Anonymous TryHackMe (Writeup)

Difficulty: Medium

https://tryhackme.com/

Machine: https://tryhackme.com/room/anonymous

#NMAP:

Ok, we find that port 21 (FTP) is open and allows login as user “anonymous”. Let’s enter!!

Let’s go into the “scripts” directory and grab all the files inside! With the command mget * we get two files and one script.

This script appears to remove files from /tmp (the temporary directory), and it also has execute permissions for everyone!

There are also the other two files, but we still have little information, so let’s go and enumerate Samba!

We note that the “pics” share is readable; let’s try to log in to Samba without a password!

Ok, we are IN! And we can extract the two pics. Now let’s enumerate more. The two photos I downloaded were simply a rabbit hole, so let’s continue with ftp. Since we saw that the “clean.sh” file is executable on the machine and is doing its duty there, we can inject some malicious code into it.

To do this injection, I use my faithful friend, which I will link here: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet Since the script is in bash, we inject some malicious bash code.

We can also create a script, obviously with the same name, and upload it, so that it is run automatically in place of the original.

Ok, once this is done, re-enter ftp, cd scripts, and finally put clean.sh. It must have the same name, because that script is run continuously; we are simply injecting the malicious code. Listen on the chosen port, of course.

ANDDDDDDDDD we are IN!!!!!!

#ENUMERATION:

First flag!! Let’s go.

Searching for a SUID binary to exploit. Command: find / -perm -u=s 2>/dev/null

#Horizontal Privilege Escalation:

/usr/bin/env seems to be exploitable; for info visit: https://gtfobins.github.io/

Command: /usr/bin/env /bin/sh -p

Anddddd WE ARE ROOT!! I hope I have been useful to you. Good luck guys.
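As an added defender-side check that is not part of the original writeup: a small POSIX shell audit that flags the two weaknesses this room relies on, a world-writable executable script reachable over FTP (clean.sh) and a SUID binary such as /usr/bin/env that is not in an expected baseline. The FTP root and baseline file paths in the example invocation are placeholders.

```shell
#!/bin/sh
# Added audit helper, not part of the original writeup. It flags the two
# weaknesses this room hinges on so a defender can catch them first:
#   1. a script that is world-writable and executable: anyone who can write
#      to the FTP tree can replace its contents, and the job that keeps
#      running it (here clean.sh) will execute whatever was uploaded
#   2. a set-uid file not present in an expected baseline (here /usr/bin/env)
set -u

# Print every regular file under $1 that is world-writable AND has any
# execute bit, one path per line. Empty output means nothing to fix.
# Remediation: chmod o-w the file (and its directory), and give the FTP
# account an upload area that nothing on the host ever executes.
find_writable_executables() {
  find "$1" -xdev -type f -perm -o=w \
    \( -perm -u=x -o -perm -g=x -o -perm -o=x \) 2>/dev/null | sort
}

# Print every set-uid regular file under $1 that is not listed, one absolute
# path per line and no blank lines (an empty pattern matches every path), in
# the baseline file $2. Build the baseline from a clean install of the same
# distribution and re-run this after every change.
find_unexpected_suid() {
  find "$1" -xdev -type f -perm -4000 2>/dev/null | sort \
    | grep -vxF -f "$2" || true
}

# Run both checks; return 1 if either reports a finding so this can run from
# cron or CI. $1 = FTP root, $2 = baseline file, $3 = system root (default /).
# Example (placeholder paths): audit /srv/ftp /etc/suid-baseline.txt
audit() {
  local ftp_root="$1" baseline="$2" sys_root="${3:-/}" out rc=0
  out=$(find_writable_executables "$ftp_root")
  [ -n "$out" ] && { printf '%s\n' "$out" | sed 's/^/WORLD-WRITABLE EXECUTABLE: /'; rc=1; }
  out=$(find_unexpected_suid "$sys_root" "$baseline")
  [ -n "$out" ] && { printf '%s\n' "$out" | sed 's/^/UNEXPECTED SUID: /'; rc=1; }
  return "$rc"
}
```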

| eCPTX | C|EH Master | CompTIA Security + | eJPT |
0xJin