Startup

This room on TryHackMe.com is one of the old rooms and pretty much straight forward. It involves basic enumeration, gaining a foothold and privilege escalation. Though the privesc part is a bit confusing but still something that is interesting.

So, let's begin!

Enumeration

The first thing that we can do is run an nmap scan against the IP address of the deployed machine and check the open ports.

─[tester@parrot-virtual]─[~/Downloads/startup]
└──╼ $nmap -A 10.10.30.244
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-07 02:13 IST
Nmap scan report for 10.10.30.244
Host is up (0.18s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx    2 65534    65534        4096 Nov 12 04:53 ftp [NSE: writeable]
| -rw-r--r--    1 0        0          251631 Nov 12 04:02 important.jpg
|_-rw-r--r--    1 0        0             208 Nov 12 04:53 notice.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.8.91.135
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b9:a6:0b:84:1d:22:01:a4:01:30:48:43:61:2b:ab:94 (RSA)
|   256 ec:13:25:8c:18:20:36:e6:ce:91:0e:16:26:eb:a2:be (ECDSA)
|_  256 a2:ff:2a:72:81:aa:a2:9f:55:a4:dc:92:23:e6:b4:3f (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Maintenance
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.28 seconds

From the nmap result, we can see that three important ports are open 21 (FTP), 22 (SSH) and 80 (HTTP). The juiciest of all the three appears to be FTP as anonymous login is enabled on the same. So, we can go ahead and try to access the files present over there.

In the FTP server, we can see there are a few files named important.jpg and notice.txt. Along with that there is a folder named ftp as well. We can download all these files on our machine using the mget command.

Once, downloaded on our local machine we can check these files out. Along with downloading these files we can also check out the content of the ftp folder but it turns out to be empty.

The notice.txt file appears to be kind of a note but it is does not prove to be much useful.

Moving on to the image, when trying to open it gives an error that the file is not a JPEG file.

Img. JPEG Error

So, we can open the file in hexeditor and its magic value to determine its original file type.

Img. Image in Hexeditor

Here, we can see that the first few values correspond to .PNG suggesting this is a PNG file. Knowing the original file type we can rename the file and then again try to open it.

By changing the file extension, we can not open the image which appears to be a meme based on the game 'Among Us'.

Img. Important.png

Considering we have a PNG image, we can check it for steganography using the tool zsteg.

But even here we can't find any useful information. We have checked everything that we got from the FTP server but nothing appeared to be useful. So, we can move on to port 80 and check if we can find something useful over there.

Img. Web Page

When we access the IP address through our browser we get this page stating the website is not ready yet. Also, the source code of the page does not provide any useful information. The next thing that we can do is try to enumerate the directories on the web app. We can use ffuf or any other such tool to fuzz the directories.

Here, we get a directory named files that we can try to access.

Img. Files

It appears to be a bit surprizing that these are exactly the same files that we found on the FTP server. This gives us a hint towards uploading a reverse shell through FTP and then opening it through the browser. The next thing that we must do is: check if we can upload files on the FTP server.

To do so, the first thing that we must do is create a test file:

Now, after accessing the FTP server we can try to upload this test file.

Unfortunately, we can't upload it in the main directory but we can see that we have write permissions for the ftp folder. So, we can try to upload the file over there and then check on the browser if it appears there as well.

The file gets uploaded successfully, now we need to check if it can be access from the browser as well.

Img. FTP Folder

And, it does appear in the ftp folder. So, now we can upload a PHP reverse shell through the FTP server, open that file from the browser and get a reverse shell on our local machine.

Initial Foothold

For this purpose we can use the Pentest Monkey's Reverse Shell Payload, modify it with our local machine's IP address and then upload it on the FTP server.

To get a reverse shell, we need to start a listener for which we can use the command nc -nvlp 1234.

I only changed the IP address in the payload and kept the port number (1234) as it is. If you change the port number in the payload then start a listener for that port number.

Once the listener is started we can open the link for our payload in the ftp folder and wait for a reverse shell to start on our listener.

To get a stable shell we can use a python one-liner:

The first question asks about a secret ingredient which can be found in a file in the root directory itself:

Privilege Escalation From www-data

Currently, we are logged in as www-data and hence can't access the user flag. We can check some commands such as sudo -l, cronjob and a few other things to escalate our privileges.

sudo -l does not turn out to be helpful as we don't know the password for www-data. We can also check the /etc/crontab file to get an idea if there are any cronjobs running on the machine.

But even here we can't find any useful information. The next thing that we can check are the files that have SUID permission but even over there we won't find anything useful. Another thing that we can do is try to find the files to which we have access.

Here, we can see that there is a directory named incidents in the root directory which contains a PCAPNG file named as suspicious.pcapng. We can download this file on our machine and try to analyze the captured traffic using wireshark. But to do so, we need first start a python server on the target machine in the directory from where we want to download the file:

Now that our python server is running, we can download the file on our local machine using the wget command.

Now that we have the network capture file, we can analyze it and look for some hints in the same.

We can look for packets in which there is some text visible which usually are TCP protocol packet containing the Data part in them. Going through the flow of the packets we can quickly determine from the content of the packets that someone tried to gain a reverse shell on the machine and they were successful in doing so. Moving on further we can see that the attacker tried to run the command sudo -l and when asked for the password he entered some value.

To get a better understanding of the traffic flow use the Follow TCP Stream option by right clicking on any TCP packet -> Follow -> TCP Stream (or Ctrl+Alt+Shift+T)

Img. Traffic Steam

Apparently, when the password was entered for user www-data it didn't work but we can try to use the same password for user lennie.

And there we get escalated to the user lennie. Now, we can read the user flag.

Privilege Escalation to Root

Our next task is to gain the root privilege. Again we can check the commands that user lennie can run as sudoer using the command sudo -l.

But it appears that lennie can't run any commands with sudo privilege. So, we can look around in lennie's directory to see if we can find something useful.

We can see there are two directories which are Documents which is owned by lennie and scripts which is owned by root. We can check both these but in scripts we can find a bash script to which we have execute rights.

We can analyze the tasks performed by planner.sh.

It is pretty clear that the script prints out the content of variable LIST in the startup_list.txt file. So, we can try to set the LIST variable to the content of root flag and as this file gets executed by root we might be able to get root flag.

But this does not work, obviously as we don't have access to the /root directory. But we can see that this script is executing another script /etc/print.sh. We can go and check if this script can help us in some way.

This script does not do anything special but just prints out the "Done!". Even then there is one interesting thing about this file and that is lennie is the owner of this file. So, we can modify this file and when the planner.sh would get executed by root the print.sh file would also get executed with root's privileges.

This will create a file named abc in the /tmp directory and store the content of root flag in the same. We need to wait for some time when the script gets executed automatically by the system and once it is executed we will get our root flag.

NOTE

We checked the cronjobs and did not find anything over there but I had guessed that this script was being executed by the system at a fixed interval. But a more technical justification could be found by downloading the PSPY64 tool on the target machine and then checking all the processes running in the background.

That is it. We got both the user and root flag!

Reference Links

  1. TryHackMe Startup Room

  2. Zsteg

  3. PSPY64

PreviousThompsonNextIndex

Last updated

Was this helpful?