search
Personal WebsiteGithubLinkedIn

Anonymous

https://tryhackme.com/room/anonymous

hashtag
Task 1: Pwn

hashtag
Enumerate the machine. How many ports are open?

Let's perform a simple nmap scan against the target machine.

$ nmap -p- 10.10.94.176 -T5
Starting Nmap 7.92 ( https://nmap.org ) at 2024-02-02 20:19 IST
Warning: 10.10.94.176 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.94.176
Host is up (0.13s latency).
Not shown: 65503 closed tcp ports (conn-refused), 28 filtered tcp ports (no-response)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 530.35 seconds

We can now perform an in-depth scan only on the open ports.

$ nmap -A -p 21,22,139,445 10.10.94.176    
Starting Nmap 7.92 ( https://nmap.org ) at 2024-02-02 20:30 IST
Nmap scan report for 10.10.94.176
Host is up (0.14s latency).

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.0.8 or later
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.17.48.138
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 111      113          4096 Jun 04  2020 scripts [NSE: writeable]
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8b:ca:21:62:1c:2b:23:fa:6b:c6:1f:a8:13:fe:1c:68 (RSA)
|   256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
|_  256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (ED25519)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time: 
|   date: 2024-02-02T15:00:15
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: anonymous
|   NetBIOS computer name: ANONYMOUS\x00
|   Domain name: \x00
|   FQDN: anonymous
|_  System time: 2024-02-02T15:00:15+00:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.88 seconds

There are four open ports:

Port
Service

21

ftp

22

ssh

139

netbios-ssn (smbd)

445

netbios-ssn (smbd)

hashtag
Answer

hashtag

hashtag
What service is running on port 21?

hashtag
Answer

hashtag

hashtag
What service is running on ports 139 and 445?

hashtag
Answer

hashtag

hashtag
There's a share on the user's computer. What's it called?

We can list out the SMB shares on the target using smbclient.

hashtag
Answer

hashtag

hashtag
user.txt

Looking back at our nmap scan, we can see that anonymous login is allowed on the FTP server.

Let's perform some enumeration on the server.

We can use the get command to download the files from the FTP server to our attacker machine.

Let's catout the removed_files.log file.

Let's check the clean.sh script next.

So it seems like this script is a cronjob that runs after a particular time interval and adds the output into the ``removed_files.log` file.

In that case we can replace the content of the file to a reverse shell in order to obtain a shell on the target machine. We can get the script from Pentest Monkey.

Once the clean.sh file has been modified, we can log back into the FTP server and upload the file using the put command.

Now all we have to do is set up a nc listener and wait.

After a while we would have connected to the target machine using our reverse shell.

Let's get the user.txt flag.

hashtag
Answer

hashtag

hashtag
root.txt

Let's search for files with the SUID bit set.

For this particular lab we will be using the /usr/bin/env to escalate our privileges. The exploit can be found on GTFOBinsarrow-up-right.

Let's use the exploit.

We can now read the root flag.

hashtag
Answer

Last updated