Startup -THM

Startup is a CTF on Try Hack Me described as having “traditional vulnerabilities via nontraditional means”. I haven’t done this one before and am interested if this will point us towards Metasploit, setting up a reverse shell on a web server, or another go-to for CTF’s.

We start off with our nmap scan and directory fuzzing like usual. This has usually been a tried-and-true start for me to ramp up on what information we have in a short time; in fact, we already found a /files directory. We see ports 21, 22, and 80 open, so let's check out what comes up when we curl 80 and whether anonymous ftp login is allowed on 21.

The default landing page shows they are under maintenance and has a link to send an email. But if we check under the files directory, we find an Among Us meme and a note that someone is not happy with them being posted there! A ‘Maya’ is mentioned to be sus, maybe we can use this later.

We are able to login under an anonymous user to ftp and see that brings us to the same directory as /files. We can also see the FTP directory has all rights. I'm thinking if we can get a reverse shell sent over FTP we can get in as HTML user…

And we can! We can send a PHP shell over FTP and call it with curl or in the browser to get access as www-data. We can't use any su commands yet so let's upgrade our shell. We have python on this box so we can use the one-liner python -c 'import pty;pty.spawn("/bin/bash");'. Let's check out the root directory…and we have our recipe!

There is a user 'lennie' we can try to get into. We will need his user flag and he will probably lead us to root. In the root directory we see a folder called incidents, inside there is a pcapng file. This isn't a normal thing, especially considering it is called 'suspicious'. We can check this out with wireshark… and this was a recorded incident where someone did exactly what we did; upload a shell to ftp to connect to the machine. But this person had the password for www-data, and we can find this by following the TCP stream in wireshark!

Let's use this password c4ntg3t3n0ughsp1c3 to enumerate a bit more on www-data…. and it doesn't work. Ok so nothing for www-data, but let's just try it as lennie's password, this user was using it to try to get into lennie's home directory after all. And it IS his password! Now we can grab the user flag from his home directory and start working on root.

Getting to root was difficult, but that's because I didn't know where to check at the time. See, looking in lennie's scripts folder was planner.sh, which called /etc/print.sh. So naturally I tried spawning a shell as root in /etc/print.sh but this just wasn't working.

I was able to eventually get a shell using a named pipe, but even then it was trying to run as lennie. I just didn’t get it. As I was looking around for another angle I left my listener open and suddenly it connects as root! I didn’t understand, there were no cron jobs listed. But looking at the processes for lennie I saw that planner.sh was running every minute as root as an automated process, outside of cron initially. So go to root and grab the flag!
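From the defender's side, the misconfiguration here is a root-run script (planner.sh) that calls a file other users can write (/etc/print.sh). The audit below is an added example, not code from the room or the write-up: it reads `ps -eo user,args` style lines, collects scripts run by root processes, follows the scripts those scripts call, and flags any that are group- or world-writable. The process listing and file layout are constructed in a temp directory so it runs offline; the path /home/lennie/scripts/planner.sh is an assumption.

```python
import os
import re
import stat
import tempfile

# Absolute paths ending in a common script extension, e.g. /etc/print.sh
SCRIPT_RE = re.compile(r"(/\S+\.(?:sh|py|pl))\b")


def audit_root_scripts(ps_lines, base="/", depth=2):
    """Sorted paths of group/world-writable scripts reachable from root
    processes, following scripts they call. `base` re-roots paths (demo)."""
    queue = []
    for line in ps_lines:
        parts = line.split(None, 1)  # user, full command line
        if len(parts) == 2 and parts[0] == "root":
            queue += [(p, 0) for p in SCRIPT_RE.findall(parts[1])]
    seen, findings = set(), set()
    while queue:
        path, level = queue.pop()
        real = os.path.join(base, path.lstrip("/"))
        if path in seen or not os.path.isfile(real):
            continue
        seen.add(path)
        # Flag files that group or other users may modify.
        if os.stat(real).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.add(path)
        if level < depth:  # planner.sh -> /etc/print.sh is one hop
            with open(real, errors="replace") as fh:
                queue += [(p, level + 1) for p in SCRIPT_RE.findall(fh.read())]
    return sorted(findings)


def demo():
    """Constructed layout: root runs planner.sh, which calls world-writable /etc/print.sh."""
    base = tempfile.mkdtemp()
    files = {"home/lennie/scripts/planner.sh": ("#!/bin/bash\n/etc/print.sh\n", 0o755),
             "etc/print.sh": ("#!/bin/bash\necho daily report\n", 0o777)}
    for rel, (body, mode) in files.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
        os.chmod(full, mode)
    ps = ["USER     COMMAND",  # constructed `ps -eo user,args` output
          "root     /bin/bash /home/lennie/scripts/planner.sh",
          "lennie   -bash",
          "www-data /usr/sbin/apache2 -k start"]
    return audit_root_scripts(ps, base=base)  # -> ['/etc/print.sh']
```

On a real host, feed it `ps -eo user,args --no-headers` output with the default base; anything it returns should be owned by root and mode 0755 or tighter.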

I really like this machine because everything really was a little different. I learned not just to check cron but to check for other automated processes that may not be set up the traditional way. I had a lot of fun with this one!