Room: https://tryhackme.com/room/startup
Begin enumeration using GoBuster and Nmap.
Notice, under "FTP server status:", the word "connected". This very likely means we can log in as "anonymous" without a password.
There is a directory containing a set of interesting files located at "/files".
SSH and FTP are also running on this host.
Someone is having a good time at work.
Notice the subfolder "ftp/", which is currently empty. Let's pivot our efforts to the FTP service. Log in as anonymous; when prompted for a password, simply press Enter.
Once logged in, let's have a look around.
Running "ls -la" we see that the "ftp" folder from earlier is located here and that we have full permissions over this directory. We will "put" a PHP reverse shell into this location, start a netcat listener on our machine and then request the file from our browser so that the web server executes our payload.
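As an added detection example (not code from the original writeup), here is a small Python checker that flags the pattern this room relies on: anonymous FTP logins and uploads of executable files into a directory the web server also serves. The log lines are constructed in vsftpd's log style, and the daemon, the client IPs and the assumption that "/ftp/" is exposed over HTTP are all assumptions, not facts taken from the page.

```python
import re

# Constructed sample lines in vsftpd-style log format (assumption: the room's FTP
# daemon is not named on the page; these lines and IP addresses are made up).
SAMPLE_LOG = """\
Tue Sep 28 10:01:02 2021 [pid 1201] CONNECT: Client "::ffff:10.10.14.7"
Tue Sep 28 10:01:02 2021 [pid 1200] [anonymous] OK LOGIN: Client "::ffff:10.10.14.7"
Tue Sep 28 10:01:30 2021 [pid 1202] [anonymous] OK UPLOAD: Client "::ffff:10.10.14.7", "/ftp/notes.txt", 120 bytes, 12.00Kbyte/sec
Tue Sep 28 10:02:11 2021 [pid 1202] [anonymous] OK UPLOAD: Client "::ffff:10.10.14.7", "/ftp/php-reverse-shell.php", 5493 bytes, 98.11Kbyte/sec
Tue Sep 28 10:05:44 2021 [pid 1310] [lennie] OK LOGIN: Client "::ffff:10.10.14.9"
Tue Sep 28 10:05:50 2021 [pid 1312] [lennie] OK UPLOAD: Client "::ffff:10.10.14.9", "/home/lennie/report.php", 300 bytes, 30.00Kbyte/sec
"""

LOGIN_RE = re.compile(r'\[(?P<user>[^\]]+)\] OK LOGIN: Client "(?P<client>[^"]+)"')
UPLOAD_RE = re.compile(r'\[(?P<user>[^\]]+)\] OK UPLOAD: Client "(?P<client>[^"]+)", "(?P<path>[^"]+)"')

# File types the web server would execute, and FTP directories that are also
# served over HTTP (assumption: the FTP root is reachable at /files/ftp/).
EXECUTABLE_EXT = (".php", ".phtml", ".phar", ".sh")
WEB_SERVED_DIRS = ("/ftp/",)


def analyze_ftp_log(text):
    """Return a list of alert dicts for anonymous logins and script uploads into web-served paths."""
    alerts = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m and m["user"] == "anonymous":
            alerts.append({"kind": "anonymous-login", "client": m["client"], "path": None})
            continue
        m = UPLOAD_RE.search(line)
        if not m:
            continue
        path = m["path"]
        # Only executable file types dropped into a web-served directory matter here;
        # anonymous uploads of that kind are the highest-severity case.
        if path.lower().endswith(EXECUTABLE_EXT) and path.startswith(WEB_SERVED_DIRS):
            kind = "anonymous-webroot-upload" if m["user"] == "anonymous" else "webroot-upload"
            alerts.append({"kind": kind, "client": m["client"], "path": path})
    return alerts


if __name__ == "__main__":
    for alert in analyze_ftp_log(SAMPLE_LOG):
        print(alert)
```

Disabling anonymous write access (vsftpd's anon_upload_enable) or not serving the FTP directory over HTTP removes the path this room abuses entirely.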
Perfect, we have a reverse shell as "www-data". Now, per usual, let's upgrade this to a fully interactive TTY.
which python python2 python3                      # find an available Python interpreter on the target
python3 -c 'import pty;pty.spawn("/bin/bash")'    # spawn bash inside a pseudo-terminal
Ctrl-Z                                            # keypress, not a command: background the reverse shell
stty raw -echo                                    # on the attacking machine: pass keystrokes through raw
stty size                                         # on the attacking machine: note the rows and columns
fg                                                # bring the reverse shell back to the foreground
export SHELL=bash
stty rows $x columns $y                           # substitute the rows and columns noted from stty size
export TERM=xterm-256color
Now that we can make full use of our environment, let's find the first flag.
For the second flag we will need to change directory to "/incidents", where a ".pcap" file is located. Host a simple Python HTTP server on the victim machine and fetch the file with wget from the attacking machine.
Now, open the ".pcapng" file with Wireshark.
This output seems daunting at first, but after some time I found a TCP stream I could right-click and follow to find where an individual with the IP address of "192.168.22.139" accessed the server as www-data as well.
On line 178, right click, and "follow TCP stream".
This bad actor attempted to perform some basic enumeration on the system, upgrade their shell (like us) and access the directory "/home/lennie", where they were denied. This user also attempted to run "sudo -l" to see what commands "www-data" could run as other users, and entered a password that we can see in the clear.
We can see this is not the password for www-data, but maybe for another user (lennie)?
Back in our reverse shell, let's attempt to switch users with that password.
Success! Let's navigate to "/home/lennie".
We've found the second flag!
Taking a look in "/home/lennie/Documents" we do not find anything of interest.
"/home/lennie/scripts" contains two files.
We have read-only permissions for "planner.sh". Let's look under the hood of "planner.sh".
If we use "ls -la /etc/print.sh" we can see that we have write permissions for this file.
Let's overwrite this script with a bash reverse-shell one-liner and start a netcat listener on our attacking machine.
After a moment, you will receive a root shell on your netcat listener.
Rooted! Now, simply "cat /root/root.txt" for the final flag.
While this room was very straightforward and deserving of its "Easy" rating, it was still a fun way to practice FTP exploitation.
