# WriteUp for THM-Anonymous
## :memo: Steps followed:
### Step 1: Enumerate the machine IP
*`nmap -v -sC -sV 10.10.27.33 -T4`*

We find FTP port 21 open and SMB service running.
So let's explore them.
:rocket:
### Step 2: Enumerating SMB
I enumerated SMB using:
*`smbclient -L <ip>`*

We explore the pics share and get 2 images. We thought of steganography but found nothing in them.
### Step 3: Enumerating FTP
*`ftp <ip>`*
We proceed by anonymous login:
```
Username: anonymous
Password: password
```

We transfer the three files from the FTP server to our machine using the `get` command.
Reading clean.sh and the .log file, we see that the script is being run at time intervals.
Since we have write permission on clean.sh, the idea is to modify it and upload it back so as to get a reverse shell.
We head over to revshells.com, select bash as the shell, and put in our tun0 IP and the port that we are going to listen on.
We copy the command, paste it into clean.sh and upload it back to the FTP server using the `put clean.sh` command.

Now open another terminal and run *`nc -lnvp <port>`* to listen for connections.
Boom bam we get the shell!
### Step 4:
We find user.txt which contains the flag
## Privilege Escalation (root.txt)
We check for SUID bit binaries.
```
find / -perm -u=s -type f 2>/dev/null
```
We find /usr/bin/env. gtfobins.github.io says that if the SUID bit is set on it, we can get root with:
```
/usr/bin/env /bin/sh -p
```
Running this and then `whoami`, we get "root".
Finally we do:
```
cd /root
cat root.txt
```
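
From the defender's side, the two misconfigurations this box relies on (a periodically executed script that anyone can overwrite, and the SUID bit on /usr/bin/env) can be caught with a short audit. The script below is an added example, not part of the original writeup; the function names, the `RISKY` list and the default directories are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit for the two misconfigurations used on this box.
# RISKY, audit_suid, audit_writable, fix_* are illustrative names.

# General-purpose programs that can start other commands and therefore
# should never carry the SUID bit (short sample list, extend as needed).
RISKY="env sh bash dash find python python3 perl ruby awk vim nmap"

# Print "RISKY <path>" or "review <path>" for every SUID file under $1.
# "review" entries still need comparing against a known-good baseline.
audit_suid() (
    root=${1:-/}
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r f; do
        name=$(basename "$f")
        case " $RISKY " in
            *" $name "*) echo "RISKY $f" ;;
            *)           echo "review $f" ;;
        esac
    done
)

# Print every regular file under $1 that is writable by "other".
# Point it at directories holding cron jobs or scripts served over FTP.
audit_writable() (
    root=${1:-/etc/cron.d}
    find "$root" -xdev -type f -perm -0002 2>/dev/null | sort
)

# Remediation for a finding: drop the SUID bit / the world-write bit.
fix_suid()     { chmod u-s "$1"; }
fix_writable() { chmod o-w "$1"; }

# Stand-alone run against common locations (paths are assumptions).
audit_suid /usr/bin
audit_writable /etc/cron.d
```

On this box the first check would flag /usr/bin/env, and pointing `audit_writable` at the FTP share directory would flag clean.sh.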