Tags: wireshark, cron, gobuster, enumeration, security, easy, FTP, privesc, cronjob, crontab, forensics, packet capture
I created startup with the intention of having people exploit very popular and well known vulnerabilities, however, incorporating these vulnerabilities in very untraditional and unusual ways. The room is meant for beginners and its purpose is to make players take a hatchet and swing at their roots with an analytical mind at hand. If you have concerns or questions regarding Startup, please relay them to me here: firstname.lastname@example.org
I am excited to see where this goes!
As with all fairytales, this one starts with an nmap scan.
FTP with anonymous access and HTTP. This looks to be a relatively friendly attack surface. Let's have a look at the webserver. Anything interesting?
Nothing appears to be out of the ordinary here, nothing interesting in the source either, but looks can be deceiving, let's run gobuster and visit the FTP server whilst those threads run.
We saw earlier from the nmap scan that there are two files in the transfer. It's smart to grab them and see if they contain anything interesting. It is also smart to do ls -la to view hidden files, however in this case, there are none.
notice.txt appears to contain a message directed at users of the FTP server.
This notice is revealing several key pieces of information. Such being the ability to download files from the share via the webserver. This could lead to a reverse shell. We can check if the FTP server is located in the webroot directory by simply browsing to an item in the FTP server from the webserver.
This doesn't appear to be so. We should have a look at gobuster to see if it found anything.
It found something! Let's have a look at what it is.
As we can see, the files/ folder appears to be sharing locations with the FTP server. Meaning the aforementioned attack would still work since we can still load an arbitrary file in the webserver. Let's take a shot at this and upload pentestmonkey's php reverse shell.
This is unsuccessful. However, we can see from the file listing there is a directory called, 'ftp' with full perms. We should try uploading it there.
Success! Now we can set the corresponding listener and trigger the payload.
A shell is popped.
Before we fully dip our toes in the pool, we should upgrade the shell using the standard python -c "import pty;pty.spawn('/bin/bash')"
After that, let's grab our user flag!
Of course it wouldn't have been that easy. Lennie is inaccessible by www-data. Looks like horizontal privesc will be necessary. We can start our search for paths by going to / and looking for any out of the ordinary files or folders. (stuff that isn't there by default) A script such as linpeas would also work.
The odd two out. Let's have a peek at recipe.txt first.
With this new data, we can correctly answer the first question.
The second interesting area is the /incidents folder. I hope no one minds if I let myself in.
A capture file. We should transfer this to a local machine. There are many methods used to transfer files, however in this example, I use scp and the amazingly handy in-browser attack boxes TryHackMe hosts.
The attack box is assigned a private IP on the network and SSH creds, so we can transfer the file to this machine with scp.
It is now possible to inspect the capture file on the local attack box.
This particular packet jumps out quickly, suggesting we may not be the only ones here. It seems a shell was previously uploaded. Maybe we could find something interesting in the commands the attacker issued. We can see a connection to an address on port 4444 after the file upload. Let's view these packets.
It seems the attacker tried to authenticate with the above password on www-data and the password was incorrect. Does www-data even have a password by default? Perhaps he got passwords mixed up and this is actually Lennie's password. There is only one way to be certain.
Success, user.txt is ours.
Lennie's home folder has some interesting stuff. However the real juicy stuff is probably in the scripts directory. Let's have ourselves a look.
A bash script and text file are present. However, what is interesting is both of these files are owned by root. It is safe to assume that the script will eventually be run by root, or in this case, a cronjob. Another problem surfaces though, we cannot edit the planner.sh script, we can only read and execute it. Furthermore, having a look at the script may prove to be fruitful.
The last line of this script is intriguing, it seems another program named, 'print.sh' is also being ran. Perhaps we can edit that one?
The script is owned by our user and can be edited in the current context. Let's overwrite the script's contents with a reverse shell.
After a few seconds, we got root!
Before I end this post, I would like to take a moment to thank you. Yes you. Your support has inspired me to work hard and persevere throughout the development of this room, during the making of which I encountered troubles I had never faced. In the end though, it was all worth it. Seeing my work materialize into a tangible substance right before my eyes. So to the readers of my blog, thank you. To my friends thank you. You are all my brothers.
Additionally I'd like to thank the amazing team over at TryHackMe for their consideration and offering me the chance to give back to the community with my work. I appreciate all you guys do. If anyone at TryHackMe has a concern regarding Startup, please do not hesitate to contact me whenever or wherever you see fit.
Discord: elbee#9122 (I am in your server)