
Anonymous Room (TryHackMe)


Introduction:

"Anonymous" is a medium-level virtual machine, designed for beginners who have a basic knowledge of Linux fundamentals.

What we are going to learn –

·      Linux fundamental tools for Reconnaissance.

·      Techniques used to enumerate the system.

·      Exploitation of the system to gain access to it.

·      User-level escalation to obtain the user flag.

·      Privilege escalation to obtain the root flag.

List of Tools Used:

  1. nmap

  2. ftp

  3. smbclient

  4. netcat

Machine details:

Room URL : TryHackMe

Machine IP : 10.10.46.81


Reconnaissance:

Command run: nmap 10.10.46.81 -sVC -Pn

nmap: Network scanning tool used for network exploration and host discovery; it finds open ports, identifies the services behind them and, through its script engine, can flag some known weaknesses.

-sVC: combines -sV (probes open ports to determine service and version info) and -sC (runs the default script scan).

-Pn: Treats all hosts as online, skips host discovery.

Output:

Port      State   Service
21/tcp    open    ftp
22/tcp    open    ssh
139/tcp   open    smb
445/tcp   open    smb

The script scan output shows that the ftp service allows anonymous login, so we will enumerate it next.


Enumeration:

Enumeration of ftp service-

Command run: ftp 10.10.46.81

ftp: File Transfer Protocol allows users to upload, download and manage files on a remote server.

I logged into the ftp server with the username Anonymous and an empty password. Commands run after logging in:

·      ls: lists directory elements.

·      cd scripts: change directory to scripts.

After another ls, I see 3 files in scripts. I download them to my machine by running mget *.

Running cat on each file reveals that to_do.txt is a reminder to disable anonymous login (not useful for us) and removed_files.log is the log of a clean-up script, showing that there was nothing to delete (also not useful for us). clean.sh is the clean-up shell script itself, and it deletes files. This script file will be helpful for us.

Enumeration of smb service-

Command run: smbclient -L 10.10.46.81

smbclient: tool that allows users to access SMB(Server Message Block)/CIFS(Common Internet File System) resources on servers. Can be used to look at share names.

-L: gives a list of what services are available on a server.


Exploitation:

User-Level Escalation/Initial Access:

As seen earlier, it is possible to upload files to the scripts directory. I will create a new clean.sh file containing reverse shell code and replace the original one in the scripts directory with it (go to revshells.com for the reverse shell).

Commands run after getting the reverse shell code:

nano clean.sh

Opens a new editor page, where I paste the reverse shell script. Then Ctrl+X, Y, Enter to save and exit.

Before uploading new file, I will start Netcat listener on the same port number used in the shellcode.

Command run: nc -nvlp 9001

nc: netcat, which here listens for the incoming connection on port 9001

-n: numeric-only IP addresses, no DNS resolution

-v: verbose output

-l: listen mode, for inbound connections

-p: local port number (here, 9001)

To replace the clean.sh script with my shellcode, I will run:

·      put clean.sh: uploads my local clean.sh to the remote scripts directory, overwriting the original.

Once the script runs on the target, the netcat listener receives a shell on the victim's machine. I will run the following commands:

·      whoami: prints effective user name

·      ls: shows two files “pics” and “user.txt”

·      cat user.txt: reveals the user flag!


Privilege Escalation:

To gain root access, I will run the command to search for files:

find / -type f -user root -perm -4000 2>/dev/null

-type f: searches for regular files

-user root: files owned by root

-perm -4000: only files with the setuid bit (4000) set

2>/dev/null: suppresses errors like Permission Denied

Among all the listed files, /usr/bin/env is the interesting one: env runs another program with a chosen environment, and because it is setuid root here, whatever it launches inherits root privileges.

For privilege escalation, I will use GTFOBins, a curated list of Unix binaries that can be used to bypass local security restrictions on misconfigured systems. Go to the SUID tab for env and copy the command without the "./env" part.

In the shell, paste the command to give root access:

·      /usr/bin/env /bin/sh -p

·      whoami shows I am root

·      cd /root changes directory to root

·      ls lists out the root.txt file

·      cat root.txt reveals the root flag!
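Both footholds in this room come from configuration a defender can audit: the anonymous, writable FTP directory in the enumeration section and the unexpected root SUID binary found with the find command above. The following Python audit is an added example, not part of the original post; the baseline of expected SUID binaries, the vsftpd option names checked and the sample inputs are assumptions.

```python
#!/usr/bin/env python3
"""Audit the two misconfigurations from the walkthrough: SUID-root binaries
outside a known baseline, and vsftpd settings that allow anonymous writes."""

# Assumed baseline: SUID-root files a stock Debian/Ubuntu host legitimately
# needs. Anything else (e.g. /usr/bin/env) is reported for review.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/fusermount", "/usr/lib/openssh/ssh-keysign",
}

# vsftpd options that, set this way, permit the anonymous upload used above.
RISKY_VSFTPD = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "YES",
    "anon_other_write_enable": "YES",
    "write_enable": "YES",
}


def unexpected_suid(find_output, baseline=EXPECTED_SUID):
    """Take the output of `find / -type f -user root -perm -4000 2>/dev/null`
    and return the SUID-root paths not in the baseline, sorted."""
    paths = {line.strip() for line in find_output.splitlines() if line.strip()}
    return sorted(paths - set(baseline))


def risky_vsftpd_settings(conf_text):
    """Parse vsftpd.conf text and return the risky key=value pairs present.
    Lines starting with '#' are comments; the last assignment of a key wins."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().upper()
    return {k: v for k, v in settings.items() if RISKY_VSFTPD.get(k) == v}


if __name__ == "__main__":
    # Constructed sample inputs, not captured from the room.
    sample_find = "/usr/bin/passwd\n/usr/bin/sudo\n/usr/bin/env\n/usr/bin/su\n"
    sample_conf = ("listen=YES\nanonymous_enable=YES\n"
                   "# write_enable=NO\nwrite_enable=YES\nanon_upload_enable=yes\n")
    print("unexpected SUID:", unexpected_suid(sample_find))
    print("risky vsftpd settings:", risky_vsftpd_settings(sample_conf))
```

A flagged binary is fixed with `chmod u-s` on that path, and a flagged vsftpd option by setting it to NO (or removing anonymous access altogether, as the room's own to_do.txt suggests).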