Tryhackme: Anonymous
Walkthrough

Intro:
Hola folks! This time we’ll do the Anonymous room, which is rated as Medium on TryHackMe.
So let’s root :D
Initials
My initial setup includes storing the machine IP address in a variable:
export IP=10.10.193.59
Port scanning:
rustscan -a $IP --ulimit 5000 | tee rust.txt
With rustscan we found that 4 ports are open, i.e. 21, 22, 139, 445.
Let’s dig deep into these ports with nmap:
nmap -sC -sV -p21,22,139,445 -oN nmap $IP -Pn

Port - 139,445 (SMB):
smbclient -L $IP -N
I found one share named “pics”, let’s dig into it

I checked the SMB share and found two images, did everything that I know about steganography, and after wasting some time I got to know that it was just a rabbit hole :/
Exploit
Port - 21 (FTP):
Since the nmap scan revealed that anonymous login is allowed, I logged in as the anonymous user and found some files.

My attention was first caught by clean.sh, as it was an executable file just sitting there.
I got that file onto my local machine and found that it was automating the cleaning stuff.

So I changed the contents of the folder (added my reverse shell) and uploaded it to the machine. I suddenly saw in the nmap scan that the FTP share folder is writable.

Few seconds later, I got the shell :D

Root
Now that we’ve got user, time to get root.
First thing to try is sudo -l → no luck
SUID binary → no luck
Then I checked for groups and found a weird group name, “lxd”.
It was my first time seeing that, so I researched it on HackTricks and other websites and found some privilege escalation techniques. This site was really helpful to me (:
And we are root!

Although I was root, I was not able to find the root.txt file. There was only one file at /root.

Later, reading the article, I found that the whole / directory is inside /mnt/root.
Following this, I got the root.txt file XD
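
The lxd group finding above is something you can audit for on your own hosts. This is an added example, not part of the original walkthrough: it lists every account in a root-equivalent group, reading files in /etc/group and /etc/passwd format. The function name, the default group list (lxd plus docker and disk) and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts that belong to root-equivalent groups.
# lxd membership allows mounting the host filesystem inside a container
# (as seen in the walkthrough); docker and disk are added as an assumption.
RISKY_GROUPS="${RISKY_GROUPS:-lxd docker disk}"

# risky_group_members GROUP_FILE PASSWD_FILE
# Prints "group:user" for each supplementary member (4th field of the group
# file) and each account whose primary GID (4th field of passwd) matches.
risky_group_members() {
    awk -F: -v risky="$RISKY_GROUPS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        # First file: group database
        FNR == NR {
            if ($1 in want) {
                gid2name[$3] = $1
                m = split($4, u, ",")
                for (i = 1; i <= m; i++) if (u[i] != "") seen[$1 ":" u[i]] = 1
            }
            next
        }
        # Second file: passwd database, catches primary-group membership
        ($4 in gid2name) { seen[gid2name[$4] ":" $1] = 1 }
        END { for (k in seen) print k }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample data (not taken from the target machine).
sample_dir=$(mktemp -d)
cat > "$sample_dir/group" <<'EOF'
root:x:0:
sudo:x:27:alice
lxd:x:108:ftpuser
docker:x:998:alice,bob
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:1001:108:service:/home/svc:/usr/sbin/nologin
EOF
risky_group_members "$sample_dir/group" "$sample_dir/passwd"
```

On a real host, run it as risky_group_members /etc/group /etc/passwd and treat every line of output as an account that can become root.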
