✅TryHackMe - Anonymous (Medium)

Summary

The victim has port 21 open and it allows FTP anonymous login. There is a world-writable script that get executed by a cronjob. We overwrite the script with a reverse shell payload and get a user shell.

In the privilege escalation phase, we search for SUID binaries on the victim machine and find that /usr/bin/env is SUID. Using a privesc payload on GTFOBins, we get a root shell easily.

IP

• RHOST: 10.10.29.80

• LHOST: 10.13.12.2

Nmap

Nmap

User Shell: FTP Anonymous Login => Reverse Shell

FTP login with username anonymous and empty password. Download all files:

FTP

Examine clean.sh:

clean.sh

Note that clean.sh is world-writable on the FTP server. The idea is to create a malicious clean.sh file containing a Bash reverse shell payload and upload it to the FTP server:

Malicious clean.sh

From the content of removed_files.log, we deduce that there exists a cronjob on the victim machine that executes clean.sh automatically in every time interval. All we need to do here is start a pwncat listener and wait for a reverse shell connection. At a while, we have a user shell as "namelessone":

User shell

Privilege Escalation: SUID env

Search for SUID binaries:

find / -perm -u=s -type f 2>/dev/null

It finds that /usr/bin/env is SUID:

/usr/bin/env

Search env privesc payloads on GTFOBins:

env privesc payload

Get a root shell:

root shell