This is a write-up for the “Startup” lab, an easy room on TryHackMe. This is a free room located at https://tryhackme.com/room/startup. I am documenting the process I used to find all information in this writeup WITHOUT including any flags, in the spirit of the game. However, following this process exactly should result in a full compromise of the target system.
Recon, Scanning, and Enumeration
My first step was to ping the box to ensure that it was alive and ready for enumeration:
Next, I ran a quick nmap scan to enumerate the service versions and run some basic nmap scripts against found ports:
We see that we have anonymous FTP access on this machine, which is a great place to start! We also have SSH, which will help us if we find some credentials to use, and an Apache web server running on port 80.
First, we can try out our anonymous FTP access:
We have a few files to check out here. Let’s go ahead and grab them so we can check them out in a minute:
The other directory, “ftp,” was found to be empty, so let’s check out the files we downloaded:
Not much to go off of here. Maybe a potential username, but let’s look elsewhere.
The next best candidate from our nmap scan is the Apache web service:
Not much to speak of on the landing page, so let’s pivot to gobuster to see if there are any other directories we can take a look at:
We pretty immediately find a directory called “/files” on the web server:
This looks very familiar! It seems that the web server and the FTP server are serving the same directory. That could be our foothold: if the FTP server lets us write into this directory, anything we upload is reachable over HTTP, and if the web server executes it, we have code execution.
Initial Access
Because the directory is served by Apache, a PHP web shell is the natural first guess (whether Apache actually executes PHP here is something we confirm by requesting the file after upload). Kali already ships one: copy /usr/share/webshells/php/simple-backdoor.php to the local working directory and upload it to the FTP share:
It looks like we’re not allowed to write to this directory. Let’s try the “ftp” directory that we found earlier:
Looks like a successful upload! Let’s navigate to this page in our browser and see if we are able to run commands:
We are able to run system commands. Since we have python3, we can use revshells.com to craft a reverse shell payload and get a more interactive shell on the host:
I personally like the “Python3 #2” payload, but this is not the only one that will work. We just need to make sure that we target our tun0 IP address, since that is the one the machine can access over the TryHackMe VPN.
We will need to start a listener with nc (for example nc -lvnp with the port we chose in the payload) to catch the reverse shell, then run the payload through the web shell and watch the connection arrive in our listener:
Now that we have an (unstable) reverse shell, we can stabilize using python3, which we already know that we have on this machine:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl + Z #(to background the shell, taking us back to our host machine's shell)
stty raw -echo;fg #(on the host shell - gives us a raw terminal with no input or output processing, then foregrounds the reverse shell from the victim machine)
export TERM=xterm #(sets the TERM variable so that we can use commands like clear in the reverse shell)
Lateral Movement
Now that we have a more stable foothold on the machine, it’s time to start looking around for ways to move laterally and vertically. A good place to start is the /home directory:
We can see here that we don’t have access to read the “lennie” user’s directory. We can note the username and continue to other methods.
Rather than starting our checks manually, we can get help from LinPEAS. Because TryHackMe machines are not connected to the Internet, we need to source the file on our attacking machine and transfer it to the target by a method of our choosing. The FTP server from earlier would work, but I am going to host the file with python3 -m http.server 80 (binding port 80 needs root on the attacking machine; any high port works as long as the wget URL matches) and download it on the victim with wget:
From our linpeas output, we can see some interesting directories in /:
Let’s check out /incidents:
There is a “suspicious” packet capture file that we can examine back on our attack machine. Since we are the “www-data” user, we should be able to copy this file into the directory served under /files (the writable ftp subdirectory we uploaded to earlier is a good candidate) and download it over HTTP:
Once we’ve downloaded the packet capture file, we can open it using wireshark:
This is a lot of output, but we can narrow it down with a display filter for a clear-text protocol we recognize (here, http):
Note here that one file is more interesting than the others. This is NOT the shell.php that we uploaded earlier; this is someone else’s shell. Let’s right-click this packet and follow the HTTP stream to see what happened here:
Here we can see that this attacker used a reverse shell payload pointing at port 4444. Let's filter for that traffic (tcp.port == 4444) and see what else we can find:
If we right-click one of these packets and follow the TCP stream, we can see the commands that this attacker was running and the output. Interestingly, this attacker is trying a password:
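As an added, stand-alone example (not part of the original write-up, and not the room's capture file), the following Python script does in code what the Wireshark steps above do by hand: it parses a libpcap file, lists HTTP request lines (the equivalent of the http display filter), and follows the TCP conversations on port 4444 to recover what the attacker typed into the reverse shell. The capture it operates on is constructed inline with hypothetical addresses, a hypothetical web shell path and a made-up password; to use it on the real file, read that file's bytes and pass them in place of SAMPLE_PCAP.

```python
import struct
from collections import defaultdict

# ---- constructed sample capture (NOT the room's suspicious pcap) ----
ATTACKER, VICTIM = "10.0.0.5", "10.0.0.10"   # hypothetical addresses

def _tcp_frame(src, dst, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame; checksums are left zero since we only parse."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def _pcap(frames):
    """Wrap frames in a little-endian libpcap file (magic 0xA1B2C3D4, LINKTYPE_ETHERNET)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = _pcap([
    _tcp_frame(ATTACKER, VICTIM, 51000, 80, b"GET /files/ftp/evil.php?cmd=id HTTP/1.1\r\nHost: x\r\n\r\n"),
    _tcp_frame(VICTIM, ATTACKER, 80, 51000, b"HTTP/1.1 200 OK\r\n\r\nuid=33(www-data)\n"),
    _tcp_frame(VICTIM, ATTACKER, 52000, 4444, b"$ "),                  # reverse shell: victim -> listener
    _tcp_frame(ATTACKER, VICTIM, 4444, 52000, b"sudo -l\n"),           # attacker's keystrokes
    _tcp_frame(VICTIM, ATTACKER, 52000, 4444, b"[sudo] password for www-data: "),
    _tcp_frame(ATTACKER, VICTIM, 4444, 52000, b"ConstructedPassw0rd\n"),  # made-up, not the room's
])

# ---- minimal libpcap reader (no pcapng, no seq-based reassembly) ----
def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, payload) for every TCP segment carrying data, in capture order."""
    magic = pcap[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        end = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        end = ">"
    else:
        raise ValueError("not a libpcap file (pcapng needs a different reader)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (".".join(map(str, frame[26:30])), sport,
                   ".".join(map(str, frame[30:34])), dport, payload)

def follow_stream(pcap, port):
    """Group the data segments of every conversation touching `port`, both directions
    interleaved in capture order, like Wireshark's Follow TCP Stream."""
    streams = defaultdict(list)
    for src, sport, dst, dport, data in tcp_segments(pcap):
        if port in (sport, dport):
            key = tuple(sorted([(src, sport), (dst, dport)]))
            streams[key].append(((src, sport), data))
    return dict(streams)

def http_request_lines(pcap):
    """Request lines of every HTTP request, roughly what the `http` display filter surfaces."""
    found = []
    for _, _, _, _, data in tcp_segments(pcap):
        first = data.split(b"\r\n", 1)[0]
        if first.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT") and b" HTTP/" in first:
            found.append(first.decode("ascii", "replace"))
    return found

def typed_by(pcap, port, host):
    """Everything `host` sent on conversations touching `port`. For a reverse shell on 4444
    the listener side is the attacker, so this is the attacker's input, passwords included."""
    out = b""
    for chunks in follow_stream(pcap, port).values():
        out += b"".join(d for (ip, _), d in chunks if ip == host)
    return out.decode("utf-8", "replace")

if __name__ == "__main__":
    for line in http_request_lines(SAMPLE_PCAP):
        print("HTTP:", line)
    print("attacker typed:", typed_by(SAMPLE_PCAP, 4444, ATTACKER).splitlines())
```

The reader deliberately skips sequence-number reassembly and retransmission handling, which is fine for a short capture like this one; for anything messy, export the stream from Wireshark or use a full library instead of trusting capture order.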
We can try this password over SSH with the username we noted from /home earlier (lennie) and see if we are able to connect:
Now that we have the user, we are able to grab the user flag:
Privilege Escalation
After striking out on some of the easier privilege escalation methods, I decided to try looking at running processes with pspy64, uploaded and run the same way as we did earlier with LinPEAS.
After watching the pspy64 output, we can see that every couple of minutes, a script from the “lennie” user’s home directory is being run by UID 0, also known as root!
If we can modify this file, we can affect what the file does, or even modify it to give us shell access. Let’s check out the file:
It turns out we can't write to this script. However, we are in luck! The script calls a second script that is owned by the “lennie” user, and since we are now lennie, we can modify that one to do our bidding. In this case, we can append the reverse shell command we used earlier (pointing at a fresh listener on a different port) and wait for the next run of the job, which sends us a new shell, this time running as root!
Once we catch our shell as root, we can grab the final flag:
Extra flag
This didn’t fit neatly into the walkthrough, but there is another flag on the TryHackMe flag submission panel for this machine. This asks what the secret ingredient is, and can be found at any point in our enumeration of the machine:
Thanks to elbee for the creation of this challenge!