Anonymous TryHackMe (Writeup)

Difficulty: Medium

https://tryhackme.com/

Machine: https://tryhackme.com/room/anonymous

#NMAP:

Ok, we find that port 21 (FTP) is open and that it allows login as the user “anonymous”, so let's enter!

Let's go into the “scripts” directory and grab all the files inside with the command mget *. We get two text files and one script.

This script appears to remove files from /tmp (the temporary directory), and it also has execute permission for everyone!

There are the other two files, but they give us little information, so let's go and enumerate Samba!

We note that the “pics” share is readable, so let's try to log in to Samba without a password!

Ok, we are IN! And we can extract the two pics. Now let's enumerate more. The two photos I downloaded were simply a rabbit hole, so let's continue with FTP. Since we saw that “clean.sh” is executable on the machine and is being run on it regularly, we can inject some malicious code into it.

For this injection I use my faithful friend, the reverse shell cheat sheet at http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet. Since the script is written in bash, we inject a bash reverse shell.

We can also create a new script, obviously with the same name, and upload it in place of the original, so that it is run automatically by the scheduled job itself.

Once this is done, re-enter FTP, cd scripts, and finally put clean.sh. It must keep the same name, because that script is being run continuously; we are simply injecting the malicious code into it. Of course, start a listener on the chosen port first.

ANDDDDDDDDD we are IN!!!!!!

#ENUMERATION:

First flag!! Let’s go.

Next, look for SUID binaries to exploit. Command: find / -perm -u=s 2>/dev/null

#Vertical Privilege Escalation:

/usr/bin/env is SUID here, and GTFOBins lists it as usable for privilege escalation. For details visit: https://gtfobins.github.io/

Command: /usr/bin/env /bin/sh -p (the -p flag tells sh to keep the elevated effective UID instead of dropping it)
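The SUID hunt above, as an added example that is not from the writeup: instead of eyeballing the full find output, list the SUID files under a root and flag only those whose name is on a small inline watchlist of binaries that GTFOBins documents as usable when SUID (env among them). The watchlist is a hand-picked subset I wrote for the example, not the complete GTFOBins catalogue.

```bash
#!/usr/bin/env bash
# Added example (not from the writeup). The watchlist is an assumed, partial
# subset of binaries GTFOBins documents as exploitable when SUID.
WATCHLIST="env bash sh find vim python python3 perl awk cp mv tee nmap less more"

# Print every SUID regular file under $1 (default: /), one path per line.
# -perm -4000 is the same test as the writeup's -perm -u=s.
list_suid() {
    find "${1:-/}" -type f -perm -4000 2>/dev/null
}

# Keep only the SUID files whose basename is on the watchlist; these are
# the ones worth looking up on GTFOBins first.
suid_candidates() {
    list_suid "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        for w in $WATCHLIST; do
            if [ "$name" = "$w" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# Usage on the target: suid_candidates /
```

On the room's box this narrows the output to /usr/bin/env, which is exactly the binary the writeup exploits; a match on the watchlist is only a lead, so check the GTFOBins entry for the exact invocation before running anything.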

Anddddd WE ARE ROOT!! I hope this has been useful to you. Good luck, guys.

0xJin
| eCPTX | C|EH Master | CompTIA Security + | eJPT |