Try Hack Me — Team box writeup
Let's start by pinging the target to check whether it's alive.
ping 10.10.76.20
Let's run an nmap scan to see which services are running on which ports.
nmap -PN -A 10.10.208.133 -T4
So we see three main services: HTTP, SSH and FTP.
The problem is that we cannot SSH into the system without knowing a username and password, and anonymous login is disabled on the FTP service.
Since we detected an HTTP service on port 80, let's visit the page and open the page source.
The page source instructs the visitor to add team.thm to the hosts file on their system.
Adding team.thm to the hosts file:
sudo nano /etc/hosts
Let's visit team.thm and see its content.
Since there is nothing useful on the website or in its page source, let's try to find subdomains for it using wfuzz:
wfuzz -c -f sub-fighter -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://team.thm' -H "Host: FUZZ.team.thm"
So we found two subdomains, www.team.thm and dev.team.thm.
You will have to add both to the hosts file again to access them. www.team.thm has nothing new on it.
sudo nano /etc/hosts
Upon visiting dev.team.thm we are redirected to a new page. Looking closely at the URL of that page, it has a parameter named page that serves a file called teamshare.php directly from the system the website is hosted on, so we can try accessing other files instead of teamshare.php.
We can access the /etc/passwd file this way, hence LFI is possible here. Let's try to read the SSH configuration, since the SSH service is open on port 22.
The RSA key (id_rsa) is located in /etc/ssh/sshd_config.
Copy this RSA key into a file on your system, and remove the # symbol at the start of each line to make the key valid and usable.
Then use the key to log in over SSH to the target machine and find the user flag.
Now, to find the root flag we need root privileges, so let's try to find a way to gain root access, starting with the command:
sudo -l
The sudo -l command is like asking, "Hey, what can I do with my administrator key?" It shows you a list of commands you're allowed to run with that key, which helps you understand what powerful actions you can perform on the computer.
So, in simple terms, sudo -l is a way to check what special things you're allowed to do on a computer with administrator powers.
The results show that the user gyles can run admin_checks with root privileges.
Let's cat the admin_checks script and see what it contains.
Looking at the script, it seems we can abuse the error command within it. To do so, we have to craft a payload that executes /bin/bash as the gyles user. Run the following commands:
run admin_checks as user gyles, and give the following parameters to the script to get a shell as gyles.
Now we have a shell as the gyles user. Looking at the user's home directory, we see that the author left the .bash_history file behind, meaning we can trace what the author did while creating the box.
Looking through the file, we see a file in /usr/local/share called main_backup.sh being edited.
cat .bash_history
We also see some mention of crontabs, meaning there might be a cron job running.
Looking at the file's permissions, we see that it is only writable by root and by members of the admin group, and the gyles user is in the admin group, as seen in the screenshot below, meaning we can modify the file's contents.
This can also be confirmed by roaming around the directories a bit: you will find a reference to this cron job in the /opt/admin_stuff directory as well.
Inside /opt/admin_stuff we have a script by the name of script.sh, and this script also shows the location of the main_backup.sh script.
Looking at the file in the vim text editor, we see that it's a bash script that copies some backups. I decided to edit the file and add a reverse shell, since I knew there was a cron job executing it.
Next, I set up a netcat listener on my Kali machine.
BOOM! We got a root shell and the root flag.
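From the defender's side, the root cause here is a script run by root's cron that a non-root group could edit. The check below is an added example, not code from the writeup: it parses a system crontab and flags every referenced program that an account other than the run-as user could modify. The paths, the "admin" group name and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example, not from the writeup: audit scripts a system crontab runs
# for the weakness used here, where root's cron executed main_backup.sh and
# that file was writable by the "admin" group. Paths are assumptions.

# classify_perms MODE OWNER GROUP RUNAS: MODE is the octal mode GNU stat
# prints (664, 2775), RUNAS the account the cron entry runs as. Returns 1
# when any other account could modify the file, 0 when only RUNAS can.
classify_perms() {
    mode=$1; owner=$2; group=$3; runas=$4
    perms=$(printf '%s' "$mode" | tail -c 3)   # drop setuid/setgid/sticky digit
    g=$(printf '%s' "$perms" | cut -c2)        # group permission digit
    o=$(printf '%s' "$perms" | cut -c3)        # other permission digit
    if [ $((o & 2)) -ne 0 ]; then
        echo "WORLD-WRITABLE mode=$mode owner=$owner group=$group"; return 1
    fi
    # heuristic: a group named after RUNAS (root:root) is treated as private to it
    if [ $((g & 2)) -ne 0 ] && [ "$group" != "$runas" ]; then
        echo "GROUP-WRITABLE mode=$mode group=$group: members of '$group' can change what $runas runs"; return 1
    fi
    if [ "$owner" != "$runas" ]; then
        echo "FOREIGN-OWNER mode=$mode owner=$owner: '$owner' can change what $runas runs"; return 1
    fi
    echo "OK mode=$mode owner=$owner group=$group"; return 0
}

# cron_command_path LINE: for a system-crontab line (min hour dom mon dow
# user command ...) prints "user program"; fails for comments, blanks,
# VAR=value lines and @reboot-style entries.
cron_command_path() {
    case $1 in ''|\#*) return 1 ;; esac
    printf '%s\n' "$1" | {
        read -r min hour dom mon dow user cmd _rest || return 1
        case $min in *=*) return 1 ;; esac
        [ -n "$cmd" ] || return 1
        printf '%s %s\n' "$user" "$cmd"
    }
}

# audit_crontab FILE (e.g. /etc/crontab or a file in /etc/cron.d):
# checks every referenced program; returns 1 if any is at risk.
audit_crontab() {
    file=$1; rc=0
    while IFS= read -r line; do
        pair=$(cron_command_path "$line") || continue
        runas=${pair%% *}; path=${pair#* }
        if [ ! -e "$path" ]; then echo "MISSING $path (from $file)"; rc=1; continue; fi
        classify_perms "$(stat -c '%a' "$path")" "$(stat -c '%U' "$path")" "$(stat -c '%G' "$path")" "$runas" || rc=1
    done < "$file"
    return $rc
}
```

Run it as `audit_crontab /etc/crontab` (and over each file in /etc/cron.d); a GROUP-WRITABLE verdict for a root entry is exactly the main_backup.sh situation in this box.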
clap 👏 this writeup and leave a comment ✍️ , Thank you