Madness Walkthrough https://tryhackme.com/room/madness

Ok, so let's get started with a simple nmap scan.

nmap -sC -sV -oN <file_name> <ip_address>

We have the standard ports 80 and 22 for HTTP and SSH. So let's first inspect the Apache server.

We find a 'thm.jpg'… Let's download it.

Ahhh! After seeing this I guessed what's wrong with the image… The image has a misconfigured header; after fixing that we get a hidden directory.
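To make the header check concrete, here is an added Python example (not from the walkthrough) that identifies a file by its leading bytes rather than its extension and restores the JPEG SOI/APP0 markers when the JFIF identifier at offset 6 is still intact; the sample bytes are constructed, not the room's thm.jpg.

```python
"""Check whether a file that claims to be a JPEG really starts with the JPEG
signature, and write a repaired copy of the header if it does not.
Added example; the sample bytes below are constructed, not thm.jpg."""
from pathlib import Path

JPEG_SOI = b"\xff\xd8\xff"        # Start-Of-Image marker every JPEG begins with
JFIF_SIG = b"JFIF\x00"            # APP0 identifier at offset 6 in JFIF files
PNG_SIG = b"\x89PNG\r\n\x1a\n"    # PNG signature, for comparison


def identify(data: bytes) -> str:
    """Return the file type implied by the magic bytes, not the extension."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if data.startswith(PNG_SIG):
        return "png"
    return "unknown"


def repair_jpeg_header(data: bytes) -> bytes:
    """If the 'JFIF' identifier is intact but the SOI/APP0 marker bytes were
    overwritten, restore them; otherwise return the data unchanged."""
    if identify(data) == "jpeg":
        return data
    if data[6:11] == JFIF_SIG:
        # bytes 0-1: SOI (FF D8); bytes 2-3: APP0 marker (FF E0); 4-5: length
        return b"\xff\xd8\xff\xe0" + data[4:]
    return data


def check_file(path: str) -> dict:
    """Report extension versus magic-byte type for a file on disk."""
    p = Path(path)
    kind = identify(p.read_bytes())
    return {"path": str(p), "ext": p.suffix.lower(), "magic": kind,
            "mismatch": kind != "jpeg"}


# Constructed sample: a JFIF header whose first four bytes were zeroed out.
CORRUPT = b"\x00\x00\x00\x00\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"

if __name__ == "__main__":
    print(identify(CORRUPT))                      # unknown
    print(identify(repair_jpeg_header(CORRUPT)))  # jpeg
```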

Let's have a look at the hidden directory…

So it says wrong secret!!!! Let's try with secret=1.

http://<ip_addr>/<hidden_dir>/?secret=1

It works!!!

Peeking into the source code we find the secret is a number between 0 and 99. So we have to brute-force the 'secret' parameter.

As usual I brute-forced it using Burp Suite.

We find one response with a different length from the rest…. That is likely the correct secret.

Huh! Brute-force successful…

Now we have a password. But we don't know what this password is for…… At this point I was not so sure what to do next. Since this is a steganography-based box I tried to decipher the "thm.jpg" image.

A ciphertext username….. Decoding it with ROT13 we get the actual username. At this point we have a password and a username, so I tried to SSH in with these credentials, which failed….

Honestly, at this point I got stuck for too long, and I ended up deciphering the image on the TryHackMe Madness room page.

Deciphering this image we get another password.

I tried to SSH in….

Hmm…. We got the "user.txt" flag…..

Privilege escalation

Hmmm…

From my previous experience, I investigated all the binaries with the SUID bit set using:

find / -type f -perm -4000 2>/dev/null

I noticed a screen-4.5.0 binary…. Suspicious.

After googling "screen 4.5.0 exploit", I found a valid exploit. I downloaded it into the /tmp directory and ran it.

I got root….

Traversing into the /root directory I got the "root.txt" flag…