STARTUP

 

Startup is a TryHackMe room built around a fictional new start-up company called Spice Hut. Their website is under development and they have some security concerns that they wish to test.


I began by heading to the website and manually enumerating the site. The site had very minimal functionality; I checked the source code and found nothing of interest. There is a contact link, and I was hoping to get an email address by following it, but it was empty.
I then performed a Gobuster scan to look for any pages that I might be able to access. A page named files was of particular interest.



Here I could see an FTP folder which, upon opening, turned out to be empty. I made a note of this as I might be able to upload files to it at a later stage.


I then opened important.jpg, which seemed to be of no particular interest, while notice.txt had the text below. I made a note of the name Maya, which could be a potential user or username later on. The notice also mentioned that people were able to download files from the website, which suggests there may be a way of uploading files too.



The next step was to do an Nmap scan to check for open ports on the target IP. There was an open FTP port that allowed anonymous access. I immediately thought of pentestmonkey's PHP reverse shell because of the ability to access files through the target's website.



I then edited the PHP reverse shell so it had the appropriate IP address and port number, accessed the target's FTP server using anonymous credentials and uploaded the PHP reverse shell using the put command.



I set up a Netcat listener to catch the PHP reverse shell I had uploaded to the target machine via FTP. I then triggered the reverse shell by visiting the file in the FTP folder of the target website.



Using the ls -la command, I was able to find the file recipe.txt. I then used the command cat recipe.txt to find the first flag.
 



I then upgraded my shell using Python's pty module (more info can be found here) in order to stabilise the shell and give it more functionality.



Using the ls command to take another look at the available directories, the incidents directory caught my eye. Within it there was a file called suspicious.pcapng which seemed of interest. I also found a directory called lennie which needed a password to be accessed.

I was unaware of the .pcapng file extension, but after some research I found it was a packet capture format, which contains information on packets (more details can be found at https://fileinfo.com/extension/pcapng). I then learned that these files can be read with Wireshark, which came pre-installed on the TryHackMe virtual machine.

I copied the suspicious.pcapng file to /var/www/html/files/ftp and downloaded the file to my machine.



Wireshark is a piece of software I haven't used before, so I referred to a walkthrough for this room on Medium, which can be found here. By clicking Follow > TCP Stream on one of the packets and looking through the streams, we can see some activity where a user has tried to use sudo commands and attempted a login.



I then tried this password with lennie's username and I was able to gain access. 



With this new escalated access, I was able to find the next flag.



Whilst continuing to explore what I now had access to, I found directories named scripts and Documents. Documents did not have anything of particular interest, and scripts contained files called planner.sh and startup_list.txt. The startup_list.txt file was empty.



planner.sh is a script that echoes a variable into startup_list.txt and then executes /etc/print.sh. I made a note of the location of print.sh for further investigation.



I then navigated to /etc/print.sh and found that all the script currently did was echo Done!.



I thought I would try changing the script so that it instead executed one of pentestmonkey's reverse shells whenever print.sh ran. This would give me a root reverse shell.



I set up a netcat listener to catch the reverse shell, which gave me root access to the machine and allowed me to find the root flag!




Conclusion

I really enjoyed doing this room and I still feel like I have a lot to learn. I compared the rest of my methods to the steps taken in the Medium walkthrough and found that they had spent more time finding out what privileges users had, or what privileges the planner.sh and print.sh scripts had. I had put the reverse shell into print.sh mostly based on intuition, but in future it would be better to spend more time taking note of the privileges files have.
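The privilege check the conclusion calls for, as an added example that is not part of the original writeup: given a scheduled script such as planner.sh, list every file it executes by absolute path and flag those that users other than the owner can modify, which is the misconfiguration that made the print.sh step possible. The planner.sh/print.sh fixture it builds in a temporary directory is constructed for the example, not the room's actual files.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit a scheduled script
# for the files it executes and report any that users other than the owner
# can modify. That is the misconfiguration behind the print.sh step above:
# a privileged job ran a script a low-privileged account could rewrite.
# The planner.sh/print.sh fixture below is constructed, not the room's files.

# find_writable_callees SCRIPT
# Prints each regular file referenced by absolute path in SCRIPT that is
# group- or world-writable. Returns 1 if any were found, 0 otherwise.
find_writable_callees() {
    script="$1"
    found=0
    # Crude path extraction: any token that looks like an absolute path.
    for path in $(grep -oE '/[A-Za-z0-9_./-]+' "$script" | sort -u); do
        [ -f "$path" ] || continue        # skip directories and missing files
        mode=$(ls -ldL "$path")           # -L: inspect the target, not a symlink
        case "$mode" in
            ?????w*|????????w*)           # char 6 = group write, char 9 = other write
                echo "writable by others: $path ($(printf '%s' "$mode" | cut -c1-10))"
                found=1 ;;
        esac
    done
    return $found
}

# make_fixture DIR
# Builds a constructed planner.sh that appends to startup_list.txt and then
# runs print.sh and safe.sh; print.sh is deliberately left world-writable.
make_fixture() {
    dir="$1"
    printf '#!/bin/sh\necho Done!\n' > "$dir/print.sh"
    printf '#!/bin/sh\necho ok\n' > "$dir/safe.sh"
    : > "$dir/startup_list.txt"
    printf '#!/bin/sh\nLIST="startup"\necho "$LIST" >> %s/startup_list.txt\n%s/print.sh\n%s/safe.sh\n' \
        "$dir" "$dir" "$dir" > "$dir/planner.sh"
    chmod 777 "$dir/print.sh"
    chmod 755 "$dir/safe.sh" "$dir/planner.sh"
    chmod 644 "$dir/startup_list.txt"
}

# Stand-alone run against the constructed fixture; remediation is chmod go-w.
tmp=$(mktemp -d)
make_fixture "$tmp"
find_writable_callees "$tmp/planner.sh" || echo "remediate with: chmod go-w <file>"
rm -rf "$tmp"
```

Run it against the real planner.sh on a machine you administer and it will report print.sh only if the mode bits actually allow group or world write.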








