Having fun with TryHackMe again. So, here is the write-up and guideline for passing the Madness challenge.

Room: https://tryhackme.com/room/madness
Level: Easy

Task: Use your skills to access the user and root account!

As usual, open the IP in the browser and run Nmap as well.

There are 2 ports open: SSH and HTTP. Never mind, we can come back to them later. So, proceed to the webpage. There is no suspicious string on this page except the dead link at the top. Let's look at the source code.

Okay, there is a hint there. It might be related to the dead link. So, let's download it.

It's in the wrong format. I tried renaming it, but that didn't work. After searching for a solution for quite some time, I found there is a problem with the file header. I'm referring to this page to fix the header: https://www.file-recovery.com/jpg-signature-format.htm

Fix the first line according to the JPEG signature and save.
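The header repair from the step above, as an added Python example (not code from the original post): it restores the JFIF signature bytes and then walks the marker chain to confirm the rest of the file is still intact. The sample bytes and the corruption are constructed here, and the assumption is that the damage is confined to the first 13 signature bytes.

```python
# JPEG/JFIF signature: SOI (FF D8), APP0 (FF E0), length 0x0010, "JFIF\0",
# version 1.01. These are the bytes the hex-editor fix in the write-up restores.
JFIF_SIGNATURE = bytes.fromhex("FFD8FFE000104A464946000101")

MARKER_NAMES = {0xE0: "APP0", 0xE1: "APP1", 0xDB: "DQT", 0xC0: "SOF0",
                0xC2: "SOF2", 0xC4: "DHT", 0xDA: "SOS"}

def is_jpeg(data: bytes) -> bool:
    """Every JPEG starts with SOI (FF D8) followed by another FF-prefixed marker."""
    return data[:3] == b"\xff\xd8\xff"

def repair_jfif_signature(data: bytes) -> bytes:
    """Overwrite only the signature bytes; tables and scan data are left untouched
    (assumption: the damage is confined to those first 13 bytes)."""
    if is_jpeg(data):
        return data
    if len(data) < len(JFIF_SIGNATURE):
        raise ValueError("file too short to be a JPEG")
    return JFIF_SIGNATURE + data[len(JFIF_SIGNATURE):]

def walk_markers(data: bytes) -> list:
    """Walk the segment chain up to SOS and report the markers seen.
    A clean walk ending in SOS/EOI is the check that the signature fix was enough."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    names, pos = ["SOI"], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        names.append(MARKER_NAMES.get(marker, f"0x{marker:02X}"))
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            break
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")  # length incl. itself
    if data[-2:] == b"\xff\xd9":
        names.append("EOI")
    return names

def build_sample_jpeg() -> bytes:
    """Constructed JPEG-shaped bytes: valid segment layout, not a decodable picture."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    dqt = b"\xff\xdb\x00\x43\x00" + bytes(64)          # one 8-bit quantisation table
    sof0 = b"\xff\xc0\x00\x0b\x08\x00\x08\x00\x08\x01\x01\x11\x00"  # 8x8, 1 component
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + dqt + sof0 + sos + b"\x12\x34\x56" + b"\xff\xd9"

def corrupt_signature(data: bytes) -> bytes:
    """Simulate the challenge file: the signature bytes replaced with junk (constructed)."""
    return b"THM_CORRUPT__" + data[len(JFIF_SIGNATURE):]
```

Run `walk_markers(repair_jfif_signature(corrupt_signature(build_sample_jpeg())))` to see the chain come back as SOI, APP0, DQT, SOF0, SOS, EOI; a file whose damage goes past the signature will instead fail the walk with the offset of the first bad marker.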

The image shows a hint to the hidden directory. Let's open it in the browser.

Just a dead end. It says to guess his secret. “Secret Entered” is suspicious there. Where is the input??

Let's try gobuster first.

Still no luck. Might it be a query string? But which query string is used? So I'm using the Arjun tool to brute-force the query strings available on this page.

OK, now it makes sense. The hint shows the “secret” parameter is only in the range 0–99. Let's create a simple Python script.

Got the secret: y2RPJ4QaPXXX. Hmm.. But what for?? I tried to decode it first using CyberChef, but no luck. So which secret is this? I think it's related to the images.

Let's try this image first using steghide, without and with the secret code from earlier.

Wait what? LOL..

This image actually contains a secret password in it.. okay, save it for later then. So no need to try with the secret code (y2RPJ4QaPXXX).

Let's try the other image (the binary-looking image).

Without the secret code it failed,

OK now, the username is found! It might go with the password from the “madness” image. I think we found the SSH credentials. Let's try.

Sh*t, what happened? The hint says something like “ROT with this name”. Okay, now I understand: use CyberChef to get the real username.

Okay, yes, we successfully gained access as the user. Now the user flag is found! Time for root.

Check if anything is running in crontab.

No luck here. “This room is part of the Turmoil series”. So let's see if we can find any file containing the word turmoil on this server.

Also no luck.

There is no vulnerability recorded in Exploit-DB.

Tried all of them. Not working 😅 The newer version has already fixed it. Browsing the folders to see what can be done right now… After 4 hours….

Found something: the GNU Screen application has been replaced. Googling GNU Screen, I found an exploit for that version: https://www.exploit-db.com/exploits/41154

So, follow the script's steps. Create 2 files, libhax.c and rootshell.c.

Then, run the following command,

Now we are officially root!!!

Done!!! It's harder than I expected. LOL

Software Engineer at Teratotech.com