Startup
November 24, 2022
Last updated
First I simply enumerated the page by scanning open ports and directories. I found ports 21, 22, and 80 open with nmap. With gobuster I found a directory named /files that had a text file, a .png file, and an ftp directory. The text file had some information and concern about a user named Maya. However, Maya and the .png proved to not be helpful in this box. What was helpful is that the text file mentions the server has anonymous users uploading memes. With that information in mind, I logged on to the ftp server with the username: 'anonymous' and password: '<can be anything here>'.
As a side note, I had no idea you could anonymously access ftp. Only a few days ago did I see it in a book I was reading called "The Linux Command Line". In chapter 16 the author mentions this: "After the login prompt(anonymous), a password prompt will appear. Some servers will accept a blank password; others will require a password in the form of an email address. In that case, try something like user@example.com." This information saved me some time finding a solution since we already know the permissions are incorrectly set.
Once I uploaded the reverse shell, ran my netcat listener from my attacker machine, and clicked the appropriate file, I established a connection.
Once in, I stabilized the shell with python3 -c 'import pty; pty.spawn("/bin/bash")'.
I then found the secret spicy soup recipe.
As www-data, I found a username 'lennie' and another interesting directory named 'incidents'. The incidents directory had a .pcap file of an incident with a user. I copied the .pcap file from the target to my attacker machine with netcat and used Wireshark to investigate further.
It looks like the .pcap file had a password.
Logging on via ssh with these credentials gives us access to the user.txt file.
To read the contents of root.txt I noticed some other directories that had given lennie execution permissions. I added some text to the file with execute permissions and was able to read the final flag in my directory.
echo 'cat /root/root.txt > /home/lennie/root.txt' >> /etc/print.sh
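From the defender's side, the last step works because a script that an ordinary user can modify ends up being run with higher privileges (that root runs it is an assumption here; the write-up does not show how the script is invoked). The following is an added example, not part of the original write-up, that flags such scripts; the function names are hypothetical and the expected owner defaults to uid 0.

```shell
#!/bin/sh
# Added example: flag scripts run by a privileged job that an unprivileged
# user could modify. Function names are hypothetical; the expected owner
# (uid 0 by default) is an assumption about who should control the file.

# check_path PATH EXPECTED_UID
# Prints a finding and returns non-zero when PATH is missing, is owned by a
# different uid, or is writable by group or other.
check_path() {
    path=$1 want_uid=$2 bad=0
    # ls -ldn prints e.g. "-rwxrwxrwx 1 0 0 ..." (mode first, numeric uid third)
    line=$(ls -ldn -- "$path" 2>/dev/null) || { echo "MISSING $path"; return 2; }
    mode=${line%% *}
    uid=$(printf '%s\n' "$line" | awk '{print $3}')
    [ "$uid" = "$want_uid" ] || { echo "OWNER uid=$uid $path"; bad=1; }
    case $mode in
        # 6th character = group write bit, 9th character = other write bit
        ?????w*|????????w*) echo "WRITABLE $mode $path"; bad=1 ;;
    esac
    return $bad
}

# audit_script FILE [EXPECTED_UID]
# Checks the file and the directory holding it: a writable directory lets
# the file be replaced even when the file's own mode is tight.
audit_script() {
    file=$1 owner=${2:-0} rc=0
    check_path "$file" "$owner" || rc=1
    check_path "$(dirname -- "$file")" "$owner" || rc=1
    return $rc
}
```

On this box, `audit_script /etc/print.sh` is the check to run; a non-zero exit status means the file or its directory needs its ownership or mode tightened.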