Writeup of THM Machine called “Anonymous”

Enum

I started with the nmap scan:

(screenshot: nmap scan results)

Two things caught my attention: the FTP service and the SMB service.

I decided to start with FTP, but since SMB is needed to answer the fourth room question, I will show it first.

To enumerate SMB further, I used the smbmap tool:

(screenshot: smbmap output)

Of course, this share is a rabbit hole: it holds nothing but cute puppy pictures.

Going back to the FTP service, we can in fact log in anonymously and see several files in the /scripts directory.

(screenshot: FTP directory listing of /scripts)

The most interesting one is clean.sh:

(screenshot: contents of clean.sh)

The script deletes some files and then writes what it removed to the removed_files.log file. At this point I already suspected that it was run by a cron job or some other system timer, and to check that assumption I simply looked at the log file.

(screenshot: removed_files.log)

Here we can clearly see that roughly every minute a new entry from clean.sh is appended to the file. A scheduled script that is writable over anonymous FTP is a textbook misconfiguration: whoever can edit the script gets code execution as whichever user the timer runs it as.

So the obvious way to exploit it is to put malicious code into clean.sh, or to replace it with a file of our own. But it turned out that we were not allowed to change the permissions of files we uploaded, so I started looking for a way to edit the existing file instead. I found a question on Ask Ubuntu describing exactly this, and it worked perfectly.

The tool is called curlftpfs. This command mounts the FTP share onto a local directory, where <target-ip> is the address of the target machine:

curlftpfs anonymous@<target-ip> /home/silen/Desktop/THM/Anonymous/ftp

From there I simply edited clean.sh so that it connects back to my listener and gives me a bash shell.

(screenshot: editing clean.sh on the mounted share)

In the meantime, I prepared the netcat listener.

(screenshot: netcat listener receiving the shell)

And I got the foothold! Now only the privilege escalation is left.

PrivEsc

After a quick enumeration, I found an interesting SUID binary.

(screenshot: list of SUID binaries)

The command I used:

find / -type f -perm -04000 -ls 2>/dev/null

Looking up this binary on GTFOBins, I found a quick way to exploit it.
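As an added example (not from the original writeup), a small triage of the SUID list: it reuses the find command above, drops the paths that are SUID on a stock Ubuntu install, and prints a GTFOBins lookup URL for whatever remains. The baseline list, the sample find output and the /opt/backup/run-backup path in it are constructed for the demonstration; the binary actually found on this machine is not named here.

```shell
#!/bin/sh
# Added example, not from the original writeup. The baseline list is an
# illustrative Ubuntu default set, and the sample find output (including
# /opt/backup/run-backup) is constructed; no path here is the machine's binary.
set -eu

# Binaries that are SUID on a stock Ubuntu install (not exhaustive; when in
# doubt, generate this list on a clean box of the same release).
SUID_BASELINE='/usr/bin/chfn
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/su
/usr/bin/sudo
/usr/bin/umount
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1'

# Same find as in the writeup, minus -ls so only the paths come out.
list_suid() {
    find / -type f -perm -04000 2>/dev/null
}

# Reads paths on stdin, prints those absent from the baseline (full-line,
# fixed-string match). Empty output means nothing unusual was found.
unexpected_suid() {
    local baseline
    baseline="$(mktemp)"
    printf '%s\n' "$SUID_BASELINE" > "$baseline"
    sort -u | grep -vxF -f "$baseline" || true   # grep exits 1 when nothing is left
    rm -f "$baseline"
}

# GTFOBins pages are keyed by the binary's basename.
gtfobins_url() {
    printf 'https://gtfobins.github.io/gtfobins/%s/\n' "$(basename "$1")"
}

# Constructed sample of find output with one path that is not in the baseline.
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/mount
/usr/bin/umount
/opt/backup/run-backup
/usr/lib/openssh/ssh-keysign
/usr/bin/chsh'

triage_sample() {
    printf '%s\n' "$SAMPLE_SUID" | unexpected_suid
}

# Live use on the target: list_suid | unexpected_suid
for p in $(triage_sample); do
    printf '%s -> %s\n' "$p" "$(gtfobins_url "$p")"
done
```

Each remaining path is a candidate, not a confirmed escalation: check that it is owned by root (the -ls output of the find command shows this) and whether GTFOBins actually has an entry for it before spending time on it.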

(screenshot: root shell)

Another machine PWNed!

Thanks for reading.