The Cyber crime investigation unit in the Danish Police posted an interesting tweet the other day:
It turns out that the boot2root box was on TryHackMe, which I have mentioned earlier. I am back to work at full speed but put in a few minutes during a break to see if it was possible to do – it turned out that the first flag was found within a few minutes, so I decided to spend a few more breaks on it the next day.
The initial web challenge was pretty standard. Can’t spoil too much, but there is nothing you would not be able to find in any of the other web-related rooms at THM.
With the normal tools from Kali Linux, you should be able to get the first 3-4 flags pretty fast.
Tools to consider:
- nmap
- gobuster
- sqlmap
- burp suite
- EditThisCookie browser extension (spoiling a bit here)
- CyberChef (mostly just base64 so cmdline tool is fine too)
After identifying a way to get RCE (Remote Code Execution) on the box, it was pretty easy to get a shell as www-data (the user running the webserver).
So the next step (after stabilizing the shell with the usual python3 -c "import pty;pty.spawn('/bin/bash')") was to get a real user – in this case "guru". It takes a bit of searching to actually find this, unless you look at what processes pop up from time to time in the background (hint! hint!).
If you have ever done a boot2root on THM/HTB, then you should easily be able to get a reverse shell as Guru from here.
At this point I got a bit stuck because it seemed like guru actually did not have any interesting files etc. to work with. I did find a hidden file (hint! hint!) that led me to an idea.
Grepping for places mentioning this file in relevant parts of the file system gave me the info I needed. Now I just needed to figure out how to utilize that, and then I was root and had passed the room.
Turns out I was actually the first person from Denmark to finish this room (my Brazilian acquaintance Cyberaguiar beat me at the finish line).
Along the way, there are small hidden messages with pep talks about applying for the job. The job is however in Copenhagen and I live in Aalborg (with no plans to move any time soon), so that part was not so relevant for me.
The box was a few hours of fun nonetheless, so thanks to NC3 for setting up this small happening.
PS: the box is rated as “hard”, but I would probably rate it at easy-medium compared to other hard boxes at THM.