TryHackMe - Anonymous (Medium)


The victim has port 21 open and it allows FTP anonymous login. There is a world-writable script that get executed by a cronjob. We overwrite the script with a reverse shell payload and get a user shell.
In the privilege escalation phase, we search for SUID binaries on the victim machine and find that /usr/bin/env is SUID. Using a privesc payload on GTFOBins, we get a root shell easily.


  • RHOST:
  • LHOST:



User Shell: FTP Anonymous Login => Reverse Shell

FTP login with username anonymous and empty password. Download all files:
Examine clean.sh:
Note that clean.sh is world-writable on the FTP server. The idea is to create a malicious clean.sh file containing a Bash reverse shell payload and upload it to the FTP server:
Malicious clean.sh
From the content of removed_files.log, we deduce that there exists a cronjob on the victim machine that executes clean.sh automatically in every time interval. All we need to do here is start a pwncat listener and wait for a reverse shell connection. At a while, we have a user shell as "namelessone":
User shell

Privilege Escalation: SUID env

Search for SUID binaries:
find / -perm -u=s -type f 2>/dev/null
It finds that /usr/bin/env is SUID:
Search env privesc payloads on GTFOBins:
env privesc payload
Get a root shell:
root shell