Madness - TryHackMe writeup!




Running nmap: $IP
As we can see, we have two open ports, "22" and "80"; port 80 is running an
Apache web server. Go to the home page.


Apache home page
We are now on the Apache2 Ubuntu default page. View the source code of the
website to check whether there is a hidden message in a comment. When we check
the source code we notice a message in a comment line.

In the censored part there is an image and a message. Download the image.

Fixing image structure: hex editor.
The image does not open because its header is damaged. We should change the
first bytes of the file so that the first three lines of the hex dump look
like this. Try to open your image again and cool! Now you can see a message in
the image: the hidden directory. So go and check whether there are files
embedded in the image too, go go go.
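The header repair above is done by hand in a hex editor. As an added example (not code from the original writeup), here is a small Python check for the same thing: it verifies the SOI and APP0 magic bytes of a JFIF file and restores them when the "JFIF\0" identifier at offset 6 shows that only the leading bytes were overwritten. The byte values come from the JPEG/JFIF format; the sample file below is constructed.

```python
"""Check and repair the leading bytes of a JFIF file.

Added example for this writeup, not code from the original post.
A baseline JPEG begins with the SOI marker FF D8 followed by the APP0
marker FF E0, a two-byte segment length and the ASCII identifier
"JFIF\\0". If only the first bytes were damaged, the identifier at
offset 6 is still present and tells us what the original prefix was.
"""

SOI = b"\xff\xd8"          # Start Of Image marker
APP0 = b"\xff\xe0"         # JFIF application segment marker
JFIF_ID = b"JFIF\x00"      # identifier that follows the APP0 length field
EXPECTED_PREFIX = SOI + APP0


def has_valid_jfif_header(data: bytes) -> bool:
    """True if the file starts with SOI + APP0 and carries the JFIF identifier."""
    return data[:4] == EXPECTED_PREFIX and data[6:11] == JFIF_ID


def repair_jfif_header(data: bytes) -> bytes:
    """Restore SOI + APP0 when the JFIF identifier shows the segment is intact.

    Raises ValueError if the identifier is missing, because then the first
    bytes cannot be reconstructed from the file alone.
    """
    if has_valid_jfif_header(data):
        return data
    if data[6:11] != JFIF_ID:
        raise ValueError("no JFIF identifier at offset 6; not a simple header corruption")
    return EXPECTED_PREFIX + data[4:]


def describe_header(data: bytes) -> str:
    """Hex dump of the first 16 bytes, the way a hex editor shows them."""
    return " ".join(f"{b:02x}" for b in data[:16])


if __name__ == "__main__":
    # Constructed sample: a JFIF header whose first four bytes were zeroed.
    damaged = (b"\x00\x00\x00\x00" + b"\x00\x10" + JFIF_ID
               + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    print("before:", describe_header(damaged))
    fixed = repair_jfif_header(damaged)
    print("after: ", describe_header(fixed))
    print("valid:", has_valid_jfif_header(fixed))
```

Run it against a real file with `repair_jfif_header(open(path, "rb").read())`; the ValueError path is there so that a file with no JFIF identifier is not silently turned into a bogus JPEG.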

Hidden directory and passphrase:
We now have the hidden directory, and in its source code there is another
message in a comment, so go there!

The only comment line says "It's between 0-99 but I don't think anyone will
look here!", so we have to search for the secret using the URL pattern
"http://ip/hidden_directory/?secret={number}". We should check each number
between "0" and "99", so go there.

Found secret.
With this script we'll find the correct number for the secret, so run it with
"python3". Right, we have the secret number; now go to the page and enter the
number we've found.

Secret found.
We've found the secret word and we'll use it to extract data from the image
file. Go and extract the data.


Extract data from image file.
There is a hidden file inside the "thm.jpg" image we downloaded, so extract it
with the following command: "steghide extract -sf {image file}". Open the
hidden file and we'll see the username for the SSH service, but the username
is encoded in rot13, so we decode it. Now we have the username but not the
password. On the TryHackMe machine's profile we saw one image which we should
download and extract data from again with "steghide"; the passphrase is empty,
so just press Enter and you get it.


User flag.

We have the user flag, congratulations! See the user flag now.

Privilege escalation.
In the first image we can see that we used the command "find / -perm -4000
-exec ls -ldb {} \; 2>/dev/null" to list the SUID programs, which run with
their owner's (root's) privileges. We can see that we have a program called
"screen 4.5.0", and if we search Google for a privilege escalation exploit for
it we find one. So copy the source code of the exploit and create a bash file
with the "sh" extension, save it, run "chmod +x {exploit-name}" and then run
the exploit. It should give you a shell as root. Congrats! Now you're root on
the machine; go to the root directory to get the root flag.
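The find command above is what an attacker runs to enumerate SUID binaries; the same enumeration is how a defender finds an outdated or unexpected SUID binary like this screen 4.5.0 before anyone else does. As an added example (not code from the original writeup), here is the check done from Python against a baseline list: the baseline names and the sample entries are constructed, not a distribution's real list.

```python
"""Audit SUID binaries against an allowlist.

Added example for this writeup, not code from the original post. It lists
every regular file with the set-user-ID bit, like the find command in the
text, and reports those whose name is not on a reviewed baseline. A
mismatch is the cue to check the binary's version and whether it should
carry the bit at all. The baseline below is a constructed example.
"""
import os
import stat
from typing import Iterable, List, Tuple

# Constructed baseline: basenames a defender has reviewed and accepted.
BASELINE = {"passwd", "sudo", "su", "mount", "umount"}


def is_suid(mode: int) -> bool:
    """True for regular files carrying the set-user-ID bit."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def unexpected_suid(entries: Iterable[Tuple[str, int]], baseline=BASELINE) -> List[str]:
    """Return sorted paths of SUID files whose basename is not in the baseline.

    entries are (path, st_mode) pairs, so the logic can be exercised on
    constructed data without touching the real filesystem.
    """
    return sorted(
        path for path, mode in entries
        if is_suid(mode) and os.path.basename(path) not in baseline
    )


def scan_tree(root: str) -> List[Tuple[str, int]]:
    """Collect (path, st_mode) for every file under root, skipping unreadable entries."""
    found = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                found.append((path, os.lstat(path).st_mode))
            except OSError:
                continue
    return found


if __name__ == "__main__":
    # Constructed sample instead of a live scan; use scan_tree("/usr") on a real host.
    sample = [
        ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755),
        ("/usr/bin/screen-4.5.0", stat.S_IFREG | stat.S_ISUID | 0o755),  # constructed path
        ("/usr/bin/ls", stat.S_IFREG | 0o755),
    ]
    for path in unexpected_suid(sample):
        print("unexpected SUID binary:", path)
```

Directories with the SUID bit are ignored on purpose (only regular files matter for this check), and `os.lstat` is used so a symlink is judged by its own mode rather than its target's.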

As always, thank you for reading this writeup. Follow me on Twitter.

