TryHackMe is an amazing platform to learn cyber security, and it’s an amazing asset if you are new to the field and don’t know where to start. They have rooms that are basically vulnerable machines you can deploy and practice your skills on. The best part about TryHackMe is that it’s pretty hands-on. If you are new to security, make sure you give it a try.
So after deploying the machine on the TryHackMe portal, we get an IP to access this machine. It is going to be different every time you deploy it, so your ROOM-IP might be different from mine.
We need to know what services are running behind the scenes and what ports are open, so we are going to use a tool called nmap.
Having ports 80 and 443 open indicates we have a website running, so we open https://10.10.71.122 in our browser.
The website is a Mr. Robot themed site. Running the commands shown in the picture just redirects to other pages with images and videos from the Mr. Robot TV show.
Since we have a website, we would like to enumerate its directories to see whether things like a login page or an admin portal exist.
So we will be using a tool called gobuster, which takes an existing wordlist of common directory names, tries to load every name in that wordlist and then looks at the status code returned. (If you are using Kali or ParrotOS, then you can find these wordlists at
Now let’s take a look at the directories with status code 200.
Key 1 : Captured!
Now let’s take a look at fsocity.dic.
Let’s use this dictionary to perform a dictionary attack on the login page we saw earlier.
Let’s try admin:admin to login:
Using BurpSuite to intercept the login request.
The username and password fields by
Performing a dictionary attack using Hydra
The dictionary would be fsocity.dic. In this case we received a wordlist from the target itself; in other cases we would try common usernames and then common passwords. You can find these and all the other lists at https://github.com/danielmiessler/SecLists.
So first we will try to find the username while keeping the password constant, then we will use the found username to get the password.
Username changes, password constant
We get username as Elliot.
Let’s try to login with Elliot:test
Username constant, password changes
We get a 9-digit password: *********
Using Elliot:********* to login:
The site is running WordPress 4.3.1.
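The Hydra run above produces a very recognisable trace on the server side: one source address sends hundreds of POSTs to wp-login.php in a few seconds. The following detector, an added example that is not part of the original writeup, parses Apache combined-format access log lines and flags any client whose failed login POSTs exceed a threshold inside a sliding time window. It assumes WordPress's usual behaviour of answering a failed login with a 200 (the form is re-rendered) and a successful one with a 302 redirect; the log lines are constructed for the example, not taken from the room.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Apache combined log format: ip ident user [ts] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def _line(ip: str, ts: str, method: str, status: int) -> str:
    """Build one constructed access-log line (sample data, not a real capture)."""
    return f'{ip} - - [{ts} +0000] "{method} /wp-login.php HTTP/1.1" {status} 0 "-" "Mozilla/5.0"'


# Constructed sample: 10.0.0.5 is a normal user; 10.0.0.9 sprays 24 wrong
# passwords in four seconds and then gets a 302 (a guess succeeded).
SAMPLE_LOG: List[str] = (
    [_line("10.0.0.5", "10/Mar/2020:14:01:01", "GET", 200)]
    + [_line("10.0.0.9", f"10/Mar/2020:14:01:{2 + i // 6:02d}", "POST", 200) for i in range(24)]
    + [
        _line("10.0.0.9", "10/Mar/2020:14:01:06", "POST", 302),
        _line("10.0.0.5", "10/Mar/2020:14:02:00", "POST", 302),
    ]
)


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, str, int]]:
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])


def detect_login_bruteforce(
    lines: Iterable[str], threshold: int = 10, window_seconds: int = 60
) -> Dict[str, Tuple[int, bool]]:
    """Map each offending source IP to (peak failed POSTs within one window,
    whether a 302 'success' followed the last failure)."""
    events: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path == "/wp-login.php":
            events[ip].append((ts, status))

    alerts: Dict[str, Tuple[int, bool]] = {}
    for ip, evs in events.items():
        evs.sort()
        failures = [ts for ts, st in evs if st == 200]
        # Sliding window over the sorted failure timestamps: peak is the
        # largest number of failures that fit inside window_seconds.
        start, peak = 0, 0
        for end in range(len(failures)):
            while (failures[end] - failures[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_failure = failures[-1]
            success_after = any(st == 302 and ts >= last_failure for ts, st in evs)
            alerts[ip] = (peak, success_after)
    return alerts


if __name__ == "__main__":
    for ip, (count, success) in detect_login_bruteforce(SAMPLE_LOG).items():
        verdict = "and then LOGGED IN" if success else "no success seen"
        print(f"{ip}: {count} failed wp-login.php POSTs in one window, {verdict}")
```

The `success_after` flag is the one worth paging on: a burst of failures followed by a redirect means a guess landed, which is exactly what happened with Elliot's account here. Rate limiting wp-login.php (or fronting it with a fail2ban-style block on this pattern) removes the attack vector the writeup relies on.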
Now we need to open a reverse shell, so let’s try to use php-reverse-shell. Kali and ParrotOS already have it. All you have to do is
If you do not have Kali or ParrotOS, you can simply google it and find it easily.
Opening a reverse-shell
In wp-admin, go to the left navigation bar and select Appearance → Editor, then select Archives (archive.php) on the right.
Once Archives is open, paste php-reverse-shell.php into the Edit section.
Now we have to edit the value of the variable IP and set it to our own IP, so that when the reverse shell is opened it knows which IP to connect back to.
You can change the port if you want; just remember the port you change it to.
Click Update and open netcat to listen on port 1234.
Now let’s open archive.php. Check what theme the site is running and open the theme as shown below.
We need to be the user robot to read key-2-of-3.txt, but we can still read password.raw-md5. So let’s do that.
Let’s use John the Ripper to crack this MD5 hash.
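The reason John finishes in seconds here is the storage format, not the tool: a raw, unsalted MD5 of a password costs one hash per guess, so any dictionary word is recovered instantly. The snippet below, an added example rather than anything from the room, shows that weakness on a constructed hash (the MD5 of the deliberately weak password "abc123"; Elliot's real password is not used) and puts the fix beside it, a salted, memory-hard scrypt record with constant-time verification via the standard library.

```python
import hashlib
import hmac
import os
import re
from typing import Iterable, Optional

RAW_MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

# Constructed sample: md5("abc123"), and a tiny wordlist that contains it.
SAMPLE_RAW_MD5 = "e99a18c428cb38d5f260853678922e03"
SAMPLE_WORDLIST = ["password", "letmein", "abc123", "qwerty"]

# scrypt cost parameters (work factor chosen for interactive logins).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def looks_like_raw_md5(stored: str) -> bool:
    """Heuristic used when auditing credential files: 32 hex chars, no salt, no scheme tag."""
    return bool(RAW_MD5_RE.match(stored))


def dictionary_hit(raw_md5_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose plain MD5 equals the stored hash.
    One cheap hash per candidate and no salt is why a world-readable
    password.raw-md5 is as good as plaintext."""
    target = raw_md5_hex.lower()
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def store_password(password: str) -> str:
    """Produce a 'scrypt$N$salt$digest' record with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(
        password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN
    )
    return f"scrypt${SCRYPT_N}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute scrypt with the stored salt and compare in constant time."""
    try:
        scheme, n, salt_hex, digest_hex = record.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(
            password.encode(), salt=bytes.fromhex(salt_hex),
            n=int(n), r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
        )
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:
        # Malformed record (wrong field count, bad hex, bad N): never a match.
        return False


if __name__ == "__main__":
    print("raw MD5 recovered from wordlist:", dictionary_hit(SAMPLE_RAW_MD5, SAMPLE_WORDLIST))
    record = store_password("abc123")
    print("hardened record:", record)
    print("verify correct password:", verify_password("abc123", record))
    print("verify wrong password:", verify_password("abc124", record))
```

Each scrypt guess costs 16 MiB of memory and milliseconds of CPU, and the per-record salt forces the attacker to redo that work for every user, which turns the seconds-long dictionary run in the writeup into an impractical one. Any credential store where `looks_like_raw_md5` returns true is a finding in its own right.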
Switching to user robot
Key 2 : Captured!
Now to capture the 3rd flag we need to get to root, so we will perform privilege escalation. For that we need to figure out which programs have the SUID bit set (a permission value of at least 4000).
Privilege escalation using nmap
Nmap has the SUID bit set. A lot of the time administrators set the SUID bit on nmap so that it can be used to scan the network efficiently, as many of nmap’s scanning techniques do not work unless it is run with root privileges.
However, older nmap versions have an interactive mode which allows you to escape to a shell. If nmap has the SUID bit set, it runs with root privileges and we can get a ‘root’ shell through its interactive mode.
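The same search the writeup runs by hand is what a host audit should run on a schedule, with the twist that it compares the result against a known baseline so that a stray set-uid nmap stands out. The script below is an added example, not part of the writeup: it walks the filesystem without following symlinks, keeps regular files owned by root with the set-uid bit (the equivalent of `find / -perm -4000 -user root -type f`), and reports anything missing from an allow list. The allow list here is constructed for illustration; a real one should be recorded from a known-good image of the same system.

```python
import os
import stat
from typing import Dict, Iterable, List

# Constructed allow list (assumption): set-uid-root binaries you would expect on
# a typical Debian-style host. Record your own baseline from a clean build.
EXPECTED_SUID = frozenset({
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
    "/usr/bin/gpasswd",
})

# Pseudo-filesystems that hold no real binaries and are slow to walk.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def is_setuid_root(mode: int, uid: int) -> bool:
    """True when the st_mode carries the set-uid bit and the owner is uid 0."""
    return bool(mode & stat.S_ISUID) and uid == 0


def find_suid(root: str = "/") -> Dict[str, int]:
    """Return {path: st_mode} for every set-uid-root regular file under root.
    Symlinks are not followed, so a link to a set-uid binary is not double counted."""
    hits: Dict[str, int] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune pseudo-filesystems in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry; skip rather than abort
            if stat.S_ISREG(st.st_mode) and is_setuid_root(st.st_mode, st.st_uid):
                hits[path] = st.st_mode
    return hits


def unexpected_suid(found: Iterable[str], baseline: Iterable[str] = EXPECTED_SUID) -> List[str]:
    """Paths that are set-uid root but absent from the baseline, sorted for stable reports."""
    return sorted(set(found) - set(baseline))


def main() -> None:
    found = find_suid("/")
    for path in unexpected_suid(found):
        print(f"UNEXPECTED set-uid root binary: {path} mode={oct(found[path] & 0o7777)}")


if __name__ == "__main__":
    main()
```

For nmap specifically the remediation is to drop the bit (`chmod u-s`) and, if unprivileged users genuinely need raw-socket scans, grant `cap_net_raw` with `setcap` instead; a capability does not hand out a root shell the way the interactive mode of a set-uid binary does.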
Key 3 : Captured!
I’ve had an amazing time in this room and learned a lot. TryHackMe has tons of other rooms, each different from the others, which gives a huge learning opportunity as well. I’ll try to upload writeups of rooms that I found interesting. For now, I hope you also learned something from this writeup. Cheers! 🍺
Now, let me shamelessly ask you to
- Opening php-reverse-shell for WordPress (https://pentaroot.com/exploit-wordpress-backdoor-theme-pages/)
- Opening a terminal using Python (https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/)
- Privilege escalation using nmap (https://payatu.com/guide-linux-privilege-escalation)