TryHackMe: Anonymous

Walkthrough

Naman Jain
InfoSec Write-ups


Intro:

Hola folks! This time we’ll do the Anonymous room, which is rated Medium on TryHackMe.

So let’s root :D

Initials

My initial setup includes storing the machine IP address in a variable:

export IP=10.10.193.59

Port scanning:

rustscan -a $IP --ulimit 5000 | tee rust.txt

With rustscan we found that 4 ports are open, i.e.

21, 22, 139, 445

Let’s dig deep into these ports with nmap,

nmap -sC -sV -p21,22,139,445 -oN nmap $IP -Pn

nmap scan results

Port - 139,445 (SMB):

smbclient -L $IP -N

I found one share named “pics”. Let’s dig into it.

smb share

I checked the SMB share and found two images. I did everything that I know about steganography, and after wasting some time I got to know that it was just a rabbit hole :/

Exploit

Port- 21 (FTP):

Since the nmap scan revealed that anonymous login is allowed, I logged in as the anonymous user and found some files.

FTP share

My attention was first caught by clean.sh, as it was an executable file; what was it doing there?

I got that file onto my local machine and found that it was automating the cleaning stuff.

clean.sh

So I changed the contents of the folder (added my reverse shell) and uploaded it to the machine. I suddenly saw in the nmap scan that the FTP share folder is writable.

A few seconds later, I got the shell :D

shell

Root

Now that we’ve got user, time to get root.

First thing to try is

sudo -l → no luck

suid binary → no luck

Then I checked the groups and found a weird group name, “lxd”.

It was my first time seeing that, so I researched it on HackTricks and other websites and found some privilege escalation techniques. This site was really helpful to me (:

and we are root!

root!!

Although I was root, I was not able to find the root.txt file. There was only one file at /root.

/root

Later, reading the article, I found that the whole / directory is inside /mnt/root. Following this, I got the root.txt file XD

root.txt
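
The two weaknesses used above (a writable anonymous FTP folder holding a script that gets executed, and a user in the lxd group) can be checked for on a host you administer. This is an added example, not part of the original write-up; the function names and the constructed sample tree, group file and user name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit a host for the two
# misconfigurations this walkthrough relies on.

# 1) Executable files under an FTP root that anyone can replace: either the
#    file itself or its parent directory is writable by "other".
risky_ftp_scripts() (
    root=$1
    find "$root" -type f -perm -0100 | sort | while IFS= read -r f; do
        dir=$(dirname "$f")
        if [ -n "$(find "$f" -maxdepth 0 -perm -0002)" ] ||
           [ -n "$(find "$dir" -maxdepth 0 -perm -0002)" ]; then
            printf '%s\n' "$f"
        fi
    done
)

# 2) Supplementary members of the lxd group in a group(5) file. Membership
#    lets a user mount the host filesystem into a container as root, so
#    treat every name printed here as root-equivalent.
#    (Users whose *primary* group is lxd are listed in passwd, not here.)
lxd_members() (
    group_file=${1:-/etc/group}
    awk -F: '$1 == "lxd" && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i]
    }' "$group_file"
)

# Demo on constructed data: a throwaway tree and group file, not a real host.
demo() (
    t=$(mktemp -d)
    mkdir "$t/scripts"
    printf '#!/bin/sh\n' > "$t/scripts/clean.sh"
    chmod 0777 "$t/scripts"            # world-writable folder, as on the FTP share
    chmod 0755 "$t/scripts/clean.sh"
    printf 'lxd:x:108:alice\n' > "$t/group"   # constructed user name
    echo "replaceable executables:"; risky_ftp_scripts "$t"
    echo "lxd members:";             lxd_members "$t/group"
    rm -rf "$t"
)
demo
```

On a real system, point `risky_ftp_scripts` at the directory the FTP daemon serves to anonymous users and run `lxd_members` with no argument to read /etc/group.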

With this we completed the Anonymous room. Thanks for reading this article (:
