
Hello Everyone
This is a machine on TryHackMe and it was released by ReddyyZ. It is a CTF for beginners.
Let’s deploy the machine:

Let’s start by checking whether the VM is alive.

As you can see in the image below, the machine is reachable.
Now let’s move ahead and check whether it serves anything on its web page:

Let’s move ahead to Task 2:

Scan the machine, how many ports are open?

What version of Apache is running?

What service is running on port 22?

Find directories on the web server using the GoBuster tool.

What is the hidden directory?

So, as you can see Task 2 is completed:

Let’s move to Task 3:

Let’s move to /panel directory:

Also I checked the /uploads directory:

Let’s try uploading a reverse shell and getting a shell on the target system.
I tried uploading a .php file but I got an error, as shown below:


The message was in Portuguese and it means PHP is not allowed.
Then I tried uploading the same file renamed to file.php2. It uploaded successfully, but I didn’t get the shell:

Then I renamed the file to file.phtml:


I started a netcat listener, accessed the uploaded file, and got a shell on the target system:

Then I searched for user.txt and found its location:

Then I grabbed the user.txt flag and completed Task 3:
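
The three upload attempts above are consistent with a filter that refuses only the literal .php extension. The following is an added example, not code from the room or from this post, that contrasts such a denylist with an allowlist that checks extension and magic bytes and renames the file; the denylist's behaviour, the allowed image types and all function names are assumptions.

```python
import os
import secrets
from typing import Optional

# Assumption: the filter behaves like a denylist of the literal ".php" suffix,
# which is consistent with the three upload attempts described above.
DENYLIST = {".php"}

# Hypothetical allowlist for an image-only upload form: extension -> magic bytes.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def denylist_accepts(filename: str) -> bool:
    """Weak check: anything that is not exactly .php gets through."""
    return os.path.splitext(filename)[1].lower() not in DENYLIST


def allowlist_store_name(filename: str, data: bytes) -> Optional[str]:
    """Return a server-generated storage name, or None to reject the upload."""
    if "\x00" in filename:
        return None
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    magics = ALLOWED.get(ext)
    if magics is None or not data.startswith(magics):
        return None
    # Drop the client-supplied name: "x.php.jpg" never reaches the disk.
    return secrets.token_hex(16) + ext


# Constructed sample uploads: (client filename, first bytes of the body).
SAMPLES = [
    ("file.php", b"<?php"),
    ("file.php2", b"<?php"),
    ("file.phtml", b"<?php"),
    ("photo.JPG", b"\xff\xd8\xff\xe0"),
    ("x.php.jpg", b"\xff\xd8\xff\xe0"),
    (".htaccess", b"AddType"),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(f"{name:12} denylist={denylist_accepts(name)!s:5} "
              f"allowlist={allowlist_store_name(name, body)}")
```

A magic-byte check does not stop files that are valid images and also contain script code, so the upload directory should additionally be served with script execution disabled or kept outside the web root.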

Let’s move to Task 4:

Now that we have a shell, let’s escalate our privileges to root.
Search for files with SUID permission, which file is weird?
The command for that is:
find / -type f -user root -perm -4000 2>/dev/null

Find a form to escalate your privileges.

root.txt
Let’s make our shell a stable one:
python -c 'import pty; pty.spawn("/bin/bash")'

Check the privilege escalation commands at https://gtfobins.github.io/ and do some research.
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

Let’s search for root.txt and the command for that is:
find / -name root.txt

Hey I got the root.txt
Amazing writeup! Everything is explained very clearly 😀
Hello Bhavika, thanks for taking the time to read the post, glad that you liked it.