100 Days of Hacking — DAY 9
Objectives of day 9:
- Do a TryHackMe room without seeing the hints or solutions
Reports of day 9:
So I did this: https://tryhackme.com/room/startup. The enumeration part showed the FTP port is open and anonymous upload is acceptable, so I uploaded a reverse shell.
We can’t access the user.txt, as www-data doesn’t have permission. I found a suspicious directory called incidents and opened it to find a pcapng file (forensics time babyy!).
I analyzed it with Wireshark and saw the TCP flow stream, where some user had tried to perform a reverse shell using www-data as the default user and forgot to switch user. So we can see their password, which wasn’t accepted because it wasn’t www-data’s password. The only user on this machine was lennie, so this should probably be her password.
And yeah, we got the user.txt. Now it’s time for gaining root access.
At first I didn’t know what this planner.sh would do, but I learned about cron jobs and how root can run a specific script periodically. Inside planner.sh we have print.sh, which can be modified by the user,
so I inserted a cat command inside print.sh since we have permissions to execute and get the root flag.
echo "cat /root/root.txt > /tmp/flag/f" >> print.sh
sbin/shutdown(day9)
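
Added example (not part of the original write-up): a defensive audit for the misconfiguration described above, where a script that root runs from cron calls a helper another user can modify. The function names and sample files are constructed for illustration; it assumes a POSIX shell with `find`, `mktemp` and `grep -o`.

```sh
#!/bin/sh
# Added example: flag files in a root-run script's call chain that a
# non-root user could modify. Names and sample files are constructed.

# is_tamperable PATH TRUSTED_UID
# Succeeds when PATH is not owned by TRUSTED_UID or is group/world-writable.
is_tamperable() {
    [ -n "$(find -L "$1" -prune \
        \( ! -user "$2" -o -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# audit_script SCRIPT TRUSTED_UID
# Checks SCRIPT, every existing file it names by absolute path (comment
# lines skipped), and each file's parent directory, since a writable
# directory lets a user replace the file. Prints "TAMPERABLE <path>" lines.
audit_script() {
    script=$1
    uid=$2
    {
        printf '%s\n' "$script"
        grep -v '^[[:space:]]*#' "$script" | grep -oE '/[A-Za-z0-9_./-]+'
    } | while IFS= read -r path; do
        [ -f "$path" ] || continue
        for target in "$path" "$(dirname "$path")"; do
            if is_tamperable "$target" "$uid"; then
                printf 'TAMPERABLE %s\n' "$target"
            fi
        done
    done | sort -u
}

# Constructed sample mirroring the write-up: a planner script that calls a
# world-writable helper. The trusted owner is the current user so the demo
# runs unprivileged; for a real root cron job pass 0.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n%s/print.sh\n' "$d" > "$d/planner.sh"
    printf '#!/bin/sh\necho done\n' > "$d/print.sh"
    chmod 755 "$d/planner.sh"
    chmod 777 "$d/print.sh"
    audit_script "$d/planner.sh" "$(id -u)" | sed "s|$d|SAMPLE|"
    rm -rf "$d"
}

demo
```

For a real audit, call `audit_script` with trusted UID 0 on each script that root's crontab runs; any output line is a file or directory that should be owned by root and not group- or world-writable.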