:

ls -la /mnt/kenobiNFS
Mount was attached successfully

As we have the whole filesystem mounted to our machine, we can copy SSH private key and login to Kenobi machine. Let’s start by copying the private key to our machine:

cp /mnt/kenobiNFS/tmp/id_rsa .

Add the needed for execution permissions:

sudo chmod 600 id_rsa

And finally, login to the system:

ssh -i id_rsa kenobi@IP_ADDRESS

As a result, you will gain access as Kenobi.

Successfull gained SSH access to Tryhackme Kenobi machine

The last thing we need to do to finish Task 3 of our Tryhackme Kenobi walkthrough, is to get the flag. Just simply print the contents to the terminal and copy the flag to the THM page – cat /home/kenobi/user.txt.

Flag of the task number 3

Task 4

The fourth task requires escalating privileges with SUID bits. To search for binaries that can be run with elevated privileges, you can use this command:

find / -perm -u=s -type f 2>/dev/null

And we get a list of such binaries.

Binaries with set SUIDS on Kenobi machine

It might be a little bit tricky to find a file that stands out if you do not have much experience, but you can always execute the same command on your THM attacker machine and compare it to the files you found on Kenobi machine. After a deeper investigation, you will probably come to the conclusion that /usr/bin/menu stands from others.

/usr/bin/menu stands out from other files

Try running it by entering /usr/bin/menu to the terminal. You will get a few options:

Menu binary has three options

Having this information we can answer the second question of Kenobi room’s fourth task.

There are three options

The last question requires manipulating the path to gain a root shell. Everything is pretty well documented on the THM task’s description, so let’s follow along and we should be able to get a shell:

cd /tmp
chmod 777 curl
export PATH=/tmp:$PATH

We’ve created a file with the name of curl, wrote shell path to this file, and added it to a path, /usr/bin/menu executed it when we choose a status check, so we got a root shell.

All these commands will results in the Tryhackme Kenobi room's VM privilege escalation

As a result, you will get a root access, and will be able to output the contents of a flag with cat /root/root.txt.

Final flag of the TryHackMe Kenobi room


In this room, you got familiar with the Samba shares enumeration, ProFTPd vulnerabilities, and finally, with a privilege escalation. I hope this Tryhackme Kenobi walkthrough helped you to learn faster.

1 thought on “TryHackMe Kenobi Walkthrough”

Leave a Comment