TryHackMe StartUp Walkthrough: FTP Upload, PCAP Analysis & Cron to Root (Step-by-Step)
StartUp (the "SpiceHut" room) is an Easy TryHackMe room with a fun, realistic chain: abuse an anonymous FTP share with write access to drop a PHP reverse shell, get a foothold as www-data, recover a user's password from a captured Wireshark packet trace, then escalate to root by abusing a writable script run by a cron job.
It's a brilliant beginner room because it adds packet-capture analysis to the usual upload-and-escalate flow. This guide shows the commands and real output at every stage.
Output below is from a live run — your IP and timing will differ. Replace <IP> with the target IP and <YOUR_IP> with your TryHackMe VPN IP (tun0). Flag values shown are from this run; yours will match (they're static for the room).
Tools you'll use: rustscan, nmap, gobuster, an FTP client, a PHP reverse shell, netcat, and Wireshark.
Task 1 — Recon
Step 1 — Fast port scan with Rustscan
Rustscan races through all ports quickly so you know where to focus:
Step 2 — Detailed scan with nmap
Feed those open ports into nmap for service/version detection:
Reading the results: three ports — FTP (21, vsftpd 3.0.3), SSH (22), and an Apache web server (80). FTP is the obvious first target, so let's see if anonymous login is allowed.
Task 2 — Enumerate FTP
Log in anonymously (username anonymous, blank password):
Login works, and notice the ftp folder is world-writable (drwxrwxrwx). Download the files to inspect them:
Reading notice.txt:
Don't get rabbit-holed.
important.jpg is just a meme (strings, exiftool and steghide turn up nothing), and "Maya" is a red herring — the real user is revealed later in the packet capture. There's also a tiny .test.log (contents: test) confirming write activity. The key takeaway is simply that you can write to the FTP folder.
Task 3 — Web Enumeration
Browse to http://<IP>/. The homepage gives nothing obvious, so brute-force directories:
Open http://<IP>/files/ — it shows the same ftp/ folder you can write to over FTP. That means anything you upload via FTP can be executed through the browser. That's our foothold.
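The foothold exists because of one configuration combination: anonymous FTP with write access into a directory the web server also serves. The following Python audit is an added example (not part of the room or this walkthrough) that checks a host for exactly that. It parses a vsftpd configuration using the real option names and defaults from vsftpd.conf(5), reports whether anonymous users can write, whether anon_root lies under the web root, and whether any directory under anon_root is world-writable. The room's real vsftpd.conf is not shown anywhere above, so the weak and hardened configs and the temporary directory layout in demo() are constructed to mirror the behaviour observed in the walkthrough.

```python
import os
import stat
import tempfile

# Real vsftpd option names; defaults as documented in vsftpd.conf(5).
DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "anon_root": "",
}
ANON_WRITE_KEYS = ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable")


def parse_vsftpd(conf_text):
    """Parse key=value lines (comments start with #), falling back to DEFAULTS."""
    settings = dict(DEFAULTS)
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_vsftpd(conf_text, web_root=None):
    """Return findings that reproduce the room's weakness: anonymous users can
    write, and the directory they write to is served by the web server."""
    s = parse_vsftpd(conf_text)
    findings = []
    anon = s["anonymous_enable"] == "YES"
    # vsftpd only honours the anon_* write options when write_enable is also YES.
    if anon and s["write_enable"] == "YES" and any(s[k] == "YES" for k in ANON_WRITE_KEYS):
        findings.append("anonymous users can upload or modify files")
    root = s["anon_root"]
    if anon and root and web_root:
        rp, wp = os.path.realpath(root), os.path.realpath(web_root)
        if rp == wp or rp.startswith(wp + os.sep):
            findings.append("anon_root %s lies inside web root %s: uploads are reachable over HTTP" % (root, web_root))
    # Directory bits matter as much as the config: anonymous uploads only land
    # where the directory itself allows writing, so look for drwxrwxrwx.
    if anon and root and os.path.isdir(root):
        for dirpath, _dirs, _files in os.walk(root):
            if os.stat(dirpath).st_mode & stat.S_IWOTH:
                findings.append("world-writable directory %s" % dirpath)
    return findings


def demo():
    """Constructed layout mirroring what the room exposed: a web root whose
    files/ftp directory is world-writable and doubles as the anonymous FTP root.
    Returns (findings for a weak config, findings for a hardened config)."""
    web = tempfile.mkdtemp()
    files_dir = os.path.join(web, "files")
    ftp_dir = os.path.join(files_dir, "ftp")
    os.makedirs(ftp_dir)
    os.chmod(files_dir, 0o755)
    os.chmod(ftp_dir, 0o777)               # drwxrwxrwx, as seen in the FTP listing
    weak = "\n".join([                     # constructed; the room's real config is not shown
        "anonymous_enable=YES",
        "write_enable=YES",
        "anon_upload_enable=YES",
        "anon_root=" + files_dir,
    ])
    hardened = "\n".join([                 # authenticated users only, chrooted, outside the web root
        "anonymous_enable=NO",
        "local_enable=YES",
        "chroot_local_user=YES",
        "write_enable=YES",
        "anon_root=/srv/ftp",
    ])
    return audit_vsftpd(weak, web_root=web), audit_vsftpd(hardened, web_root=web)


if __name__ == "__main__":
    weak_findings, hardened_findings = demo()
    print("weak config:", *weak_findings, sep="\n  ")
    print("hardened config:", hardened_findings or "no findings")
```

On a real host you would feed it the contents of /etc/vsftpd.conf and the Apache DocumentRoot; the hardened config keeps uploads authenticated, chrooted and outside anything the web server serves, which removes both halves of the chain used here.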
Task 4 — Get a Shell (FTP Upload → Reverse Shell)
1. Prepare the reverse shell
Use the pentestmonkey PHP reverse shell — grab it from GitHub: https://github.com/pentestmonkey/php-reverse-shell (or /usr/share/webshells/php/php-reverse-shell.php on Kali). Edit two lines:
2. Upload it via FTP
3. Catch the shell
Start a listener:
Then trigger the shell by visiting it in the browser:
Your listener catches a shell as www-data:
Stabilise the shell:
Look around — the filesystem root holds a recipe.txt (the room's "secret ingredient" question) and a directory called /incidents.
Task 5 — Analyse the Packet Capture (Find Lennie's Password)
/incidents contains suspicious.pcapng. You can't run Wireshark on the target, so copy it into the web-accessible folder and download it:
Open it in Wireshark and follow the TCP streams (right-click a packet → Follow → TCP Stream). One stream shows an earlier attacker's reverse-shell session, and in the raw bytes you'll spot a password being typed in cleartext:
That spells out the password c4ntg3t3n0ughsp1c3, which belongs to the user lennie.
Task 6 — Switch to Lennie & Get the User Flag
Switch user (or, more stably, SSH in):
Or over SSH:
Task 7 — Privilege Escalation (Writable Cron Script)
Lennie can't run sudo ("lennie may not run sudo on startup"), so look at the scripts/ folder in his home directory:
planner.sh is owned by root and runs on a schedule (a cron job, firing every minute). The thing it calls — /etc/print.sh — is owned by lennie and writable by you:
You can see the cron job firing because startup_list.txt updates every minute. Since root runs /etc/print.sh for you, just put your payload in it.
Option A — print the root flag
Option B — get a root reverse shell
Start a second listener on your machine (nc -lvnp 5555), then overwrite /etc/print.sh with a reverse shell. The box runs /etc/print.sh under /bin/sh (dash), which doesn't support bash's >& /dev/tcp/... syntax, so use the shell-agnostic mkfifo + netcat payload (point it at your tun0 IP):
Within a minute the root cron job runs your line and connects back:
🎉 Box rooted!
Summary: The Attack Path
| Stage | Tool / Technique | Result |
|---|---|---|
| Recon | rustscan -> nmap | FTP (21, anon), SSH (22), HTTP (80) |
| FTP enum | Anonymous login | World-writable ftp folder |
| Web enum | gobuster | /files/ftp/ = the writable folder |
| Initial access | FTP upload + PHP reverse shell | Shell as www-data |
| Pivot | Wireshark TCP stream analysis | Lennie's cleartext password |
| User | su / ssh lennie | user.txt |
| Privilege escalation | Writable cron script /etc/print.sh | Root + root.txt |
What You Learned (and How to Defend It)
- Disable anonymous FTP — and never make a share both anonymous and writable, especially one served by the web server.
- Validate and isolate uploads. A writable web directory that executes PHP is an instant foothold.
- Use encrypted protocols. The whole pivot relied on a password sitting in cleartext inside a packet capture; FTPS/HTTPS/SSH prevent that.
- Lock down cron jobs. A root cron job that runs a user-writable script (/etc/print.sh) hands over root. Scripts run by root must be root-owned and not writable by anyone else.
Handy Reference Commands
For educational use only. TryHackMe is a legal, sandboxed lab. Never use these techniques against systems you don't own or aren't explicitly authorised to test.