Madness | TryHackMe Writeup

Nihir Zala
9 min readMar 13, 2023


Create a directory for your CTF machine on Desktop and a directory for Nmap within the CTF directory.

Let’s dive in the madness!! Enjoy the flow!

Tasks List

Nmap Scan :

nmap -sC -sV -p- -oN nmap/madness <TARGET_IP>

-sC : Run the default NSE scripts
-sV : Version detection
-p- : Scan all 65535 ports
-oN : Save normal-format output to the ‘nmap’ directory you created earlier

There are 2 ports open:
22/ssh- OpenSSH 7.2p2
80/http- Apache/2.4.18
OS Detected- Ubuntu Linux

Navigate to http://<TARGET_IP>

It’s the Apache default page. It’s always good to check the source code of the page for any interesting information laid out that could be helpful in our enumeration process. View the source of the page [Ctrl+U].

There is a comment that states they will never find me. Never mind, we will find him eventually. Above the comment we can see a ‘thm.jpg’ file, so that is the file we are meant to inspect. We will open thm.jpg to see its contents, but it won’t open because the image contains errors.

We can download the image using ‘wget’ on our host machine.

Analyse the file with ‘file’ command.

An image file (png, jpg, jpeg, etc.) reported as corrupt or containing errors usually means its file signature (the leading ‘magic’ bytes) does not match the extension, and a wrong signature stops viewers from opening it. In other words, we have to edit the file signature of ‘thm.jpg’ in a hex editor so that it matches the expected signature for the image type.

I have linked the list of file signatures below:

List of file signatures (en.wikipedia.org)

Scroll down and we can find the file signatures for jpg/jpeg.

We have to modify the hex of the jpg file using ‘hexeditor’ command.

Replace the hex on the first line so it matches the signature we found earlier; the image will then open and we will be able to look inside it. Save with [Ctrl+O] and exit the editor with [Ctrl+X].
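An added example, not part of the original writeup, that performs the same signature check and header repair in Python instead of by hand in hexeditor. The signature table covers only jpg, png and gif, and the repair writes the JFIF header (FF D8 FF E0) over the first four bytes; the file path handling is an assumption for illustration.

```python
import os

# Leading bytes (magic numbers) per extension, taken from the public file-signature list.
SIGNATURES = {
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
}
JFIF_HEADER = b"\xff\xd8\xff\xe0"   # SOI marker followed by the APP0 (JFIF) marker


def check_signature(data: bytes, ext: str):
    """Return (ok, expected): ok is True/False, or None when the extension is unknown."""
    expected = SIGNATURES.get(ext.lower().lstrip("."))
    if expected is None:
        return None, []
    return any(data.startswith(sig) for sig in expected), expected


def repair_jpeg_header(data: bytes) -> bytes:
    """Overwrite the first four bytes with a JFIF header (what we did by hand in hexeditor)."""
    if len(data) < 4:
        raise ValueError("file too short to be a JPEG")
    return JFIF_HEADER + data[4:]


def repair_file(path: str) -> bool:
    """Repair a .jpg/.jpeg whose header is wrong, in place; returns True if it was changed."""
    ext = os.path.splitext(path)[1]
    if ext.lower() not in (".jpg", ".jpeg"):
        return False
    with open(path, "rb") as f:
        data = f.read()
    ok, _ = check_signature(data, ext)
    if ok:
        return False                         # header already matches: leave it alone
    with open(path, "wb") as f:
        f.write(repair_jpeg_header(data))
    return True


if __name__ == "__main__":
    import sys
    print("repaired" if repair_file(sys.argv[1]) else "unchanged", sys.argv[1])
```

Run it as `python3 fixsig.py thm.jpg`; the `file` command should then report a JPEG image.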

thm.jpg

We are provided with a hidden directory.

Navigate to http://<TARGET_IP>/<hidden directory>

Let’s look at the source code.

There is a comment telling us that a specific number between 0 and 99 will be accepted as correct by the page, and upon entering the correct key we will be given the information needed to move on to the next steps.

Burp Suite will take care of this problem pretty easily, as we can use Intruder to brute-force the URL parameter with a numbers payload list from 0–100.
First we have to point the browser at the Burp proxy. Let’s do that.

Install FoxyProxy Add-on.

Click on Options.

Click on Add.

Configure Burp proxy on IP=127.0.0.1 and port=8080.

Turn on Burp proxy.

In Burpsuite make sure the intercept is on, refresh the hidden directory page [F5] and burp will capture the request.

In Intruder option under Positions tab make sure the parameter we want to brute-force is between § characters.

In Intruder option under Payloads tab we can select the Numbers Payload Type from the drop-down and set the options for the payload to range from 0 to 99 and 1 step meaning use each number one-by-one.

Start the attack and wait for it to finish.

Click on Length to sort in descending order and we will see that one number has the largest response length. The larger the length, the higher the chance that this is the correct number that the page validates.

Number 73 is the number of interest for us, therefore we will use it as the secret number in the URL with the parameter ‘secret’.

Great!! We have got it right. Let’s decode this hash. WAIT. You may have thought too that it’s a hash. No, it isn’t. It’s a passphrase which we will use to extract hidden files/information in the ‘thm.jpg’ file using steganography tools.

My go-to steg tool is steghide. If you haven’t installed it, go ahead and install it on your machine.

We will use the passphrase to extract information from the ‘thm.jpg’.

Awesome!! It contains a username and confirms that there is a password.

The username is short yet rotated, which clearly indicates to me that it is ROT13 encoded. We want to decode it. My go-to for decoding and cracking hashes is CyberChef. It works flawlessly and like a charm.

CyberChef, the Cyber Swiss Army Knife: a web app for encryption, encoding, compression and data analysis (gchq.github.io)

Decoded the username: XXXXX
We have obtained the username and now we need the password.
If you remember, the Madness CTF main page (https://tryhackme.com/room/madness) gives a clear instruction that the challenge does not require SSH brute-forcing.

But notice the picture above. MADNESS WE’RE ALL MAD HERE. It was put there for a purpose. Maybe this image contains something in it, Let’s find that out. Download the image.

We can use steghide to extract information from the file.

steghide info <FILE>

steghide extract -sf <FILE>

Superb!! We got a password.txt file. It will contain the password.

Oh, I see why they instructed us not to brute-force SSH. Surely the wordlists couldn’t crack it. And off we go to gain an SSH shell with the credentials.

Let’s do SSH.

We are in. Let’s capture the user flag.

Submit it. Nicely done. Now what next. Yes you thought it right.
We have to escalate privileges and become root. My go-to for automated enumeration of potential attack vectors on the box is ‘LinPEAS’, genuinely a brilliant script.

carlospolop/privilege-escalation-awesome-scripts-suite: PEASS, Privilege Escalation Awesome Scripts SUITE (github.com)

Using Python we can start a simple HTTP server, by default on port 8000, but you can specify any port you want.

On the target machine ‘wget’ the linpeas script and make it executable using ‘chmod +x linpeas.sh’ and execute it.

You can also save the output by piping the command to tee <OUTPUT_FILE>.

The best part of this script is that anything highlighted in RED&YELLOW has a 99 percent chance of being an attack vector that could escalate privileges. The attack vector here is a binary owned by root with the ‘s’ (setuid) permission, meaning it runs with root’s privileges.
My go-to for finding exploitable binaries is GTFOBins (gtfobins.github.io), a curated list of Unix binaries that can be used to bypass local security restrictions.
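An added defensive example, not from the writeup: a small audit that lists setuid-root binaries and reports those missing from an expected baseline, which is the same finding LinPEAS highlights here. The BASELINE set is a constructed placeholder; on a real host it comes from a known-good build of the same image.

```python
import os
import stat

# Constructed placeholder baseline; keep the real one under version control.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/usr/bin/newgrp"}


def is_setuid_for(mode: int, uid: int, owner_uid: int = 0) -> bool:
    """True for a regular file with the setuid bit set and owned by owner_uid (root)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == owner_uid


def find_setuid(roots, owner_uid: int = 0):
    """Walk each root without following symlinks; collect setuid files owned by owner_uid."""
    found = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)          # lstat: do not follow symlinks
                except OSError:
                    continue                     # unreadable or vanished: skip it
                if is_setuid_for(st.st_mode, st.st_uid, owner_uid):
                    found.append(path)
    return sorted(found)


def audit_setuid(roots, baseline=BASELINE, owner_uid: int = 0):
    """Return setuid-root files that are not in the baseline (the LinPEAS-style finding)."""
    return [p for p in find_setuid(roots, owner_uid) if p not in baseline]


if __name__ == "__main__":
    for path in audit_setuid(["/usr", "/bin", "/sbin"]):
        print("unexpected setuid-root binary:", path)
```

On the box in this room, a build of screen installed outside the baseline would show up in this list.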

The GTFOBins commands somehow will not work in this shell and won’t escalate privileges: we do have an SSH shell, but we don’t have the password for the user we are logged in as, so any command using sudo won’t execute.

We can look for an exploit for ‘screen-4.5.0’, and yes, we have one. Link below for the exploit. I will ‘wget’ the exploit onto my machine.

Offensive Security’s Exploit Database Archive: GNU Screen 4.5.0, Local Privilege Escalation, local exploit for the Linux platform (www.exploit-db.com)

We will analyse the script.

We need to execute the script inside the /tmp directory for it to work properly and escalate privileges.

Copy the script.

Use nano and create ‘exploit.sh’ file.

Paste

Save it [Ctrl+O] and exit [Ctrl+X]

Make it executable.

And watch the magic.

Confirm that we are root.

Indeed we are. Magnificent.

Let’s capture the root flag and give this madness a happy ending.

Voila.
Submit it. We have successfully rooted the box. I had a lot of fun rooting it, and I hope you have fun reading through it.

If you liked the writeup and it has helped you in any way, let me know in the comments or share the love with claps.

Written by Nihir Zala

Hi there, I'm Nihir Zala, a Laravel developer from Gujarat, India, with over 2.5 years of professional experience. I am also learning pentesting from THM and HTB.
