THM Startup Walkthrough
As usual, we can start with an Nmap scan.
We have 3 ports open: FTP, SSH, and a web server. Let’s run gobuster and check out FTP and see if we can do an anonymous login.
We were able to log in anonymously to the FTP server, but the files that were on it didn’t have anything of interest. Let’s go check gobuster and see if it has found anything.
It looks as if gobuster has found a single directory named files.
Going to /files, we can see that it is the same stuff as on the FTP server. Let’s see if we can upload something.
Looks like the test file uploaded successfully, and we can see it on the webserver. Let’s upload a PHP web shell and see if it will render.
Everything works, and we have a functioning web shell!
Let’s start to enumerate the server and see what we can find.
Taking a look at the passwd file, we can see that the only user is lennie.
Having a look at the root directory, we can see a few files that are not normally there and a very interesting folder. Let’s go take a look in the incidents folder and see what we can find.
Looks like we found a pcapng file. We can move this file to the FTP folder, download it, and take a look. Let’s go ahead and do that.
Using strings, we can see the contents of the file. Looking over the file we can see a potential password. Let’s try using it to log in to lennie.
We can ssh into lennie’s account and get the user flag.
We got user, let’s enumerate some more to see if we can get root.
I uploaded pspy and it looks like planner.sh is run every minute. Let’s go see what it is doing.
The script looks like it is echoing something to the startup_list.txt file, then running another script. Let’s take a look and see what this other one is.
Looking at this script, it is doing nothing important. However, it looks as if we can write to it. Let’s modify the script and make it send a shell back to us.
I added a simple command that will send a bash shell back to us when executed by the cronjob, then started up a listener.
After a few seconds, we get a connection and can get the root flag.
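From the defender's side, the weakness in this last step is a root-scheduled script (planner.sh) that runs a second script a regular user can modify. The check below is an added example, not part of the original walkthrough: it reports every script in that chain that an account other than the trusted owner could change. helper.sh and the temporary directory are constructed stand-ins, and the trusted uid defaults to 0 (root).

```shell
#!/bin/sh
# Added example: audit a scheduled script and the files it references.

# unsafe_reason FILE TRUSTED_UID
# Prints why an account other than TRUSTED_UID could alter FILE;
# prints nothing when the file and its directory are locked down.
unsafe_reason() {
    if [ -n "$(find "$1" -prune ! -user "$2")" ]; then
        echo "not owned by uid $2"
    elif [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "group- or world-writable"
    elif [ -n "$(find "$(dirname "$1")" -prune \
            \( ! -user "$2" -o -perm -020 -o -perm -002 \))" ]; then
        echo "directory lets another account replace it"
    fi
}

# audit_script SCRIPT [TRUSTED_UID]   (TRUSTED_UID defaults to 0, root)
# Checks SCRIPT and every absolute path named on its non-comment lines.
audit_script() {
    trusted=${2:-0}
    {
        echo "$1"
        grep -v '^[[:space:]]*#' "$1" | grep -oE '/[A-Za-z0-9_./-]+'
    } | sort -u | while IFS= read -r path; do
        [ -f "$path" ] || continue          # skip paths that do not exist yet
        reason=$(unsafe_reason "$path" "$trusted")
        if [ -n "$reason" ]; then
            echo "UNSAFE $path: $reason"
        fi
    done
}

# Constructed sample: a scheduled script that calls a world-writable helper.
# The current user stands in for the trusted owner so this runs unprivileged.
sample=$(mktemp -d)
printf '#!/bin/sh\necho ok\n' > "$sample/helper.sh"
printf '#!/bin/sh\necho item > %s/startup_list.txt\n%s/helper.sh\n' \
    "$sample" "$sample" > "$sample/planner.sh"
chmod 755 "$sample/planner.sh"
chmod 777 "$sample/helper.sh"
audit_script "$sample/planner.sh" "$(id -u)"
rm -rf "$sample"
```

On a real host, run audit_script as root against each script the cron entries call and fix ownership and mode on anything it reports.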
- @ September 12, 2021 6:19 am