Having fun with TryHackMe again. So, here is the write up and guideline to pass this Easy Peasy challenge.

Room: https://tryhackme.com/room/wgelctf
Level: Easy

Task: Can you exfiltrate the root flag?

As usual, open the browser with the machine IP

Lets see if something is hidden in the source code.

There is a comment there. Someone name as jessie there. Could be the login username. Lets see which port is open for this IP

Only 2 port opened — 22 and 80. Tried hydra to brute ssh password using username ‘jessie’ but it took so long for easy task. Canceled it and run gobuster then,

Found hidden path. Let’s see it

Spent 15 minutes here finding a clue in this sitemap but there is no form / file upload. Just a plain HTML code. So, run the gobuster once again, if there is any hidden path which not showing here

Aha! I knew it.

Download the private key then and create the public key from it.

Now, enter the machine using jessie username

The usual place, there is no sign of flag. Just find all in every directory for all existing text file

Found the path!

Found the user flag! Now hunt for the root flag

Ok now, referring to GFTObins

From wget command, we can replace any root file. Let see if cron is running so that we can replace the file

Alright! It’s running. Create simple a shell script named as “root.sh” and save

From your machine, create new crontab file

and serve folder that contain edited crontab file

Now, new crontab available to download from victim machine. Using sudo command,

And wait the command to trigger….

Ahak! it’s working. Lets see if flag file available in root folder

Ok now, edit the root.sh file back and output the content of the file

And wait the command to trigger….

Found the root flag!! Now the mission is completed!!

Software Engineer at Teratotech.com

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store