TryHackMe write-up: Revenge

m0ndzon3
4 min read, Jun 18, 2021

Introduction

This is my write-up for TryHackMe's Revenge room. As the note shows, this room is actually a continuation of another room, Blog. My write-up for that one is TryHackMe write-up: Blog.

After we hacked Billy's website, he tracks us down and sends us the following note.

Enumeration

Using nmap, I saw that this box has 2 ports open.

Checking port 80, we see that it is hosting the company’s website:

I wanted to check the products page, so I looked at the first product they were selling.

Interestingly, the product id is part of the URL; in this case it is http://10.10.151.163/products/1. I then checked what would happen if I typed in a non-existent product id, say 999:

The website seems to be vulnerable to SQL injection. To test that, I ran sqlmap using the following command:

sqlmap --current-db -u http://10.10.151.163/products/1

This is what I got after a while:

So I found that the database is named duckyinc.
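The injection point described above, as an added example (my own Python, not the room's application code): a product lookup that pastes the URL's product id straight into the SQL text, beside a hardened version that enforces an integer id and binds it as a parameter. The table and column names and the sample rows are constructed assumptions, not the real duckyinc schema.

```python
import sqlite3

# Constructed sample data standing in for a products table
# (table and column names are assumptions, not the room's real schema).
SAMPLE_ROWS = [
    (1, "Rubber Ducky", 49.99),
    (2, "Bash Bunny", 99.99),
    (3, "LAN Turtle", 59.99),
]


def make_db():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def get_product_vulnerable(conn, product_id):
    """The pattern sqlmap finds: the URL segment is interpolated into the query."""
    query = f"SELECT id, name, price FROM product WHERE id = {product_id}"
    return conn.execute(query).fetchall()


def get_product_safe(conn, product_id):
    """Hardened version: require a plain integer id, then bind it as a parameter."""
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        return None  # anything that is not an integer id is rejected outright
    rows = conn.execute(
        "SELECT id, name, price FROM product WHERE id = ?", (pid,)
    ).fetchall()
    return rows[0] if rows else None  # None for a non-existent id such as 999


if __name__ == "__main__":
    db = make_db()
    print(get_product_vulnerable(db, "1"))          # the single expected row
    print(get_product_vulnerable(db, "1 OR 1=1"))   # tautology returns every row
    print(get_product_safe(db, "1 OR 1=1"))         # rejected: None
    print(get_product_safe(db, "999"))              # unknown id: None, no error leaks
```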

I then ran sqlmap again. This time, I wanted to dump all the data in the duckyinc DB, so I ran the following command:

sqlmap -D duckyinc --dump -u http://10.10.151.163/products/1

Here, I found a table named system_user, which contained usernames, email addresses and password hashes.

Scrolling further down the sqlmap results, I saw another table named user. Looking closer, I saw that there’s a flag under the credit_card column.

I then copied the hashes from both the system_user and user tables and had john try to crack them. After a while, it was able to crack one of the hashes. I then tried to log in over SSH using that password.

Once I logged in, I was able to get the 2nd flag.

Privilege Escalation

Running sudo -l, I found that I could run systemctl and sudoedit commands as root.

However, it turns out that I could only run, restart and edit a single service.

Using sudoedit, I found that I could edit /etc/systemd/system/duckyinc.service. Below is what the .service file looked like after editing.

I changed the user to root to make sure that the service ran as root. I also added the ExecStartPre line. This line creates a reverse shell back to my attacker machine before the gunicorn process is run.

Once the service was restarted, I found a connection to my netcat listener. However, I just couldn’t find the 3rd flag. Looking back at the note and the hint provided in the room, it turns out that I had to deface the website’s front page first. To do so, I simply modified the file index.html found in /var/www/duckyinc/templates. The defaced front page is shown below:

Notice that I only made a slight change to index.html. And yet, when I restarted the service and checked the reverse shell, I found the 3rd flag.

Originally published at https://m0ndzon3.blogspot.com
