🌶️Startup

Introduction

Room name: Startup

Room link: https://tryhackme.com/r/room/startup

1- Scanning

sudo nmap -sS -sV 10.10.218.124

1a- Scan results:

1b- Ports open:

21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

2- Port 80 (http)

2a- Nikto

Nikto results:

This might be interesting: /files/

2b- Gobuster

Results:

Gobuster also finds the "/files/" directory.

2c- Let's check out the website in Firefox

Type in the URL: http://10.10.218.124/

Source code:

Nothing interesting here.

/files/ directory

First, let's check "notice.txt"

notice.txt: "Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus."

From "notice.txt", there are 2 hints:

  • there is a user named Maya

  • there is a share, and whatever employees upload to it ends up being served on the website

3- Port 21 (ftp)

3a- Anonymous login

First, let's try to log in anonymously (username: anonymous, password: anonymous)

Successful login!

3b- Let's enumerate this share

When we type ls, we see that the second hint is correct: the files here are the same as those in the website's /files/ directory.

We also notice that we can both read and write in the FTP directory, so let's try to upload a PHP reverse shell from Pentest Monkey.

(Don't forget to change the IP to your own IP)

Upload successful, let's now check the website:
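The chain used in sections 2 and 3 (anonymous FTP with write access into a directory the web server also serves, with PHP executed from it) is something a defender can check for directly. The POSIX shell functions below are an added example and not part of the original writeup: the first inspects a vsftpd.conf for the three directives that must all be YES before an anonymous upload can succeed, the second looks at the served directory for world-writable entries or PHP files that have no business in a document drop, and the third reports when both halves are present. The config and directory paths are arguments you supply; the sample config lines and files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the room): checks for the FTP-to-web-root chain
# described above. Paths are supplied by the caller; nothing here is read from
# the room's machine.

# Return 0 when the vsftpd config allows anonymous users to upload files.
# Anonymous uploads need all three directives set to YES; a missing or NO
# value for any one of them blocks the upload. vsftpd requires option=value
# with no spaces, so the match is strict.
vsftpd_anon_write_enabled() {
    conf="$1"
    for directive in anonymous_enable write_enable anon_upload_enable; do
        grep -Eiq "^${directive}=YES$" "$conf" || return 1
    done
    return 0
}

# Return 0 when a directory served over HTTP contains something that should
# not be in a document share: an entry writable by everyone, or a PHP file.
# Each offending path is printed on its own line.
served_share_risky() {
    dir="$1"
    hits=$(find "$dir" \( -perm -0002 -o -name '*.php' \) -print 2>/dev/null)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
    return 0
}

# Return 0 when anonymous FTP writes are enabled AND the served directory
# already shows the symptoms; this is the finding to raise.
ftp_web_chain_present() {
    conf="$1"; dir="$2"
    if vsftpd_anon_write_enabled "$conf" && served_share_risky "$dir" >/dev/null; then
        echo "FINDING: anonymous FTP uploads reach web-served directory $dir"
        return 0
    fi
    return 1
}

# Usage (placeholder paths; adjust to the host being audited):
# ftp_web_chain_present /etc/vsftpd.conf /var/www/html/files
```

A hit on the first function is the configuration to fix: set anon_upload_enable=NO, or disable anonymous_enable entirely if the share does not need it. Independently of that, a directory that accepts uploads should never be one the web server hands to a script interpreter, so for mod_php a `<Directory>` block with `php_admin_flag engine off` (or removing the PHP handler for that path) removes the second half of the chain even if a file does get dropped.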

4- Netcat

4a- Netcat session

Let's now open a netcat session:

Now, we should click and open the reverse shell we uploaded to the website.

Successful connection!

Let's stabilize the shell using python3:

4b- Netcat enumeration

whoami

ls

recipe.txt

We notice that there is a file named recipe.txt

cat recipe.txt: "Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was lo**."

First answer found: "lo**"!

incidents

There is also a directory named "incidents", which is not common. Let's check it out!

cd incidents

ls

We found a file named suspicious.pcapng!

Let's download the file:

In the netcat session:

On our machine:

The file downloaded successfully!

Analyze the .pcapng in Wireshark

Let's filter by http and follow the TCP stream:

This is interesting: we can see that someone else also tried to open a reverse shell on the website.

A port commonly used for reverse shell listeners is 4444, so let's filter by this port and follow the stream:

We found a password:

Password: c4ntg3t3n0ughsp1c3

Login to Lennie

Let's try to log in as lennie with this password:

password: c4ntg3t3n0ughsp1c3

Successful!

Let's go to the home directory.

ls

cat user.txt

THM{03ce3d619b80ccbfb3b7fc81xxxxxxxx}

5- Privilege Escalation

5a- Escalate privileges

There is a directory named "scripts"

The "planner.sh" calls a script called "print.sh"

We can only read planner.sh; we can't modify it, only root can.

Let's check if we can edit print.sh.

We can!

So now, let's modify the shell script print.sh:

This modified print.sh will change the permissions on /bin/bash to add the SUID bit, allowing any user to execute /bin/bash with root privileges.

Now, as lennie, we can run:

It worked!

We are root now.
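The weakness exploited in 5a is a root-run script (planner.sh) that calls a file (print.sh) an unprivileged user can edit, and the step leaves a recognisable artifact behind: a SUID bit on /bin/bash. The POSIX shell functions below are an added example, not code from the room or the writeup: one lists every existing absolute path referenced by a script that is writable by group or others, one reports whether a given binary carries the set-user-ID bit, and a wrapper combines them. The script and binary paths are arguments; the planner.sh and print.sh used to exercise it are constructed, since the room's own scripts are not reproduced here.

```shell
#!/bin/sh
# Added defender-side example (not from the room): audit a root-run script for
# callees an unprivileged user can modify, and check whether a shell binary
# carries the SUID bit. All paths are arguments; nothing is taken from the
# room's file system.

# Print each absolute path referenced in $1 that exists and is writable by
# group or others; return 0 if at least one was found, 1 otherwise.
writable_callees() {
    script="$1"
    found=1
    # Absolute path tokens at line start or after whitespace (e.g. a call to
    # /home/someone/scripts/print.sh). Shebang lines are not matched because
    # their slash follows "!".
    for p in $(grep -Eo '(^|[[:space:]])/[^[:space:]]+' "$script" | sed 's/^[[:space:]]*//' | sort -u); do
        [ -e "$p" ] || continue
        # -prune stops find from descending into directories; the two -perm
        # tests are "group-writable" and "world-writable".
        if [ -n "$(find "$p" -prune \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]; then
            echo "WRITABLE CALLEE: $p"
            found=0
        fi
    done
    return $found
}

# Return 0 if $1 has the set-user-ID bit, 1 otherwise.
has_suid() {
    [ -u "$1" ]
}

# Audit one root-run script and one shell binary; prints findings and
# returns 0 only when both checks are clean.
audit_privesc_surface() {
    script="$1"; shell_bin="$2"
    clean=0
    if writable_callees "$script"; then clean=1; fi
    if has_suid "$shell_bin"; then
        echo "SUID SHELL: $shell_bin"
        clean=1
    fi
    return $clean
}

# Usage (placeholder path; in the room the scripts sat in lennie's "scripts" directory):
# audit_privesc_surface /path/to/planner.sh /bin/bash
```

Run `writable_callees` as the unprivileged user against every script that root's cron or a root-owned service launches; any line it prints is a path whose owner and mode need tightening (root-owned, 0755 or stricter). A SUID /bin/bash is never legitimate on a stock Ubuntu install, so `has_suid` on the system shells is a cheap post-compromise check.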

5b- Find root flag

Now let's find root.txt

Root flag: THM{f963aaa6a430f210222158ae1xxxxxxx}
