{THM} Startup
We are Spice Hut, a new startup company that just made it big! We offer a variety of spices and club sandwiches (in case you get hungry), but that is not why you are here. To be truthful, we aren't sure if our developers know what they are doing and our security concerns are rising. We ask that you perform a thorough penetration test and try to own root. Good luck!
As a basic first step, let's start with nmap to look for open ports and the services this machine is running.
From this result we know that this machine accepts anonymous FTP login. At the same time, notice that the ftp directory is writable. YOUKNOWWHATWECANDO..
Since the ftp directory is writable, let's put our payload there.
Next, we need to open our payload through the web server. I did the classic move of scanning the web server for directories (gobuster). Notice that /files is a directory, so let's go there.
It shows the same content as the FTP port. Let's go into the ftp directory and launch our payload.
VOILA!! We got access as www-data. It shows the first directory, and I noticed a notice there. I just moved on to /home and found lennie there. Unfortunately, permission denied. Let's go through it again from the start. Notice that the incidents directory has something valuable. Let's download it.
From analysis of the pcap file, I found something interesting. We got some credentials here.
Lennie: c4ntg3t3n0ughsp1c3
Let's proceed to lennie.
Before we go further, let's make the shell stable first. Then we can access lennie's directory and get the first flag.
I went deeper into lennie's folder and noticed that it has a scripts file. Why scripts?? Let's check what it is.
It looks like a scheduled task (cron job). Since it runs every minute, let's modify the print.sh file by adding a reverse shell to it.
After that, just wait for the schedule to run. And we're in as root.
There is the root flag.
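
An added example, not part of the original write-up: a defender-side audit for the misconfiguration behind the last step, where a job that runs on a schedule as root executes a file that a non-root account can modify. The file names in `demo()`, the `trusted_uids` parameter and the regex-based path extraction are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Absolute paths mentioned in a shell script (simple heuristic, not a shell parser).
PATH_RE = re.compile(r"(?<![\w.])/(?:[\w.\-]+/)*[\w.\-]+")

def weak_reasons(path, trusted_uids=(0,)):
    """Return why an account outside trusted_uids could alter or replace `path`."""
    reasons = []
    for target, label in ((path, "file"), (os.path.dirname(path) or "/", "parent dir")):
        try:
            st = os.stat(target)
        except OSError:
            continue
        if st.st_uid not in trusted_uids:
            reasons.append(f"{label} owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append(f"{label} is group/world-writable")
    return reasons

def audit_job(script, trusted_uids=(0,)):
    """Check a script run by a privileged scheduler and every file it references."""
    findings = {}
    with open(script, encoding="utf-8", errors="replace") as fh:
        referenced = set(PATH_RE.findall(fh.read()))
    for path in [script, *sorted(referenced)]:
        if os.path.isfile(path):
            reasons = weak_reasons(path, trusted_uids)
            if reasons:
                findings[path] = reasons
    return findings

def demo():
    """Constructed layout: a locked-down job script that calls a loosely permissioned helper."""
    root = tempfile.mkdtemp()  # created 0700, owned by the current user
    job, helper = os.path.join(root, "job.sh"), os.path.join(root, "helper.sh")
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\necho done\n")
    with open(job, "w") as fh:
        fh.write(f"#!/bin/sh\ndate > /dev/null\n{helper}\n")
    os.chmod(job, 0o755)
    os.chmod(helper, 0o777)  # the weak link: anyone can rewrite what the job executes
    return job, helper, audit_job(job, trusted_uids=(0, os.getuid()))

if __name__ == "__main__":
    print(demo()[2])
```

On a real host, call `audit_job()` with the default `trusted_uids=(0,)` on each script listed in root's crontab; any finding means the job's behaviour can be changed by an unprivileged account.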