[EN] TryHackMe — Anonymous Write-Up
Hi guys, it’s Anil Celik, a.k.a. your friendly pwner 0xpr0N3rd on TryHackMe.
In this write-up, I will share the walkthrough of the room named “Anonymous”, which was released yesterday.
First things first, let’s start with an nmap scan:
From our nmap scan, we see that there are 4 ports open: 21, 22, 139 and lastly 445.
Let’s enumerate the SMB service first:
So, as we can see, anonymous access to the SMB service is possible. We see there is a share named “pics”. That could be interesting. Let’s try to see what is inside:
Seems like there are two pictures located in the pics share, what a surprise. I checked those pictures to see whether there was any hidden information inside them, but I couldn’t find anything. Next stop, FTP!
So, anonymous login to FTP service is also possible. Let’s enumerate the FTP share:
Seems like there is a directory named scripts with 3 files inside, and they all look interesting. From here, let’s download those files to our local system and inspect them:
Now that we’ve downloaded the files, let’s see what we can find in them. First, I chose to look at the file named “to_do.txt”:
It gave us a message like this. Let’s see the second file, “clean.sh”:
Alright, what we see here is the following:
- Initially, in this bash script, the variable “tmp_files” is set to 0.
- In the if check, the script checks whether the value of tmp_files is equal to 0. If so, it echoes a message like “Running cleanup script: nothing to delete” into the “removed_files.log” file. Now that’s interesting, because if we look at the removed_files.log file, maybe we can get some valuable information.
- Lastly, in the else branch, if the value of tmp_files is anything other than 0, it removes the file and prints another message.
Now that we’ve seen the script, let’s inspect the last file, “removed_files.log”:
Well, that wasn’t helpful at all. From here, with further enumeration, we can see that there may be a cronjob set to execute clean.sh. So, if we put a bash reverse shell inside our clean.sh file, it will give us a shell. To do that, create a new clean.sh on your local system and try to overwrite the one on the FTP share. We can do this because anonymous login gives us write permission on the FTP share:
Now, let’s create our reverse shell and overwrite the script on the FTP share. To create a bash reverse shell, we can always use Pentest Monkey’s Reverse Shell Cheat Sheet. Let’s create our shell:
Now that we’ve created our payload, it’s time to replace the file on FTP share:
Here, the first clean.sh is the one I created on my local system, and the second clean.sh is the one currently on the FTP share. After executing this, the file on the share is replaced with our modified one. Now, it’s time to set up our nc listener:
You may notice that I used the “rlwrap” prefix before the command. The reason is that in a plain netcat shell, the shell just doesn’t let us use our arrow keys or the scroll wheel on the mouse. With “rlwrap”, we can make it happen.
Note that the cronjob executes at every x0 and x5 minute mark, which means it runs every 5 minutes (jeez, wait much?). After waiting a while, we get our shell:
Now, you may like the nc shell and continue from here, but I simply don’t like it. If I do something wrong and need to cancel it by simply hitting CTRL+C, the shell drops and I need to get the shell again. To prevent this, I upgrade my nc shell to a meterpreter shell. To do that, I first upload the payload file which I created previously with msfvenom. Then, I set up my multi handler module and get my meterpreter shell after executing the file:
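The weak spot this room turns on, a script that root’s cron executes but that an unprivileged user (here, the anonymous FTP login) can overwrite, is also something a defender can audit for. The following is an added example of mine, not code from the room or this write-up; it assumes the system-crontab layout (schedule, user, command), checks only Unix permission bits on the target and its directory, and uses constructed paths and sample scripts. A directory made writable by an FTP daemon’s own configuration would not show up here and has to be reviewed in that daemon’s config.

```python
"""Audit a system crontab for jobs whose target an unprivileged user can replace."""
import os
import re
import stat
import tempfile

# Assumed layout: five schedule fields (or an @keyword), a user field, then the command.
_LINE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})\S+\s+(?P<cmd>.+?)\s*$")

def cron_command(line):
    """Command part of a crontab line; None for blanks, comments and VAR=value lines."""
    if not line.strip() or line.lstrip().startswith("#") or re.match(r"\s*\w+=", line):
        return None
    m = _LINE.match(line)
    return m.group("cmd") if m else None

def script_path(cmd):
    """First absolute path in the command: the program or script cron will execute."""
    return next((tok for tok in cmd.split() if tok.startswith("/")), None)

def weaknesses(path):
    """Reasons a non-owner could control what this cron job runs."""
    found = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IWOTH:
        found.append("script is world-writable")
    parent = os.stat(os.path.dirname(path) or "/").st_mode
    if parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
        found.append("directory is world-writable without sticky bit")
    return found

def audit(crontab_text):
    """Map each flagged cron target to its list of findings."""
    report = {}
    for line in crontab_text.splitlines():
        cmd = cron_command(line)
        path = script_path(cmd) if cmd else None
        if path and (hits := weaknesses(path)):
            report[path] = hits
    return report

def demo():
    """Constructed scenario: root's cron runs a world-writable clean.sh beside a sane script."""
    d = tempfile.mkdtemp()
    weak, safe = os.path.join(d, "clean.sh"), os.path.join(d, "safe.sh")
    for p, mode in ((weak, 0o777), (safe, 0o755)):
        with open(p, "w") as f:
            f.write("#!/bin/bash\n")
        os.chmod(p, mode)
    return audit(f"*/5 * * * * root {weak}\n0 3 * * * root {safe} --quiet\n")
```

On a real host, `audit(open("/etc/crontab").read())` (and the same over /etc/cron.d) lists the entries worth fixing; the clean.sh entry here is flagged while safe.sh is not.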
Here we are. Now, let’s find the user.txt:
That wasn’t so hard. Now, for privilege escalation, I prefer to use linPEAS. What I am going to do is upload linPEAS to the machine and then simply execute it:
When we check the SUID permissions, we see that there is a SUID bit set which is a 99% privilege escalation vector. It’s time to go to our old friend GTFOBins:
Let’s try to use the one for SUID:
Yup, nice and easy.
Thanks to NamelessOne for this cool box, I liked it while I was solving it ❤
BTW: There was also an unintended way to escalate your privileges to root with vim.basic by using the logic described here. But don’t get excited, it’s patched now ¯\_(ツ)_/¯
Thanks for reading my write-up, hope you enjoyed it.
See you on the next one!