Anonymous Walkthrough | TryHackMe

Port scanning:
rustscan -a $IP --ulimit 5000 | tee rust.txt
With rustscan we found that 4 ports are open, i.e. 21, 22, 139, 445
Let’s dig deeper into these ports with nmap:
nmap -sC -sV -p21,22,139,445 -oN nmap $IP -Pn

nmap scan results
Port — 139,445 (SMB):
smbclient -L $IP -N
I found one share named “pics”, let’s dig into it.

smb share
I checked the SMB share and found two images, did everything that I know about steganography, and after wasting some time I got to know that it was just a rabbit hole :/
Exploit
Port- 21 (FTP):
Since the nmap scan revealed that anonymous login is allowed, I logged in as the anonymous user and found some files.

FTP share
My attention was first caught by clean.sh, as it was an executable file; what was it doing there?
Got that file onto my local machine and found that it was automating the cleaning stuff.

clean.sh
So I changed the contents of the folder (added my reverse shell) and uploaded it to the machine. I suddenly saw in the nmap scan that the FTP share folder is writable.

A few seconds later, I got the shell :D

shell
Root
Now that we have user, time to get root.
First thing to try is sudo -l → no luck
SUID binary → no luck
Then I checked for groups and found a weird group name, “lxd”.
It was my first time seeing that, so I researched it on hacktricks and other websites, along with some privilege escalation techniques. This site was really helpful to me (:
and we are root!

root!!
Although I was root, I was not able to find the root.txt file. There was only one file at /root

/root
Later, reading the article, I found that the whole / directory is inside /mnt/root
Following this, I got the root.txt file XD
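
The two misconfigurations chained above (an automatically executed script living in a directory other users can write to, and a user account in the lxd group) can both be audited from a shell. This is an added example, not part of the original walkthrough; the function names, the sample directory layout and the user names are hypothetical and constructed.

```shell
#!/bin/sh
# Added audit sketch, not from the walkthrough. All names are hypothetical.

# replaceable_by_others PATH [TOP]
# Exit 0 (and print the offending path) if PATH, or any directory between PATH
# and TOP (default /), is writable by "other" users, meaning someone else can
# modify or swap a script that a scheduler runs from there.
# Sticky world-writable directories (such as /tmp) are skipped: the sticky bit
# stops users from replacing files they do not own.
replaceable_by_others() {
    p=$1 top=${2:-/}
    while :; do
        hit=$(find -H "$p" -prune -perm -0002 \
              \( ! -type d -o ! -perm -1000 \) 2>/dev/null) || hit=
        if [ -n "$hit" ]; then printf '%s\n' "$p"; return 0; fi
        case $p in "$top"|/|.) return 1 ;; esac
        p=$(dirname "$p")
    done
}

# group_members GROUP [FILE]
# Print the supplementary members of GROUP from a group(5)-format file.
# Members of lxd can drive the LXD daemon, which runs as root, so every name
# printed for "lxd" should be reviewed as root-equivalent.
group_members() {
    awk -F: -v g="$1" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i]
    }' "${2:-/etc/group}"
}

# make_sample DIR
# Build a constructed layout under DIR: one script in a world-writable upload
# directory, one in a locked-down directory, and a sample group file.
make_sample() {
    mkdir -p "$1/ftp/scripts" "$1/opt/jobs"
    printf '#!/bin/sh\n' > "$1/ftp/scripts/clean.sh"
    printf '#!/bin/sh\n' > "$1/opt/jobs/clean.sh"
    chmod 777 "$1/ftp/scripts"
    chmod 755 "$1" "$1/ftp" "$1/opt" "$1/opt/jobs" \
              "$1/ftp/scripts/clean.sh" "$1/opt/jobs/clean.sh"
    printf 'adm:x:4:syslog\nlxd:x:108:alice,bob\nsudo:x:27:\n' > "$1/group"
}
```

On a real host, run replaceable_by_others against every script referenced from crontabs and systemd timers, and group_members lxd against /etc/group.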

So there it is.
DM me if you have a query or are stuck on it.