TryHackMe - Anonymous (Medium)
{"author" : ["ret2basic"]}

Summary

The victim has port 21 open and it allows FTP anonymous login. There is a world-writable script that get executed by a cronjob. We overwrite the script with a reverse shell payload and get a user shell.
In the privilege escalation phase, we search for SUID binaries on the victim machine and find that /usr/bin/env is SUID. Using a privesc payload on GTFOBins, we get a root shell easily.

IP

    RHOST: 10.10.29.80
    LHOST: 10.13.12.2

Nmap

Nmap

FTP Anonymous Login

FTP login with username anonymous and empty password. Download all files:
FTP
Examine clean.sh:
clean.sh
Note that clean.sh is world-writable on the FTP server. The idea is to create a malicious clean.sh file containing a Bash reverse shell payload and upload it to the FTP server:
Malicious clean.sh
From the content of removed_files.log, we deduce that there exists a cronjob on the victim machine that executes clean.sh automatically in every time interval. All we need to do here is start a pwncat listener and wait for a reverse shell connection. At a while, we have a user shell as "namelessone":
User shell

Privilege Escalation: SUID env

Search for SUID binaries:
1
find / -perm -u=s -type f 2>/dev/null
Copied!
It finds that /usr/bin/env is SUID:
/usr/bin/env
Search env privesc payloads on GTFOBins:
env privesc payload
Get a root shell:
root shell
Last modified 2mo ago