TryHackMe write-up: Startup

Introduction

This is my write-up for TryHackMe’s Startup room.

Enumeration

Using nmap, I found that this box had 3 ports open.

The webpage looked like it was still under development.

I then ran gobuster and found a hidden folder.

Looking at the files directory, I saw the following:

Going back to the FTP service, I tried logging in as the anonymous user.

Exploitation

Checking the FTP service, I found that I could upload a PHP file to the /ftp folder. I tried uploading the PHP reverse shell script found at pentestmonkey.net.

Looking back at the enumeration phase, I recalled that there was a folder named ftp inside the website’s files directory. I was able to access the uploaded PHP file there.

Checking the netcat listener I had opened prior to accessing shell1.php, I found that I now had a shell back to the target.

Checking the directory, I found that there was a file named recipe.txt. This contained the answer to the first question.

Looking back at the files and folders shown above, I saw an “incidents” folder. Looking further, I found it contained a pcap file. I was then able to transfer this file to my attacker machine via FTP.

Checking the traffic, I found that another hacker had a shell (the same as what I had) and was trying to run sudo. However, the password used would not work.

But maybe the password would work for a different user? I tried switching to a different user and the password was correct for said user.

Privilege Escalation

Finding a way to escalate privileges was a bit tricky. I couldn’t run sudo as the current user, and passwords weren’t available in accessible files.

Checking the files in the scripts folder, I found a script file and a text file. planner.sh wrote something to startup_list.txt and then called /etc/print.sh. The thing is, after about a minute, startup_list.txt was modified by root.

Given that the text file was modified by root, there must have been another root process (maybe a cron job or something) that called planner.sh. However, since I didn’t have write privileges to planner.sh, I had to write somewhere else. It’s a good thing that I had write permissions to /etc/print.sh. I then overwrote it to run a reverse shell back to my attacker machine.

After a while, I found that the target had connected back to my netcat listener and I had root permissions.

m0ndzon3

I like breaking stuff.