Tryhackme – Anonymous CTF Walkthrough

I love CTF boxes that run a mixture of different exploits to gain an initial foothold and then require you to dig further to find a good privilege escalation path. These types of CTF’s are very useful if you’re preparing for the OSCP or CPENT exams. Hands-on privilege escalation and exploit research is a fundamental skill when going up against those types of certifications. Let’s get started!

First, let’s start by booting our Kali VM, connecting to the VPN for TryHackMe and then joining the room and starting up the box. After all that is done, we can start by scanning to see what services and ports are open on the machine.

nmap results

So, we have 4 ports open. With FTP, SSH, and SMB services running. Right off the bat, we can answer questions 1, 2, and 3 with our nmap output.

So, we can take a couple approaches to this box. We can attempt to attack FTP or SSH services by brute forcing usernames and passwords, searching for an exploit within Metasploit, or trying default creds. Alternatively, we can take a look at this SMB service and see if there are any shares that we may be able to get to.

Considering that question 4 asks about a share, I’m going to take a look at this first.

This time, we ran an nmap script specifically for smb discovery.

SMB scan

Additionally, running nmap with the -sC options will give us additional information on the SMB service and the FTP service as well.

nmap -sC
nmap -sC

One thing that immediately sticks out about the SMB service is that signing is disabled. This is dangerous and perhaps something that we can exploit.

smb signing disabled

So, let’s try some quick brute forcing on SMB.

hydra brute force

Rather quickly we can see that Anonymous access appears to be enabled. So, I’ve canceled Hydra. Let’s run smbmap instead with username ‘Anonymous’.

smb shares

It looks like we do have access to the ‘pics’ share. This is also the answer to question 4.

smbclient connection

Just a couple of pictures. I did try to view them but this looks like it’s a dead end. So, let’s circle back to the FTP service.

As noted previously with the -sC options on our nmap scan, anonymous access is allowed through FTP as well. In fact, nmap connected anonymously to the ftp service. So, let’s try that.

ftp connection

No password needed, and we have a scripts folder.

Directory listing

A few files here. I looked at the log file and the txt file but nothing interesting. However, we do have the shell script. file

It appears that this file cleans up tmp files and writes the output to the removed_files.log file. The script is of no use to us…however, it is executable. Could we write to it and create a reverse shell back to our Kali VM? Let’s try it!

First, let’s start a listener on our Kali VM.

netcat listener

Listener is started, now let’s find a good reverse shell to insert.

We are going to use Pentestmonkey’s reverse shell cheat sheet linked here Reverse Shell Cheat Sheet | pentestmonkey. We will try with the top script for a Bash reverse shell.

So, I created a new file on my Kali VM with the Bash reverse shell script. I then uploaded it to the /scripts folder on the victim machine.

bash reverse shell

Now, let’s see if we get a shell.

reverse shell

We have a shell!

user flag

And we have the user flag now.

Now, we need to get root. There’s a few ways we can go about this. First, let’s just try a ‘sudo su –‘ and see what happens.

sudo su -

Ok, no winner there.

Alright, let’s use a neat little tool called linpeas. Linpeas, linux privilege escalation tool, is a great tool to run on a victim machine to find suitable ways to escalate your privileges to root. First, we’ll need to have the script set in a specific folder. I have a folder called pywww on my Kali desktop that I use. From there, we’ll run a simple http server in that folder to host the contents. This will allow us to curl and grab that script from our victim machine.

Simple http server

In the above screenshot you can see our victim machine requesting

linpeas script

And here is the view from our shell we got previously. We did a curl request to get the file and it auto-executed.

Scrolling through the results we see that the ftp scripts folder has root privileges, but we also see the below.

usr/bin/env PE

/user/bin/env is showing as a high chance for gaining root privileges.

Here is the color coded legend for linpeas. Just to understand what this color means.

linpeas legend

So, with it being a high chance at escalating our privileges. Let’s check it out.

A quick google search of “/usr/bin/env privilege escalation” leads me to a GTFO bins page, env | GTFOBins

So, let’s try it out.

After a couple failed attempts, it works!

privilege escalation

We now have root!

root flag

And with that, we have the flag.

This is a great box that I would highly encourage you to try out. I love the usage of local executable files that you can take over to get an initial shell as well as privilege escalation techniques that you can employ to get root. These types of techniques will come in very handy for exams like the OSCP and CPENT.

Hope you enjoyed it!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.