TryHackMe | Startup
TryHackMe is an online platform for learning cyber security, using hands-on exercises and labs!
So, without further hesitation, we head on over to our trusty nmap:
Okay, so here we have FTP, SSH and a web server running on port 80.
The first thing I want to do is check whether anonymous login is allowed on the FTP server. Well, before even trying, nmap has told us that it is allowed and writable, with a file inside:
So let’s see if we can actually write to this ftp/ directory by uploading their notice.txt back:
Yes we can! So this is a potential vector for uploading a reverse shell.
Okay, so next let’s check out what is in the text file:
Okay, so we have a potential username here, which is awesome.
Now I want to take a look at the web side of things, while keeping in mind that we can write to that FTP server.
Upon visiting the page we get this little message:
And the only thing that was somewhat interesting in the “View page source” is:
So let’s gobuster this and see what we can find:
Okay, well this is interesting, as visiting the link clearly shows the FTP server’s contents.
Well, remember from our nmap scan what the FTP permissions were? The FTP server was writable!
So, time to upload a reverse shell. I used Pentest Monkey’s PHP reverse shell and uploaded it to the FTP directory:
And now that’s uploaded and ready to go, all we need to do is start an nc listener and view the file on the web page:
NOTE: I did spend some time trying to get the PHP script to upload; it seems it was me being fumbly and not specifying an output name properly.
Now we run this and over on our nc listener we should gain our initial foothold:
And we are in! Now, this shell is not fully functional, so we are going to upgrade it:
And now to continue enumerating this machine and look for the recipe:
Okay, so we have our first recipe! Awesome, let’s continue.
After a fair bit of enumeration I managed to find something with linpeas.sh that looked interesting:
(If you noticed this in the previous image first, well done to you!)
Checking out incidents we find something interesting:
Now this definitely feels like where I need to be looking.
NOTE: I also did my usual checks of the crontab, sudo -l and other users, but came back with nothing other than the user lennie.
So that means the first potential username we found is scrapped. With those things in mind, let’s continue.
I downloaded “suspicious.pcapng” using a python3 HTTP server and wget; now it’s time to analyse it using Wireshark.
After some digging I found what looked like directory listings, so upon following the TCP stream I found this juicy info:
Now, this password isn’t for www-data, so that only leaves one other person: lennie.
And it does work with the user lennie!
Now let’s just try to log in normally as this user over SSH for a fully functional shell:
Awesome, we can log in instead of using a reverse shell and run bash with full functionality.
Now we can begin to find the user flag and escalate our privileges to root, and from the looks of it, that’s via the “scripts” directory.
But first the user flag:
Now to take a look at the scripts directory:
Okay, so we can run planner.sh, but we cannot remove or edit the files in the scripts directory, except that we can edit this one called print.sh.
As we can see, it just echoes “Done!”
Let’s try to get a bash reverse shell in there and see if we can trigger it as root in some way (if it doesn’t already do so).
NOTE: This file does run on a timer but doesn’t show in /etc/crontab.
And over on our netcat listener:
And voilà: we put a bash reverse shell in print.sh, ran an nc listener and waited for it to trigger!
Now we can get the root flag, and some coffee, as we now own this machine :)
And we are done! Congratulations and thank you for reading!
Please feel free to follow me on Twitter if you like the write-up: https://twitter.com/amec0e