TryHackMe Anonymous Writeup

Wiiz4Rd · 4 min read · Oct 20, 2021

Bonsoir, Elliot. It’s time to deal with the Anonymous machine from TryHackMe.

Information gathering.

As usual, we start with a port scanner to identify the open ports and the services running on the machine. We will use nmap with the following command:

nmap -sC -sV <target IP>

[Screenshot: nmap result]

The scan gives us a lot of information: the open ports and the services running on them. Of course we are interested in FTP on port 21, especially since it allows anonymous access. SMB is also worth a look.

Connecting to FTP is very simple. Type ftp <IP>, enter ‘Anonymous’ as the username and just press Enter at the password prompt.

Let’s see what’s here:

[Screenshot: ftp content]

Let’s use the get command to download these files.

get file

We get a text file reminding someone to remove anonymous access, a log file noting that there was nothing to delete, and a script file.

Looking at clean.sh, we can conclude that it is a Bash script run from cron to clean up the directory. That may be useful later.

Now let’s see what SMB has to offer, using smbmap. First, list all the shares:

smbmap -H <IP>

[Screenshot: share name]

Excellent. There is an available share. Let’s see what’s there with smbclient:

smbclient //<IP>/<SHARENAME>

It contains photos of dogs, nothing of interest to us. Time to get access.

Get shell.

As we remember, we have FTP with read/write access and a Bash script that the machine runs on its own. Let’s take advantage of that. Go to PayloadsAllTheThings and look up the Bash reverse shell.

[Screenshot: Bash payloads]

The first one suits us. Insert your IP address and the port your listener will use, then add this line to the end of clean.sh (or replace the whole script with just that line).

Now we need to put the updated clean.sh back on the target machine. We do it the same way, over FTP, this time with the put command.

put clean.sh

Note that the file size has changed, which confirms that the upload was written.

Start the listener on our machine and wait a little while.

[Screenshot: got shell]

And let’s see the user flag:

[Screenshot: user.txt]
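Seen from the defending side, this foothold exists only because a script that cron executes is writable through anonymous FTP. The following Bash audit is an added example, not part of the writeup: it flags cron entries whose script, or the directory holding it, is group- or world-writable, and it assumes a Linux host with bash, awk and GNU coreutils (stat -c). The function names and the constructed crontab lines are my own.

```bash
#!/usr/bin/env bash
# Added defender-side audit (not part of the writeup): flag cron entries
# whose script, or the directory holding it, is group- or world-writable.
# That is the weakness this box turns on: clean.sh runs from cron but
# sits in an anonymous-writable FTP share. Assumes Linux, bash, awk, GNU stat.

# Return 0 if $1 exists and neither it nor its parent directory carries a
# group- or world-write bit; return 1 otherwise.
script_is_locked_down() {
    local path=$1 target mode
    [ -e "$path" ] || return 1
    for target in "$path" "$(dirname "$path")"; do
        mode=000$(stat -c '%a' "$target")   # pad so two trailing digits exist
        # Last two octal digits are group and other; bit value 2 is write.
        if (( (${mode: -2:1} & 2) || (${mode: -1:1} & 2) )); then
            return 1
        fi
    done
    return 0
}
# Read user-crontab lines on stdin (five schedule fields or an @keyword,
# then the command), print each entry whose script is not locked down,
# and return 1 if anything was flagged, else 0.
audit_crontab() {
    local rc=0 line start cmd
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; @*) start=2 ;; *) start=6 ;; esac
        # Take the first absolute path in the command part ("bash /x/y.sh").
        cmd=$(printf '%s\n' "$line" |
              awk -v s="$start" '{for(i=s;i<=NF;i++) if($i~/^\//){print $i;exit}}')
        [ -n "$cmd" ] || continue
        if ! script_is_locked_down "$cmd"; then
            printf 'FLAGGED: %s  <- %s\n' "$cmd" "$line"
            rc=1
        fi
    done
    return "$rc"
}
# Constructed demonstration: one world-writable script, one locked down.
demo() {
    local dir rc; dir=$(mktemp -d)
    printf '#!/bin/bash\necho cleanup\n' > "$dir/clean.sh"
    cp "$dir/clean.sh" "$dir/backup.sh"
    chmod 777 "$dir/clean.sh"; chmod 750 "$dir/backup.sh"
    printf '*/5 * * * * %s/clean.sh\n0 3 * * * bash %s/backup.sh\n' "$dir" "$dir" |
        audit_crontab
    rc=$?; rm -rf "$dir"; return "$rc"
}
demo || true   # prints one FLAGGED line for clean.sh; demo itself returns 1
```

On a real host, feed it `crontab -l` output (or the command column of /etc/crontab) and fix any finding by making the script and its directory owned by root and writable only by the owner.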

Privilege escalation.

First, let’s check what can be run with sudo without a password: sudo -l. Unfortunately, that gives nothing.

Next, let’s look at the SUID files on this machine. You could upload LinEnum.sh and read through its output, but we’ll do it faster.

We can look at SUID files using these commands:

find / -user root -perm /4000

or

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

The first command produces a long list that takes a while to sort through. We use the second one, which shows only the files we need.

[Screenshot: SUID file list; it seems there is something]

Even so, we get a fairly long list, but it contains what we need: /usr/bin/env

Go to GTFOBins and see how we can use it.

Run this command as specified and get root!

[Screenshot: got root]

All that remains is to read the last flag:

[Screenshot: root.txt]

Thanks to the author of this challenge and to you for reading to the end.


Wiiz4Rd

I am a cybersecurity enthusiast. I want to publish here the most interesting problems and methods of their solution.