
SafeZone

TryHackMe Linux Medium

Enumeration

Let's start with the port scan.

nmap -sVC 10.10.91.192 -oA nmap/initial
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-17 18:02 +0545
Nmap scan report for 10.10.91.192 (10.10.91.192)
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 30:6a:cd:1b:0c:69:a1:3b:6c:52:f1:22:93:e0:ad:16 (RSA)
|   256 84:f4:df:87:3a:ed:f2:d6:3f:50:39:60:13:40:1f:4c (ECDSA)
|_  256 9c:1e:af:c8:8f:03:4f:8f:40:d5:48:04:6b:43:f5:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Whoami?
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.88 seconds

Hmmm, simple ports are open. Let's see port 80.

Hmmm, let's do directory busting and also use tools like nikto.

Let's check these features. So there is register.php, detail.php, etc., and there is a login page at /index.php.

I first registered a user and logged in.

Hmmm, let's check those things.

There might be some LFI or RCE here. There was nothing in contact.php, and this in detail.php.
Let's also check the HTML source too. Hmm.

So there is a page GET parameter. But we are not logged in as a privileged user, which is why it says "You can't access this feature!".

I have also found /note.txt; let's see that.

Hmmm. So we need to access /home/files/pass.txt; let's try LFI.

Exploit

Hmmm. I tried different LFI techniques.

But none of them worked. Let's just try to access /home/files/pass.txt. But how can we access it? We don't know the user, and there is a direct /home/files/pass.txt path. Hmmmm. I am completely stuck now. Hmmm, after seeing a writeup for this part, it was this.

Really.

Wow, but okay. Now I guess we need to log in as admin, but the password is incomplete. Let's make a Python script for this.

So I made this script with the help of ChatGPT.

import requests
import time
import re

url = "http://10.10.91.192/index.php"
username = "admin"
attempts = 0

print("[*] Starting brute-force on admin__admin...")

for i in range(100):  # 00 to 99 inclusive
    password = f"admin{i:02}admin"
    data = {
        "username": username,
        "password": password,
        "submit": "Submit"
    }

    try:
        response = requests.post(url, data=data, timeout=10)
    except Exception as e:
        print(f"[!] Error with request: {e}")
        continue

    if "Please enter valid login details" in response.text:
        print(f"[-] Tried {password} -> Invalid")
    elif "To many failed" in response.text:
        print("[!] Too many failed attempts, sleeping for 60 seconds...")
        time.sleep(60)
        attempts = 0
        continue
    else:
        print(f"[+] Success! Username: {username}, Password: {password}")
        break

    attempts += 1
    if attempts == 3:
        print("[*] 3 attempts reached. Sleeping 60 seconds...")
        time.sleep(60)
        attempts = 0

And we got this.

Let's log in.

And we can also access this.

Hmmm, and we might also provide the page parameter and check whether this works or not. And this worked.

Now, can we see /var/log/apache2/access.log?

And because of my fuzzing, there are lots of requests. Let's send a PHP web shell in the User-Agent and try to execute a command.

Now let's add the PHP web shell to the User-Agent header and send the request. Because the request is saved in the access.log file, we can now execute commands using that PHP web shell through the /var/log/apache2/access.log file.

And I tried pinging my IP.
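From the defender's side, both steps above leave traces in the same access.log: a PHP open tag in a logged header, and a page parameter that points at a filesystem path. The following detection sketch is an added example, not part of the original writeup; the sample log lines are constructed, the combined log format is assumed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format (assumed):
#   host ident user [time] "request" status bytes "referer" "user-agent"
# Apache writes a literal quote inside a logged field as \" so allow escapes.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
PHP_TAG = re.compile(r'<\?(?:php|=)', re.I)
# Values that have no business in a page-selector parameter.
SUSPICIOUS_PATH = re.compile(
    r'(\.\./|^/(?:var|etc|home|proc|tmp)/|^(?:php|file|data)://)', re.I)

def inspect(line, param="page"):
    """Return the list of findings for one access.log line."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable"]
    findings = []
    # A PHP open tag in any client-controlled logged field is a poisoning attempt.
    for field in ("req", "ref", "ua"):
        if PHP_TAG.search(m[field]):
            findings.append(f"php-tag-in-{field}")
    parts = m["req"].split(" ")
    if len(parts) >= 2:
        # parse_qs percent-decodes, so encoded traversal is caught as well.
        for value in parse_qs(urlsplit(parts[1]).query).get(param, []):
            if SUSPICIOUS_PATH.search(value):
                findings.append(f"lfi-{param}={value}")
    return findings

# Constructed sample lines (not taken from the target's real log).
SAMPLE = [
    '10.0.0.5 - - [17/Apr/2025:18:20:01 +0545] "GET /detail.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [17/Apr/2025:18:21:10 +0545] "GET /index.php HTTP/1.1" 200 900 "-" "<?php /* placeholder */ ?>"',
    '10.0.0.5 - - [17/Apr/2025:18:21:30 +0545] "GET /detail.php?page=/var/log/apache2/access.log HTTP/1.1" 200 51234 "-" "curl/8.5.0"',
    '10.0.0.5 - - [17/Apr/2025:18:22:00 +0545] "GET /detail.php?page=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 700 "-" "curl/8.5.0"',
]

def scan(lines):
    """Map line index -> findings, keeping only lines that triggered."""
    return {i: f for i, line in enumerate(lines) if (f := inspect(line))}

if __name__ == "__main__":
    for idx, found in scan(SAMPLE).items():
        print(idx, found)
```

The underlying fix is on the application side: map the page parameter to a fixed allowlist of templates instead of a file path, and keep the web server user from reading its own logs.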

Foothold

And we succeeded. Let's get the reverse shell.

Now let's try to escalate our privileges. I got the full TTY shell.

And we got something.
Let's read that.

We got the hash, and we could easily crack it using john.

Privilege Escalation

Let's see what else we can do. Hmmm.

So we can run id as root. And we can also change the PATH variable.

But there was a full path in sudo -l, so we can't abuse that.

Hmm, let's run linpeas.sh. After running linpeas and checking for anything odd, we can find this.

Hmm, let's use ssh to tunnel that port. ssh -L 8000:localhost:8000 [email protected]

Going to that port, we can see it's forbidden.

We found this.

Let's try the usernames and passwords that we have got. But nothing worked. Let's see /pentest.php.

Hmm. What is this? Is it some kind of command panel? And it was. We can ping.

Let's try to get a shell, but how? Different things are blacklisted. I tried using an nc reverse shell, but nc is blacklisted. Let's first make a payload to get a reverse shell in /tmp and then execute it using that.

I made this.

Then I called it using that panel.

And I got the shell.

Let's see now how we can become a more elevated user.

Now doing sudo -l, we can see this.

I was just trying and this worked.

Hmmm, but I need a shell. Let's try to get a shell somehow. So this program is copying the file, I guess.

I just tried this and it worked.

Now let's see that Python program. Hmm, it's using sshpass.

At last we got the root shell.

Done

And lots of things learned.