TryHackMe: Jeff — Writeup


Port scanning

I started with a simple nmap TCP port scan, and from the output we can see that there’s nothing beyond the usual.

Web server enumeration & vhost discovery

The web server’s main page appears to be completely empty, but viewing its source code, we see a hint.

Cracking encrypted backup zip file

We can download the backup file at /backups/backup.zip, but cannot unzip it because it’s encrypted.

WordPress exploitation & initial shell

Using the previously found password, we’re able to log in as “jeff” at wordpress.jeff.thm/wp-login.php.

Docker container breakout

Whoa, we received a reverse shell connection, but sadly we’re in a Docker container. We can confirm that in many ways, but the most common is the presence of the file /.dockerenv.

Exploitation process

1. Enumerating - FTP Server

Horizontal privilege escalation

There are two valid users with home directories on the machine, jeff and backupmgr (us). Searching for files owned by jeff, we find a binary and a backup file that are owned by jeff and readable only by him and the group ‘pwman’.

Exploitation

Vertical privilege escalation

As we have jeff’s password, we can check whether he is allowed to run anything as another user, such as root, by running $ sudo -l

Conclusion

Very cool machine, which covered a bunch of interesting topics and took me a lot of time to complete, really testing my ‘tryhard’ mentality. I hope you enjoyed my explanation, and I really recommend you go check out this room on TryHackMe!
