Madness — TryHackMe — WriteUp
Hello. I’m Rahmos. Here is my Madness — TryHackMe — WriteUp. Check it out!
First, deploy the machine and nmap for opened ports.
nmap -A -T4 -v <ip>
As port 80 (HTTP) is opened, let’s access the website. It’s a default Apache website. Ctrl + U to view page source.
It’s a jpg image. However, we cannot view the image as it contains errors. So let’s use wget to download this image to our machine.
wget http://<ip>/thm.jpg
Then use hexeditor to check the image for errors.
hexeditor thm.jpg
The first line holds the file header, and it is not in the correct format for a JPEG image. Search Google for the correct JPEG header bytes and change the first line to match. After that, press Ctrl+X to save the image.
Now you can view this image.
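The same header check and repair in code, as an added example that is not part of the original write-up. It assumes the file is a JFIF-style JPEG, so the "JFIF\0" identifier at offset 6 survives even when the leading bytes have been overwritten; it only rewrites the first four bytes when that identifier is present, so it will not "repair" a file that is not actually a damaged JPEG.

```python
# Added example (not the write-up's own code): check and repair a JPEG whose
# leading bytes have been overwritten.
# Assumption: the file is a JFIF JPEG, so "JFIF\0" sits at offset 6
# (SOI FF D8, APP0 marker FF E0, 2-byte length, then the identifier).
import sys

JPEG_SOI_APP0 = bytes.fromhex("ffd8ffe0")   # SOI marker + APP0 marker
JFIF_ID = b"JFIF\x00"


def is_valid_jpeg_header(data: bytes) -> bool:
    """True when the data starts with the JPEG SOI marker FF D8 FF."""
    return data[:3] == b"\xff\xd8\xff"


def repair_jpeg_header(data: bytes) -> bytes:
    """Return data with the first four bytes restored to FF D8 FF E0.

    Repairs only when the JFIF identifier is found at offset 6; otherwise the
    data is returned unchanged rather than guessing at a header.
    """
    if is_valid_jpeg_header(data):
        return data
    if data[6:11] != JFIF_ID:
        return data
    return JPEG_SOI_APP0 + data[4:]


# Constructed sample: a JFIF header whose first four bytes were clobbered.
CORRUPTED = bytes.fromhex("deadbeef") + bytes.fromhex("0010") + JFIF_ID + bytes.fromhex("0101")


if __name__ == "__main__":
    # Usage: python repair_jpeg.py thm.jpg thm_fixed.jpg
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        blob = f.read()
    fixed = repair_jpeg_header(blob)
    print("header already valid" if fixed is blob else "header repaired")
    with open(dst, "wb") as f:
        f.write(fixed)
```

Writing to a new file rather than editing in place keeps the original evidence untouched, which matters more for forensic work than for a CTF.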
We’ve got the hidden dir: /th1s_1s_h1dd3n. Let’s access it.
Again Ctrl+U to view page source
Well here you go! His secret is between 0–99. So let’s pass an argument like this:
http://<ip>/th1s_1s_h1dd3n/?secret=0
Now we just have to try every value of ?secret= from 0 to 99. Let’s write a simple Python script to do that for us. I will show you my code here, but you can write it your own way!
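One way to write that script, added here as an example rather than the author's own code (which is not shown on the page). It assumes the URL layout from the write-up with <ip> as a placeholder. Instead of matching a known "wrong answer" message, it treats the most common response body as the failure page and reports the single candidate whose body differs; the fetch function is injected so the search logic can be exercised offline.

```python
# Added example, not the write-up's script. Tries ?secret=0 .. 99 and
# reports the one value whose response body differs from all the others.
import urllib.request
from collections import Counter
from typing import Callable, Optional, Tuple

# Assumed URL layout from the write-up; <ip> is a placeholder.
BASE_URL = "http://<ip>/th1s_1s_h1dd3n/?secret="


def fetch_http(n: int) -> str:
    """Fetch the page for one candidate value and return its body as text."""
    with urllib.request.urlopen(BASE_URL + str(n), timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def find_secret(fetch: Callable[[int], str], low: int = 0, high: int = 99) -> Optional[Tuple[int, str]]:
    """Request every candidate in [low, high] and return (value, body) for the outlier.

    The most common body is taken as the failure page. Returns None when every
    response is identical (no hit) or when more than one differs (ambiguous).
    """
    bodies = {n: fetch(n) for n in range(low, high + 1)}
    baseline, _ = Counter(bodies.values()).most_common(1)[0]
    outliers = [(n, body) for n, body in bodies.items() if body != baseline]
    return outliers[0] if len(outliers) == 1 else None


if __name__ == "__main__":
    hit = find_secret(fetch_http)
    if hit is None:
        print("no single outlier found")
    else:
        print(f"secret={hit[0]}")
        print(hit[1])
```

Comparing bodies against the majority avoids having to know the exact wording of the failure page, and refusing to guess when several responses differ keeps a noisy server from producing a false hit.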
After a while, we will get the result:
So the correct number is 73. Now we’ve got a weird string: y2RPJ4QaPF!B Maybe it’s a password for something?
Let’s take a look again at the thm.jpg. Maybe there is some hidden data inside it. Use steghide to find it out.
steghide extract -sf thm.jpg
Paste the above string when it prompts you for a password, and it works!
Now read our hidden data in hidden.txt.
Now we’ve got the username: wbxre. But it’s again not the real username but some kind of encoded string! 😡 Like the room’s name, it’s MADNESS!!
Look at the hint: it said something about “ROTten”. After a while of guessing, I found it was the ROT13 encoding. Let’s use this page to decode the encoded string:
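To skip the guessing, the following added example (not from the write-up) tries every Caesar rotation of a string so the readable one can be picked by eye; ROT13 is just the shift of 13.

```python
# Added example, not the write-up's code: list every rotation 1..25 of a
# string so the one that reads as a word stands out.


def rot(text: str, shift: int) -> str:
    """Rotate letters by `shift` positions; non-letters are left unchanged."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = "a" if ch.islower() else "A"
            out.append(chr((ord(ch) - ord(base) + shift) % 26 + ord(base)))
        else:
            out.append(ch)
    return "".join(out)


def all_rotations(text: str) -> dict:
    """Map each shift 1..25 to the rotated text."""
    return {s: rot(text, s) for s in range(1, 26)}


if __name__ == "__main__":
    for s, t in all_rotations("wbxre").items():
        print(f"ROT{s:2d}: {t}")
```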
So it’s joker. Let’s try logging in over SSH with joker and the password above.
!!!Not working!!! Seriously?? It’s all of our hint!! Where can I get the password?
Thanks to my friend who has done this room, I found another hint: it’s inside the main photo of this room! OMG!!
https://i.imgur.com/5iW7kC8.jpg
Let’s wget this image and run steghide on it to get the hidden data. Luckily no password is needed.
Now login to ssh!
ssh joker@<ip>
Success! Now we’re in. Get our first flag.
Now try to get root. First run sudo -l to see which commands joker can run as root.
Well, joker cannot run any command as root. So let’s try another way. Run sudo -V to get the sudo version.
It’s 1.8.16. And gcc is also present on this machine. So search Google for a CVE, and it led me to this link:
Download the file, compile it with gcc and transfer it to the SSH machine using scp.
gcc file-name.c -o sudo1.8.21p2exploit
*I named the file sudo1.8.21p2exploit, so remember to change it to your file’s name.
Then:
scp sudo1.8.21p2exploit joker@10.10.62.155:/tmp/
After that, on the SSH machine cd to /tmp/ and execute the binary.
Failed!! We still can’t get root! Let’s find another way. This time take a look at SUID binaries.
find / -perm -u=s 2>/dev/null
This find command lists every file with the SUID bit set.
We found screen-4.5.0. Searching for it on Google, we found a CVE:
Again, as above, download the code to your machine, compile it and transfer it to the SSH machine.
OMG it failed again!! 😔
I took a look at the code and created /tmp/libhax.c and /tmp/rootshell.c myself. Following the code, I’m now root.
Get my root flag.
The end.
HAPPY HACKING