TryHackMe - Anonymous (Medium)
The victim has port 21 open and allows anonymous FTP login. A world-writable script on the FTP share is executed by a cronjob. We overwrite the script with a reverse shell payload and get a user shell.
In the privilege escalation phase, we search for SUID binaries on the victim machine and find that /usr/bin/env is SUID. Using a privesc payload from GTFOBins, we get a root shell easily.

- RHOST: 10.10.29.80
- LHOST: 10.13.12.2

[Screenshot: Nmap scan]
FTP login with username anonymous and an empty password. Download all files:
[Screenshot: FTP session]
Examine clean.sh:
[Screenshot: contents of clean.sh]
Note that clean.sh is world-writable on the FTP server. The idea is to create a malicious clean.sh file containing a Bash reverse shell payload and upload it to the FTP server:
[Screenshot: malicious clean.sh]
From the content of removed_files.log, we deduce that there is a cronjob on the victim machine that executes clean.sh automatically at a fixed interval. All we need to do here is start a pwncat listener and wait for the reverse shell connection. After a while, we have a user shell as "namelessone":
[Screenshot: user shell]
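The weakness exploited above is a script that cron runs but that other users can modify. The following audit, added here as an example and not part of the original writeup, scans a crontab file for every absolute path on each line (the command itself and any script handed to an interpreter, as in "/bin/sh /path/clean.sh") and reports paths that are world-writable or that live in a world-writable, non-sticky directory. The function names, the constructed sample crontab and scripts, and the use of find's -L and -maxdepth options (GNU and BSD find) are assumptions of this example.

```shell
#!/bin/sh
# Added audit (not from the original writeup): find cron-invoked scripts that
# other users can modify, i.e. the clean.sh weakness.

# Usage: audit_cron_file <crontab-file>
# Prints one finding per line; returns 1 if anything was found, 0 otherwise.
audit_cron_file() {
    cron_file=$1
    findings=0
    while IFS= read -r line; do
        # skip blank lines, comments and VAR=value assignments (SHELL=, PATH=, ...)
        case "$line" in ''|\#*|[A-Za-z_]*=*) continue ;; esac
        for tok in $line; do
            # only absolute paths that exist as regular files are checked
            case "$tok" in /*) ;; *) continue ;; esac
            [ -f "$tok" ] || continue
            # -L follows symlinks so a /bin -> /usr/bin link is judged by its target
            if [ -n "$(find -L "$tok" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
                echo "WORLD-WRITABLE: $tok (cron line: $line)"
                findings=$((findings + 1))
            fi
            # a world-writable directory without the sticky bit lets anyone
            # replace the script even if the file itself is locked down
            dir=$(dirname "$tok")
            if [ -n "$(find -L "$dir" -maxdepth 0 -perm -0002 ! -perm -1000 2>/dev/null)" ]; then
                echo "WRITABLE-DIR: $dir holds $tok (cron line: $line)"
                findings=$((findings + 1))
            fi
        done
    done < "$cron_file"
    [ "$findings" -eq 0 ]
}

# Constructed sample (stands in for /etc/crontab and the scripts it runs):
# clean.sh is left world-writable, task.sh sits in a world-writable directory,
# safe.sh is properly locked down. Prints the sample directory.
make_sample() {
    dir=$(mktemp -d)
    mkdir "$dir/drop"
    chmod 777 "$dir/drop"
    printf '#!/bin/sh\nrm -f /tmp/*.tmp\n' > "$dir/clean.sh"
    printf '#!/bin/sh\necho task\n' > "$dir/drop/task.sh"
    printf '#!/bin/sh\necho ok\n' > "$dir/safe.sh"
    chmod 777 "$dir/clean.sh"
    chmod 755 "$dir/drop/task.sh" "$dir/safe.sh"
    cat > "$dir/crontab" <<EOF
# m h dom mon dow user command   (constructed, in /etc/crontab format)
SHELL=/bin/sh
*/1 * * * * root /bin/sh $dir/clean.sh
*/5 * * * * root $dir/drop/task.sh
0 3 * * * root $dir/safe.sh --quiet
EOF
    echo "$dir"
}

# Stand-alone demo: build the sample, audit it, clean up.
sample=$(make_sample)
audit_cron_file "$sample/crontab" || echo "cron audit: findings above need fixing"
rm -rf "$sample"
```

On a live host run it against /etc/crontab, each file in /etc/cron.d, and `crontab -l` output saved to a file. The expected fix for each finding is the same one that would have stopped this box: chmod the script to 755 (or stricter) and make it and its directory root-owned.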
Search for SUID binaries:
find / -perm -u=s -type f 2>/dev/null
It finds that /usr/bin/env is SUID:
[Screenshot: /usr/bin/env]
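From the defender's side, the same find test is useful for catching SUID drift: a binary such as /usr/bin/env that gained the setuid bit after the host was built. The script below is an added example, not from the original writeup; it records the SUID set against a baseline and reports additions and removals. The function names, the constructed sample tree and baseline, and the use of -perm -4000 (the octal form of the writeup's -u=s) are assumptions of this example.

```shell
#!/bin/sh
# Added check (not from the original writeup): detect SUID drift by comparing
# the setuid binaries on a host with a baseline from a known-good build.

# Usage: list_suid [root]   (root defaults to /; a constructed tree in the demo)
# Prints SUID regular files as paths relative to root, sorted and de-duplicated.
list_suid() {
    root=${1:-/}
    prefix=${root%/}          # empty when root is "/", so paths stay absolute
    find "$root" -type f -perm -4000 2>/dev/null | sed "s|^$prefix||" | sort -u
}

# Usage: suid_drift <root> <baseline-file>
# NEW: SUID file not in the baseline; MISSING: baseline entry no longer SUID.
# Returns 1 when there is any drift, 0 when the host matches the baseline.
suid_drift() {
    now=$(mktemp); base=$(mktemp)
    list_suid "$1" > "$now"
    sort -u "$2" > "$base"
    drift=$( {
        comm -13 "$base" "$now" | sed 's/^/NEW: /'
        comm -23 "$base" "$now" | sed 's/^/MISSING: /'
    } )
    rm -f "$now" "$base"
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# Constructed sample tree (not a real host): passwd and env are SUID, ls is not.
# The baseline expects passwd and sudo, so env is NEW and sudo is MISSING.
# Prints the tree root.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/bin"
    for f in passwd env ls; do printf '#!/bin/sh\n' > "$t/usr/bin/$f"; done
    chmod 4755 "$t/usr/bin/passwd" "$t/usr/bin/env"
    chmod 755 "$t/usr/bin/ls"
    printf '/usr/bin/passwd\n/usr/bin/sudo\n' > "$t/baseline"
    echo "$t"
}

# Stand-alone demo: scan the sample tree against its baseline, then clean up.
tree=$(make_sample_tree)
echo "SUID drift against baseline (constructed sample):"
suid_drift "$tree" "$tree/baseline" || echo "drift detected: investigate NEW entries"
rm -rf "$tree"
```

On a real host, record `list_suid / > suid.baseline` on a freshly built image and run `suid_drift / suid.baseline` from a cron job or configuration-management check. The scan deliberately does not filter by owner so that the constructed sample works without root; for production use add `-user root` to the find expression, since setuid-root is the case that matters.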
Search for env privesc payloads on GTFOBins:
[Screenshot: env privesc payload]
Get a root shell:
[Screenshot: root shell]