
CyberCrafted

TryHackMe Linux Medium

Enumeration

nmap -sVC 10.10.114.176 -oA nmap/nmap            
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-11 00:41 +0545
Nmap scan report for 10.10.114.176 (10.10.114.176)
Host is up (0.17s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE    SERVICE   VERSION
22/tcp   open     ssh       OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 37:36:ce:b9:ac:72:8a:d7:a6:b7:8e:45:d0:ce:3c:00 (RSA)
|   256 e9:e7:33:8a:77:28:2c:d4:8c:6d:8a:2c:e7:88:95:30 (ECDSA)
|_  256 76:a2:b1:cf:1b:3d:ce:6c:60:f5:63:24:3e:ef:70:d8 (ED25519)
80/tcp   open     http      Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Did not follow redirect to http://cybercrafted.thm/
|_http-server-header: Apache/2.4.29 (Ubuntu)
2041/tcp filtered interbase
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.94 seconds

Let's add cybercrafted.thm to /etc/hosts and access port 80.

Hmm, nothing. Let's see the source.

Hmm, so there are other subdomains. Let's try to get those and also try directory busting.

Hmm. /secret, but there were only a few images.

Let's now do subdomain enumeration.

Hmm, let's put those in /etc/hosts. There is a login page on the admin subdomain.

And the store subdomain returns forbidden.

Let's do directory bruteforcing on admin.cybercrafted.thm.

Hmm, command.png. So is there command injection or something? Hmm.

So it's a PHP site, and there is login.php. Let's also try to find directories with extensions like php, txt, etc. And there was also panel.css, and we got it.

But it redirects us to the login page. Hmm. I guess it is the upcoming thing for command execution. Hmm, but for now we have to be logged in somehow.

Hmm, let's also check that forbidden subdomain, store.

Hmm, so there is /search.php. Let's check that out.

Hmm, a searching thing.

Exploit

Hmm. Is it a command injection thing? Hmm, let's try some. But it didn't work.

Let's see that in Burp.

Hmm. Let's also test SQL injection. I used sqlmap for that. I captured the request with Burp.

sqlmap -r "$(pwd)/req.txt" -p search --dump --batch

And it worked.

Hmm so we got the flag and creds.

We got the username and password hash.

User:xXUltimateCreeperXx
Pass:diamond123456789

Foothold

Let's try to log in on that previous login page with these creds.

We logged in. Hmm, so we can execute commands from here, I guess.

We can get an easy reverse shell. And we can get id_rsa in /home/xxultimatecreeperxx/.ssh/id_rsa.

We can then easily crack the passphrase.

creepin2006

Privilege Escalation

After logging in, we can run linpeas.

Hmm, so cybercrafted is running tar something in cron. We might use it. Let's see. After checking /opt/minecraft/, we can see these.

Hmm, we got the plugin and a log file with the password of cybercrafted.

JavaEdition>Bedrock

So now we are cybercrafted.

And now doing sudo -l gave this.

Hmm. /usr/bin/screen -r cybercrafted as root.

I tried different things and tried to understand, but didn't succeed in escalating my privileges. After doing some research, I got this.

It was small; we just need to do ctrl+a+c after running the screen command as root.

And we will be shown an sh root shell. And we are root again.
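
From the defender's side, the sudo rule above is the root cause: screen is an interactive program, so allowing it as root hands over a root session. The following audit script is an added example, not part of the original writeup; the program list is illustrative, and the sample `sudo -l` output is constructed, with only the screen rule taken from the room.

```python
import re
import shlex
from pathlib import PurePosixPath

# Interactive programs that let the user start a shell or new window from
# inside the session. Illustrative list (assumption), not exhaustive.
INTERACTIVE = {"screen", "tmux", "vi", "vim", "less", "more", "man", "nano"}

# Constructed sample of `sudo -l` output. Only the screen rule comes from the
# writeup; the systemctl rule is a made-up benign entry for contrast.
SAMPLE = """\
User cybercrafted may run the following commands on cybercrafted:
    (root) /usr/bin/screen -r cybercrafted
    (root) NOPASSWD: /bin/systemctl restart minecraft
"""

# "    (runas[:group]) [TAG: ...] command[, command ...]"
RULE = re.compile(
    r"^\s+\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudo_rules(sudo_l_output):
    """Return (runas, command, reason) for rules that grant a privileged
    interactive session."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header lines and "Matching Defaults" entries
        runas = m.group("runas").split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue  # only rules that run as root (or as any user)
        for cmd in (c.strip() for c in m.group("cmds").split(", ")):
            if not cmd:
                continue
            program = PurePosixPath(shlex.split(cmd)[0]).name
            if cmd == "ALL":
                findings.append((runas, cmd, "unrestricted command set"))
            elif program in INTERACTIVE:
                reason = f"{program} is interactive and can start a shell as {runas}"
                findings.append((runas, cmd, reason))
    return findings

if __name__ == "__main__":
    for runas, cmd, reason in audit_sudo_rules(SAMPLE):
        print(f"[!] ({runas}) {cmd}: {reason}")
```
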

Done

And done. In this room, we learned new things like privilege escalation with the screen command under sudo, and it also helped sharpen my recon skills.