TryHackMe write-up: Anonymous

Introduction

This is my write-up for TryHackMe’s Anonymous room.

Enumeration

Using nmap, we see that FTP, SSH and SMB ports are open.

One question asks for the name of the share. We can use smbclient to find it.

Exploitation

Trying to go through the SMB route seemed like a rabbit hole for me. An easier method was to check FTP.

We see that FTP allows for anonymous access. Digging deeper, we also see that there is a directory named “scripts”.

We see that the script clean.sh has read, write and execute permissions! Looking at the script further:

We see that the script deletes files and writes the log to removed_files.log. The relatively recent timestamp means that the script is probably run by a cron job or otherwise called regularly.

We then replace it with the following script:

On a separate window, we run a netcat listener and wait patiently for the script to execute.
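
A defender-side check for the weakness used above, as an added example that is not part of the original write-up: it reads a crontab-format file and reports scheduled scripts that are group- or world-writable, or that sit in a writable, non-sticky directory where they could be replaced. The function names are assumptions, and the room's actual schedule entry is not shown on the page, so the input format (standard crontab lines) is assumed too.

```shell
#!/bin/sh
# Added example, not from the original write-up. Audits a crontab-format file
# for scheduled scripts that someone other than their owner can modify or
# replace (the condition that makes clean.sh dangerous in this room).

# loose_file PATH -> succeeds if PATH is group- or world-writable.
loose_file() {
    [ -n "$(find "$1" -maxdepth 0 \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# loose_dir DIR -> succeeds if DIR is group- or world-writable and has no
# sticky bit, so entries in it can be deleted and re-created by non-owners.
loose_dir() {
    [ -n "$(find "$1" -maxdepth 0 ! -perm -1000 \
            \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# audit_cron_targets FILE -> one finding per line: "<reason> <path>".
audit_cron_targets() {
    # Drop comments and blank lines, split into words, keep absolute paths.
    grep -Ev '^[[:space:]]*(#|$)' "$1" | tr -s '[:space:]' '\n' |
    grep -E '^/' | sort -u |
    while read -r path; do
        [ -f "$path" ] || continue      # skip /dev/null and missing files
        if loose_file "$path"; then
            echo "writable-file $path"
        elif loose_dir "$(dirname "$path")"; then
            # The file itself is locked down, but anyone who can write to
            # its directory (e.g. through an upload) can swap it out.
            echo "writable-dir $path"
        fi
    done
}

# Usage (path is an assumption): audit_cron_targets /etc/crontab
```

Any path this reports should be owned by the account that runs it, have write permission removed for group and others, and live outside directories exposed through FTP or SMB.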

Privilege Escalation

Running find / -perm -u=s 2>/dev/null, we see that env has its SUID bit set.

Checking GTFOBins, we see that it can be used to escalate our privileges!

m0ndzon3