Madness
https://tryhackme.com/room/madness
Nmap
The default page for http://<IP> resolves to the Apache2 Ubuntu page.
Looking at the page source code we find something of interest.
We can then use Curl
to download the JPG file.
From here we have no luck opening the file as a standard JPG file. I uploaded the file to an online hex editor to further inspect.
The hex editor shows that the header information for the file is actually set to PNG rather than JPEG.
Using the following information linked here: https://www.file-recovery.com/jpg-signature-format.htm.
We are able to replicate the correct header for the first line in order to set the correct header for the data type.
After doing so the image can be exported and viewed correctly.
The image presents the directory /th1s_1s_h1dd3n
.
Viewing the page source reveals the commented line:
After some poking about I found that the main index page is PHP. Along with this and no obvious method for inputting the secret mentioned above its probable that the /th1s_1s_h1dd3n
directory will take a PHP
parameter for input.
After some testing I found the following URL to be a valid parameter:
I then used fuff
to automate this.
Where the number 73 appears to be the correct input.
This password can be used with steghide
to then extract secret information from the thm.jpg
(with the correct JPEG header).
From the extracted data we find we are given an encoded username. Using Cyberchef: https://gchq.github.io/CyberChef/#recipe=ROT13(true,true,false,13) and with the hint from the room ROT13 can be used to decode the real username value.
Unfortunately this part of the room had to be looked up. This is because the password information required to proceed is hidden in the image on the room page.
We do not need a password to extract at least...
We now have all the information required to proceed with a SSH login as the user joker.
Through the standard enumeration checks we find SETUID
is set on a non standard binary screen-4.5.0.
A simple Google search for this binary shows various exploits. Of which the most simple is shown below.
Original vulnerability report: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
Github PoC: https://github.com/XiphosResearch/exploits/blob/master/screen2root/screenroot.sh
Create a bash file with nano
and paste the code above in the file. Then execute with bash
. This will give us a root shell.
Last updated