Anonymous WalkThrough TryHackMe

Hello guys TryHackMe released a room about 2 days ago called Anonymous and i decided to try it. Essentially the owner of the box left ftp directory writable to guests and it has a bash script called clean.sh that basically cleans the tmp directory. The script is being run by a cron job(we’ll see after successfully getting a shell on the box) and since we can modify files in ftp share we can add malicious line of code that give us a shell on the box part 1 done. For privilege escalation the user we log into the box as is a member of box sudo group. Lxd considers them as admin and we can leverage this to get root on the box it isn’t an issue in a server so long as the user is not a member of sudo group. Without much say let’s jump in

As always we’ll start off with a nmap scan

And we get only two ports are open and what’s weird is that there is no web server. So i decided to expand my nmap scope scan by doing a full TCP scan maybe we missed some open ports that might have easily exploitable services

And we get two more ports are open the standard SMB ports

So i decided to analyze the output of nmap maybe we might be lucky and find an exploitable service

I decided to do a searchsploit on the ftp and all the vulnerable versions are 2.*. But we get a really sensitive information that can help us exploit the box . we find that anonymous ftp login is allowed. Just by using the username anonymous and the password doesn’t matter we are able to log into the box also the ftp is writable this is seen from nmap

So i decided to see what files might be present on the ftp share maybe we might get lucky and find some credentials lying around

i downloaded all the files to my box and examined them

  1. To_do.txt just a reminder that the owner of the box need to disable anonymous login

2. Clean.sh is a bash script that delete file that are in /tmp directory

3. removed_files.log is a log file showing if files were remove from /tmp directory

But we didn’t have a way to execute the bash script and it seemed like a dead end so i decided to enumerate the SMB share

And we get a SMB share called pics

Since NULL authentication is allowed i logged into the share

I decided to view them and they were just images of puppies

My first though was it must be a stenography challenge but got nothing from them so i hit a dead end

Looking back at my enumeration i remembered the ftp files were writable and there was a script that was being executes somehow we don’t know how till now. I decided to download the log file a second time and see if the logs had increased and voila we find that the lines in the log files had increased meaning probably there was a cron running that was executing the script and since we can write to the script why not add a malicious bash reverse shell line that will give us a shell on the box once the cron executes the script

I edited the clean.sh script and added a bash reverse shell line with my IPAddress

Now i again logged into ftp and tried to find a way to add that code to the clean.sh script

And using the help command we find append that can allow us to append a file

And i successfully appended my edited bash script to the one in ftp direcory

Then i created a listener on my box using netcat and all i had to do was wait for a callback

And after a few second a got a callback to the box we have a shell

And we have the user flag

Now i looked in the passwd file to see other users that are in the box

And we get only two users have a shell on the box root and namelessone

Now we had to escalate out privileges to root. I decided to run linpeas which is a Linux local Privilege Escalation Awesome (You can find it from the link provided)Script that will automatically identify any possible privilege escalation vectors. I hosted a web server on my local box and downloaded the script to the compromised box

And then i executed it

And we see we are a member of sudo and adm group

Meaning if we had the password for namelessone we could just escalate to root by using sudo command

So my first through was that probably we had to find a credential that was left somewhere in the box but it was a dead end

While i was going through the output of linpeas i found some directory that indicate the privilege escalation might be through lxd. Since we are in the sudo group we can exploit it to gain root priviledge on the box

LXD is Ubuntu’s container manager utilizing Linux containers. It could be considered to act in the same sphere as docker,

The lxd group should be considered harmful in the same way the docker group is. Under no circumstances should a user in a local container be given access to the lxd group. This is because it’s entirely trivial to exploit.

First i’ll download lxd alpine builder from GitHub because we need an image but Ubuntu image is really big and due to this we’ll build our own Linux image which has a small size in our local box and then copy to the vulnerable box

  • -a specifies the architecture that want to build a 32 bit image

After it finishes building you should you should have a alpine gzip compressed data

Now we upload that image to the target machine

Next we import the image to lxc

Now we create the container

If you get the error above you need to use the configuration below

Then try the command again

And voila we have successfully created the container

Now we can list the device

Next we hard a storage device to this device

Now we initialize the device and execute it

And we are root on the box

We can now submit the flag and get the points

That’s it for now guys hope you’ve learnt something new from it I’ve left some articles below that you can read

  1. Privilege Escalation via lxd

2. Linux Privilege Escalation via LXD & Hijacked UNIX Socket Credentials

If you like the walkthrough you can clap for me below

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)