IDE

https://tryhackme.com/room/ide

User flag

Let's start with a basic scan.

Now let's go for a more detailed scan of the found ports.

We see there's an FTP service running that allows us to log in as Anonymous. Let's check what's inside.

We found a file named "-". Let's see what the content of the file is.

Apparently John got his password reset, which gives us a hint that we should look for a login portal. The note also says something about an image file, so we can assume that's going to be the vulnerability to exploit.

Let's head to port 62337 and see what's in there.

From the note we found earlier, we know John is the correct username. The note said the password has been changed to the default one. We don't know what the default password is, so we can try to log in using "password" and see if we're lucky.

We got in, that was the password.

Googling around about Codiad 2.8.4, we found a few exploits that allow us to execute code on the victim machine. After taking a look at a few exploits, we decided to use this one:

Download the exploit.py file and run the following command:

python exploit.py [URL] [USERNAME] [PASSWORD] [IP] [PORT] [PLATFORM]

We compromised the victim machine. Now it's time to look for the user flag.

We don't have perms to read the file. Let's take a look around and see if we can pivot to the drac account.

We found a password. Let's su to drac and get the flag.

Root flag

Now that we are drac we can check if we have any sudo permissions.

We can execute /usr/sbin/service vsftpd restart with sudo, so we can try to change vsftpd.service to execute a reverse shell when we restart the service.

Let's edit the file:

If we try to restart the service we get the following error:

Execute "systemctl daemon-reload" as suggested and restart the service.

Nice. We're root.
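The root step above only works because a non-root account could edit a unit file that root later starts. The script below is an added example for the defending side, not part of the original walkthrough: it lists unit files and unit directories that someone other than the expected owner can modify. The function name audit_units and its output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag systemd unit files (and the directories holding them)
# that an account other than the expected owner could modify.
#
# Usage: audit_units DIR [OWNER]   OWNER is a user name or numeric uid (default: root)
# Output, one finding per line:
#   owner <path>            not owned by OWNER
#   group-writable <path>   group write bit is set
#   world-writable <path>   other write bit is set
# Confirm each finding with "ls -l" and "getfacl" before changing anything.
audit_units() {
    dir=$1
    owner=${2:-root}
    # -L follows the symlinks systemd creates for enabled units, so the
    # real file behind each link is what gets checked.
    find -L "$dir" \( -type d -o -name '*.service' \) ! -user "$owner" -print 2>/dev/null |
        sed 's/^/owner /'
    find -L "$dir" \( -type d -o -name '*.service' \) -perm -0020 -print 2>/dev/null |
        sed 's/^/group-writable /'
    find -L "$dir" \( -type d -o -name '*.service' \) -perm -0002 -print 2>/dev/null |
        sed 's/^/world-writable /'
}

# Check the two standard unit locations when they exist on this host.
for unit_dir in /etc/systemd/system /lib/systemd/system; do
    if [ -d "$unit_dir" ]; then
        audit_units "$unit_dir"
    fi
done
```

Any finding for a service that also appears in a sudoers rule, such as the vsftpd restart rule here, means the account named in that rule can run commands as root.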
