TryHackMe Startup walkthrough

 

 

TryHackMe: Startup Write-Up

Abuse traditional vulnerabilities via untraditional means.


TryHackMe is an online platform for learning cyber security, using hands-on exercises and labs and is meant for people starting out in the infosec field. TryHackMe Startup walkthrough

This is write up for a TryHackMe room called Startup linked here.

Enumeration and Scanning

Using nmap, I found that this box had 3 ports open.

 

 

The webpage looked like it was still under development.

 

 

 

 I then ran gobuster and found a hidden folder.

 

 

 

 

Looking at the files directory, I saw the following:

 

 

 

 

Going back to the ftp service, I tried logging in via anonymous user.

 

 

 

 

The FTP and HTTP directory are the same. This means that we can upload files (read: reverse shell payloads) to the FTP directory which we can then execute on the browser.

 

Abusing the FTP/HTTP misconfiguration

To test this theory, we move into the /ftp directory as this is the directory where should have permissions to upload files; and upload a test file to see if we can display and execute it in the browser. To do this, I created a test.html page and uploaded it into the /ftp directory; 

 

 

 

 

 

Now, to get a shell, we use PentestMonkey’s Reverse-Shell-PHP payload, change the IP and Port and upload it.a

 

 

 

Stabilising the shell

To stabilise the shell, we execute the following steps;
 

1) python -c 'import pty;pty.spawn("/bin/bash")' 

 

This spawns a Bash shell

2) export TERM=xterm

This will give access to terminal commands like clear

 

3) Background the shell using Ctrl + Z;

 

In the native shell, use stty raw -echo; fg

This will turn off the terminal echo (giving access to tab autocompletes, arrow keys etc.) and foregrounds the shell
    

 

4) alias ll='ls -la'

This is a personal preference as it’s always better to list all current files with all the details which is always a good habit (which the following steps in this room would teach me)

As I would learn, stabilising the shell was extremely important because there was no way I’d actually get a real shell (SSH or otherwise).

 

Finding out the Secret Spicy Soup Recipe

Now that we have working shell with most of the features, we go to the / directory to see its contents with our ll command. As you view the contents, make sure to not rush and miss out on anything. If you do so, then you should notice some extra (Hint: Which don’t belong) folders and files here.

 

 

They are as follows:

drwxr-xr-x   2 www-data www-data  4096 Nov  9 02:12 incidents
-rw-r--r--   1 www-data www-data   136 Nov  9 02:12 recipe.txt
drwxr-xr-x   2 root     root      4096 Nov  9 02:10 vagrant

 

Opening up recipe.txt should help us with some clues on the Secret Spicy Soup Recipe

 

 

Thoughts: I was honestly stuck here for a little while as I didn’t know what to do and rushed over the directories. It was only after I took a step back and went through all the directories and files that I could notice the extra directories and files. Lesson/Pro-Tip: Take your time to go over each folder and file to see any sus discrepancies
 

 

1) What is the secret spicy soup recipe?

Ans :- love

 

 

Getting User privileges

There are more out-of-place folders here, namely, /incidents and /vagrant. Going into the /incidents directory we see a suspicious.pcapng packet capture file.

That’s pretty sus ngl.

To view it you could either cat it out onto the terminal (like a pleb lmao) Or you could copy it to the /ftp directory to download and view it onto your system (like moi). To do so, simply run;

www-data@startup:/incidents$ cp suspicious.pcapng /var/www/html/files/ftp/

 

We know that it’s an Apache Server on Ubuntu and /var/www/html is where the Apache Server files exist.

Now, download and view the file with Wireshark with

 

❯ wireshark suspicious.pcapng

 

The best way to find useful information from a packet capture is to go through each TCP/HTTP stream and try to find something which seems useful.

 

If you do so, you’ll come around a TCP Stream which seems like a packet capture of a Remote Connection session (telnet maybe?)

 

 

 

 We notice three things here;

•     They used the same shell stabilising techniques as us!
•     Seems like the user lennie is accessing the session and
•     He has entered his password!

 

Hence, we simply get user (lennie) privileges by;

www-data@startup:/incidents$ su lennie
Password: c4nt**************
lennie@startup:/incidents$ whoami
lennie

 

Going into /home/lennie we see the user.txt

 

 

2) What are the contents of user.txt?

Ans :- thm{03ce3d619b0ccbfb3b7fc81e46c0e79}

 

 

Getting the Root Privileges

In out home directory, we see that there are two directories, one which is owned by root. Maybe this can help us get root?

 

 

 The /scripts directory has the following files;

 

 

 

It’s important to take note of the permissions and last modified information here;

• Both the files here can only be modified by root
• startup_list.txt has been modified preettyyy recently (1 min ago)

The contents of planner.sh are as;


#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh


We see that it calls another script /etc/print.sh; which is owned by lennie!

 

 

 

The contents of /etc/print.sh are;


#!/bin/bash
echo "Done!"



To reiterate, we have a script owned by us which is run by another script owned by root.


If only there was a way for root to run that script… Surprise, surprise! Root does that for ourselves! In concise;

•     Root Cron Job runs planner.sh
•     Modifies startup_list.txt
•     Runs /etc/print.sh

Since we notice that startup_list.txt is being modified every minute by some cron job, it is safe to assume that it is planner.sh which does it.

 

 

 

Hence we can modify the /etc/print.sh script and wait one minute for root to run it!

So, we make a directory in the /tmp folder to store the flag;


mkdir /tmp/lol

And adding the following to /etc/print.sh;

cat /root/root.txt > /tmp/lol/flag

 

should do the job of getting the flag for us!


Thoughts: I was stuck here for over a day before I noticed that the file gets modified by some cron job. I tried finding cron jobs but since the cron running here is a user job and not a system one; something which I learnt because of this room; I couldn’t find one to confirm my suspicions about a cron job running and got sucked into unnecessary rabbit holes.

Wait for one minute for the cron job to run and;

 

 

 

3) What are the contents of root.txt?

Ans :- thm{f963aaa6a430f21022215ae15c3d76d}

 

 

 

 

 

Disclaimer

This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.






I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)