TryHackMe: Road

Today we will take a look at TryHackMe: Road. Please try to understand each step and take notes. This time, our machine has an Application Logic vulnerability. We can access the admin panel by making small changes to the outgoing request.

Information Gathering

First of all, let’s look at the necessary information on the website.

We found an email address extension, let’s save it.

When we press the Merchant central button, we are greeted by a panel. Let’s register.

Exploitation

When you want to upload a reverse shell to a profile photo from the settings section, we see that it will only be possible by the admin.

When we check other sections, we see the password change section.

Let’s change our password and track traffic with burp.

We know the admin email address. Why not check?

And booom. Password changed. Let’s check

Let’s check to get reverse shell

Let’s take a look at the answer that comes with Burp.

We found the directory. It’s time to get the reverse shell

Perfecto

User.txt

Privilege escalation

The first thing I do when I get a shell is check the gcc. If the target machine is running, I run CVE-2021–4034 (pwnkit) vulnerability. But of course you can find another way as linpeas.sh or manually.

And now we are the root

“If you have any questions or comments, please do not hesitate to write. Have a good days”

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store