【THM】Startup-Practice

TryHackMe room for this writeup: https://tryhackme.com/room/startup

Difficulty: Easy

We are Spice Hut, a new startup company that just made it big! We offer a variety of spices and club sandwiches (in case you get hungry), but that is not why you are here. To be truthful, we aren’t sure if our developers know what they are doing and our security concerns are rising. We ask that you perform a thorough penetration test and try to own root. Good luck!

Nmap

nmap -p- -sC -sV -T4 10.10.47.1
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx 2 65534 65534 4096 Nov 12 2020 ftp [NSE: writeable]
| -rw-r--r-- 1 0 0 251631 Nov 12 2020 important.jpg
|_-rw-r--r-- 1 0 0 208 Nov 12 2020 notice.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.13.38.193
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b9:a6:0b:84:1d:22:01:a4:01:30:48:43:61:2b:ab:94 (RSA)
| 256 ec:13:25:8c:18:20:36:e6:ce:91:0e:16:26:eb:a2:be (ECDSA)
|_ 256 a2:ff:2a:72:81:aa:a2:9f:55:a4:dc:92:23:e6:b4:3f (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Maintenance
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

We can log in to FTP anonymously.
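As an added defensive check (not part of the original writeup), the script below parses the ftp-anon / ftp-syst lines from the scan above, embedded here as constructed sample input, and flags the conditions that made this foothold possible: anonymous login, a world-writable directory reachable by anonymous users, and plaintext control/data channels. The names audit_ftp and NMAP_FTP_OUTPUT are assumptions of this example.

```python
import re

# Constructed sample: the FTP-related NSE lines copied from the scan above.
NMAP_FTP_OUTPUT = """\
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxrwxrwx 2 65534 65534 4096 Nov 12 2020 ftp [NSE: writeable]
| -rw-r--r-- 1 0 0 251631 Nov 12 2020 important.jpg
|_-rw-r--r-- 1 0 0 208 Nov 12 2020 notice.txt
| ftp-syst:
| Control connection is plain text
| Data connections will be plain text
|_End of status
"""

# One ls-style listing line as printed by the ftp-anon script:
# perms links uid gid size month day year/time name [NSE tag]
LISTING_RE = re.compile(
    r"^\|_?\s*([d-][rwx-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(\S+)(.*)$"
)


def audit_ftp(nmap_text):
    """Return (severity, message) findings from nmap ftp-anon/ftp-syst output."""
    findings = []
    for raw in nmap_text.splitlines():
        line = raw.strip()
        if "Anonymous FTP login allowed" in line:
            findings.append(("high", "anonymous FTP login allowed"))
            continue
        m = LISTING_RE.match(line)
        if m:
            perms, name, tag = m.group(1), m.group(2), m.group(3)
            # 'w' in the world (others) slot, or nmap's own writeable tag,
            # means anyone who can log in anonymously can drop files here.
            if perms[0] == "d" and (perms[8] == "w" or "writeable" in tag):
                findings.append(("critical", f"world-writable directory '{name}' exposed to anonymous users"))
            continue
        if "plain text" in line:  # ftp-syst: credentials and data travel unencrypted
            findings.append(("medium", "unencrypted channel: " + line.lstrip("|_ ")))
    return findings


if __name__ == "__main__":
    for severity, message in audit_ftp(NMAP_FTP_OUTPUT):
        print(f"[{severity}] {message}")
```

The writable directory is the one that later doubles as an upload path for the web server, so a finding of that kind should be treated as a web-exposure issue, not just an FTP hygiene issue.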


Download the files:

mget *

└─# cat notice.txt
Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus.


Website

Visit port 80.


GoBuster

gobuster dir --url http://10.10.47.1 -w /usr/share/wordlists/rockyou.txt -x html,php,cgi,sh,zip,bak,txt


So this means we can upload files.

Reverse shell

The FTP root directory is not writable, so we can only upload into the ftp folder.

Upload succeeded.


Reverse shell received.

python -c "import pty; pty.spawn('/bin/bash')"


Privilege escalation I (www-data -> lennie)


Second way to download the file:

# start a web server on the victim machine
python3 -m http.server

wget 10.10.47.1:8000/suspicious.pcapng


c4ntg3t3n0ughsp1c3

We can see that this is not the www-data user's password, but it might be lennie's password.

su lennie


Privilege escalation II (lennie -> root)

There are also Documents and scripts folders here.


We have write permission.

cat /root/root.txt > /tmp/root.txt
