Introduction
This is my write-up for TryHackMe's Anonymous Room.
Using nmap, we see that FTP, SSH and SMB ports are open.
One question asks for the name of the share. We can use smbclient to list the shares.
Exploitation
Trying to go through the SMB route seemed like a rabbit hole for me. An easier method was to check FTP.
We see that FTP allows for anonymous access. Digging deeper, we also see that there is a directory named "scripts".
We see that the script clean.sh has read, write and execute permissions! Looking at the script further:
We then replace it with the following script:
Privilege Escalation
Running find / -perm -u=s 2>/dev/null, we see that env has its SUID bit set.
Checking GTFOBins, we see that it can be used to escalate our privileges!
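From the defender's side, the same find check can be run as an audit that flags SUID bits on general-purpose binaries such as env. This is an added example, not part of the original write-up; the function names and the short RISKY_NAMES list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit SUID files under a directory tree.
# RISKY_NAMES is a short constructed list for illustration, not a
# complete inventory; extend it from your own baseline.
RISKY_NAMES="env find bash sh dash python python3 perl vim awk"

# audit_suid ROOT
# Prints one line per SUID regular file under ROOT:
#   "FLAG <path>" if its basename is in RISKY_NAMES,
#   "ok   <path>" otherwise (still worth comparing to a known baseline).
audit_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        name=${path##*/}
        case " $RISKY_NAMES " in
            *" $name "*) printf 'FLAG %s\n' "$path" ;;
            *)           printf 'ok   %s\n' "$path" ;;
        esac
    done
}

# count_flagged ROOT
# Prints the number of flagged files (0 when the tree is clean).
count_flagged() {
    audit_suid "$1" | grep -c '^FLAG ' || true
}

# Stand-alone use: ./audit_suid.sh /   (pass the root to scan)
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

A flagged binary that has no reason to run as its owner can have the bit cleared with chmod u-s.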