TryHackMe-Madness

badboy_17
Oct 5, 2021

We’re all mad here. To solve this room you actually have to think like MAD 😆

Jokes Apart.

Hello, this is badboy_17 with a new room writeup: “Madness” from TryHackMe.

You can find me on TryHackMe here.

Let’s Start. Fire up your Kali (or any OS you work with) & Start the room.


Nmap shows just two ports open.

nmap result

Let’s hunt on the web page running on port 80. It is a default Apache page, and there was nothing interesting on it. In the source code, though, we got something that leads us forward.

thm.jpg

Browsing the link, we got no image.

However, we can download it with wget for further checking.

downloading thm.jpg

Let’s check the file with the “file” and “pngcheck” commands.

checking the file

Here we found an error saying “invalid chunk name”.

Checking the hex code of the file further, we saw that the file signature doesn’t match.

I got the file signature list from here:

https://en.wikipedia.org/wiki/List_of_file_signatures

I checked the hex code with hexeditor, which is built into Kali.

hexcode of thm.jpg

But the default file signature looks like the image below.

File Signature of jpg file

Just edit the hex code using hexeditor. Save it by pressing Ctrl+X and then Enter.

Then we can see the jpg image.
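The same signature check and in-place header fix can be scripted. This is an added example, not the author's script: the sample bytes are constructed (a JPEG-shaped blob whose first 12 bytes were swapped for a PNG signature, which is an assumption about the kind of damage), and the function names are made up for illustration.

```python
# Added example: sample bytes below are constructed, not the room's thm.jpg.
SIGNATURES = {
    "jpg": [bytes.fromhex("FFD8FF")],
    "png": [bytes.fromhex("89504E470D0A1A0A")],
    "gif": [b"GIF87a", b"GIF89a"],
}
EXT_ALIASES = {"jpeg": "jpg"}
# First 12 bytes of a JFIF file: SOI, APP0 marker, length 16, "JFIF\0", major version 1
JFIF_HEADER = bytes.fromhex("FFD8FFE000104A4649460001")


def detect_type(data):
    """Return the type whose magic bytes start the data, or None."""
    for name, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return name
    return None


def audit(filename, data):
    """Compare the type claimed by the extension with the one in the header."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_ALIASES.get(ext, ext)
    detected = detect_type(data)
    return {
        "claimed": claimed,
        "detected": detected,
        "mismatch": claimed != detected,
        # A JPEG stream normally ends with the EOI marker FF D9
        "jpeg_trailer": data.endswith(b"\xff\xd9"),
    }


def patch_jfif_header(data):
    """Overwrite the leading bytes in place (same length), as a hex editor would."""
    if len(data) < len(JFIF_HEADER):
        raise ValueError("file too short to hold a JFIF header")
    return JFIF_HEADER + data[len(JFIF_HEADER):]


def constructed_sample():
    """Build a JPEG-shaped blob and a copy whose header was swapped for PNG magic."""
    original = JFIF_HEADER + bytes.fromhex("0100000100010000") + b"\x00" * 32 + b"\xff\xd9"
    damaged = bytes.fromhex("89504E470D0A1A0A00000001") + original[12:]
    return original, damaged


if __name__ == "__main__":
    original, damaged = constructed_sample()
    print(audit("thm.jpg", damaged))
    fixed = patch_jfif_header(damaged)
    print(audit("thm.jpg", fixed), fixed == original)
```

A header that says one type while the trailer says another, as in the first audit result, is the cue to open the file in a hex editor before trusting any image tool's error message.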

hidden directory

After browsing the directory I found this page.

/th1s_1s_h1dd3n

Checking the source code, I got a clue.

Source Code

It says that there is some secret, but we have to click on the right path.

For this, let’s make a simple Python script.

Save it as anything.py.

Running the script, I got this result at 73.

The Result

This looks like a password. So where can we use it? There is one thing left that we didn’t use: the image. Using steghide with this password, we got a txt file.

So we got a username, but it doesn’t look like a normal username. After reading the hint we got a clue. It said:

There’s something ROTten about this guys name!

ROT! It may be ROT13.

Username: joker

The username is joker. Now it looks normal.

Now SSH into the server with the password we got.

But it’s not working. Looks like a dead end.

At this point I literally gave up. Nowhere to go, no hint.
I was going to read a writeup.

But there was an image which we didn’t notice. But c’mon bro, who is going to look up that image?

Running steghide on this image, we got a password.txt file.

password.txt

We got user.txt after hopping onto the server with SSH.

The user Joker has no sudo privileges.

After enumerating with linpeas and other things, I found some interesting programs owned by root with the SUID bit set.

I got an exploit for screen 4.5.0 on Exploit-DB.

https://www.exploit-db.com/exploits/41154

So the final task is super easy. Just copy it, save it as a something.sh file & run it.

You should get a root shell.

root.txt

At last, we become the root Joker 😆

Let’s hope to see you again with some juicy stuff.

Until then, this is badboy_17 & I really do thank you for joining me. ♥️


Hello, this is badboy_17, a medical student with a passion for the cyber world.