Anonymous (Not the hacking group)
A boot-to-root machine aimed at testing our knowledge of the fundamentals. Acquiring both flags will require some basic knowledge of Linux and privilege escalation methods.

Boot 2 Root
I performed an nmap scan to find open ports on the machine.
$ nmap -A -T4 -p- 10.10.17.76 -Pn
This is what the nmap flags stand for:
-A All, i.e. enable OS detection, version detection, script scanning, and traceroute
-T4 the speed (timing) template; these templates tell nmap how quickly to perform the scan, ranging from 0 for slow and stealthy to 5 for fast and obvious
-p- Scan all Transmission Control Protocol (TCP) ports: 1-65535
-Pn Treat all hosts as online -- skip host discovery


We can see the machine allows anonymous login for FTP. I am going to try that first and see what I can find.

From the screenshot below, we see that we have some interesting files.

I download them to my local machine with the get command in order to read them.

I get nothing major from the to_do.txt file. Just a to-do for disabling anonymous login.

The removed_files.log also shows me nothing helpful.

And clean.sh is the cleanup script. We notice that clean.sh is a script run as a cron job, i.e. it is executed at regular intervals, and its output is written to the “removed_files.log” file. Maybe this could be helpful somewhere.

After some googling and searchsploit searching, it seems vsftpd 2.0.8 has nothing I can exploit for the moment.

I'll now concentrate on enumerating SMB.
I'll use the following command to list all the available shares:
$ smbclient -L 10.10.17.76
The -L flag is short for --list=HOST: get a list of the shares available on a host.

Going back to the clean.sh file, we know that it's a cron job.
Q: What is a cron job?
A: Cron is one of the most useful utilities you can find in any Unix-like operating system. It is used to schedule commands to run at a specific time. These scheduled commands or tasks are known as “cron jobs”. Cron is generally used for running scheduled backups, monitoring disk space, periodically deleting files which are no longer required, running system maintenance tasks and a lot more.

We can change the code inside “clean.sh” file to get a reverse shell.
We are going to use a Python reverse shell found at Pentest Monkey. I create another clean.sh file on my attacking machine and paste the Python reverse shell into it (after substituting the IP address with the one given to me by TryHackMe). Then I use FTP's append command to append my edited clean.sh to the file in the FTP directory.
Now this file will execute at regular intervals. Therefore, we need to set up a “netcat” listener to listen for the incoming connection and get a reverse shell.
$ nc -lvnp 1234
Success!

And from there we get the user.txt flag.
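The weakness this write-up abuses is a root-run cron script sitting in a directory that an anonymous FTP user can write to. As an added defensive example (my code, not part of the original write-up or the room), the Python check below audits a script that cron executes: it flags a script that is group- or world-writable, owned by someone other than the expected account, or sitting in a directory others can write to. The clean.sh contents, the writable share and the hardened copy it builds are all constructed in temporary directories for the demonstration.

```python
import os
import stat
import tempfile

def audit_cron_script(path, expected_owner_uid=0):
    """Return the reasons a cron-executed script could be tampered with.

    A script run from root's crontab must be writable only by its owner, and
    that owner should be the account cron runs it as (uid 0 by default).
    """
    findings = []
    st = os.stat(path)
    if st.st_mode & stat.S_IWOTH:
        findings.append("script is world-writable")
    if st.st_mode & stat.S_IWGRP:
        findings.append("script is group-writable")
    if st.st_uid != expected_owner_uid:
        findings.append("script owner uid %d differs from expected uid %d"
                        % (st.st_uid, expected_owner_uid))
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    # A world-writable directory without the sticky bit lets anyone replace
    # the script with a new file, whatever the script's own mode says.
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable without sticky bit")
    return findings

def demo():
    """Constructed scenario: an FTP share that anonymous users can write to,
    holding the clean.sh that cron runs, beside a correctly locked-down copy."""
    body = "#!/bin/bash\nrm -f /tmp/*.tmp\n"   # constructed stand-in for clean.sh
    share = tempfile.mkdtemp()
    weak = os.path.join(share, "clean.sh")
    with open(weak, "w") as fh:
        fh.write(body)
    os.chmod(weak, 0o666)    # anyone can overwrite the script body
    os.chmod(share, 0o777)   # anyone can drop a replacement file
    safe_dir = tempfile.mkdtemp()
    safe = os.path.join(safe_dir, "clean.sh")
    with open(safe, "w") as fh:
        fh.write(body)
    os.chmod(safe, 0o700)
    os.chmod(safe_dir, 0o755)
    # The demo runs unprivileged, so the running uid stands in for root.
    me = os.getuid()
    return audit_cron_script(weak, me), audit_cron_script(safe, me)

if __name__ == "__main__":
    for label, findings in zip(("writable share", "hardened"), demo()):
        print(label, "->", findings or ["no findings"])
```

Running the same check over every script referenced from /etc/crontab, /etc/cron.d and root's crontab is the quick way to catch this misconfiguration on a real host.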

Now let's attempt to get the root flag. Let's run sudo -l to see what commands we can run as root.

So that doesn't work. Let's search for SUID Binaries.
Q: What are SUID file types?
A: SUID is a special file permission for executable files which lets other users run the file with the effective permissions of the file owner. Instead of the normal x which represents execute permission, you will see an 's' (to indicate SUID) in the user permission bits.
This command will search only for the SUID files which are executable by the current user.

We see “/usr/bin/env”.
We can use it to get root access. For more information, refer to the following link: https://gtfobins.github.io/gtfobins/env/#sudo
OK, back to the task.
Let’s input the following command.
/usr/bin/env /bin/sh -p

We can go ahead and retrieve the root flag!
Final Thoughts
It was an interesting and challenging box. A break from the 'usual' machines of exploiting a web server. My knowledge of SMB and priv-esc is a bit wanting, but now I know what to read up on.
Further Research On My Part
Familiarize myself with cron-jobs and set up a demo one on my laptop.
Familiarize myself with SUID.
Read up on SMB and look for more machines where we have to enumerate or exploit the protocol.