TryHackMe - Madness

11-28-2021 Written by: ott3r

This is listed as as easy room (a very tricky easy room) and can be located here:

The goal here is to find two flags, one user and one root. No other questions.

First an nmap scan to see what we are working with.

└──╼ $sudo nmap -sV -O
[sudo] password for user: 
Starting Nmap 7.92 
( ) at 2021-11-28 20:37 GMT
Nmap scan report for
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (reset)
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

Two ports 22 and 80. Since we don't have any clues about the ssh, I headed over to the website first. 

I tried gobuster to enumerate different paths, but didn't find anything. One odd thing to note is the errored image at the top. Let's save and see what's going on.

└──╼ $ wget

Trying to open this file leads to error. Checking image header we see this is a PNG not a JPG as the filename indicates. 

Using hexedit we can change this. 

└──╼ $hexedit thm.jpg 

Change the first row:

00000000   FF D8 FF E0  00 10 4A 46  49 46 00 01

Now open again and we have a secret link!

It looks like we can append the secret ID to the URL. We'll need to go through secrets 1-99. I used Burpsuite Intruder and created a number list with a python loop. Search through the results for a larger size and then navigate to the correct ID. Once there a secret phrase will be revealed. Save this for later. 

At this point I was a little lost. It seemed everything had been accounted for, but we still had nothing. We had to manipulate the image to get it to open, maybe there is something else there. 

Using steghide we can look for anything hidden in the image. This will require a password. Recall we have something that might work. 

└──╼ $steghide extract -sf thm.jpg 
Enter passphrase: 
wrote extracted data to "hidden.txt".

Looking at the hidden.txt file we have yet another code of some sort. If not recognized (the hint gives this away) this is encoded using ROT13. head over to your favorite decoding site and decode this 

And with that we have a username! But we still can't log in without a password. This next part I wouldn't have figured out and had to use google. The password is hidden in the rooms header image (which also appears at the top of this post).

Use the same process as we used on the other image. What is the password here? Might be nothing...only one way to find out. 

Huzzah (sorry just finished watching the Great, excellent show by the way)! We now have a password!

Jump over to ssh and login with our new user and password. Simple enough, grab the first flag in the user's directory. 

Now for the root flag. 

I couldn't find anything in crontab or sudo permissions. Checking if anything has SUID set, we find a few things. 

joker@ubuntu:~$ find /bin -perm -4000
joker@ubuntu:~$ sudo screen

I went with the screen option as it seemed to stand out more. A quick search later and I had a python script we can run (located here:

Make the script executable, then run it. You might encounter some errors, but don't worry, once done you'll be pleased to see the root prompt. 

The last flag may or may not be hanging out in root's home directory. 

That's it for this one. Thanks for reading and happy hacking!