TryHackMe write-up: Anonymous


This is my write-up for TryHackMe’s Anonymous Room


Using nmap, we see that FTP, SSH and SMB ports are open.

One question asks for the name of the share. We can use smbclient to do so.


Trying to go through the SMB route seemed like a rabbit hole for me. An easier method was to check FTP.

We see that FTP allows for anonymous access. Digging deeper, we also see that there is a directory named “scripts”.

We see that the script has read and write and execute permissions! Looking at the script further:

We see that the script deletes files and writes the log to removed_files.log. Seeing that this the timestamp is relatively new means that the script is run probably by a cron job or called regulary.

We then replace it with the following script:

On a separate window, we run a netcat listener and wait patiently for the script to execute.

Privilege Escalation

Running find / -perm -u=s 2>/dev/null, we see that env has its SUID bit set.

Checking GTFOBINS, we see that it can be used to escalate our privileges!




I like breaking stuff.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

If you use Rust, you need to see this

GeoPal’s Mobile Workforce Management App — part 2

Efficiently configuration, test, and manage multiple Linux servers with fh command

Exploring the internals of a public library's network

Programming Languages That Were Made By Apple

How to create a basic Flask web page

🏆The Strongest Pika🏆

“SDX: A Software Defined Internet Exchange Point” to Appear at SIGCOMM 2014

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


I like breaking stuff.

More from Medium

Backdoor Hackthebox Write-up| Backdoor Hackthebox Walkthrough

KnightCTF-2022 Write-up

Valentine Write-up

Lame HTB Writeup