TryHackMe: Madness Writeup

Easy THM Room. Steganography, Scripting, Clue Hunting and A Fun Priv-Esc.


1. Scanning & Enumeration

We do the below scans in parallel.

1.1. Port Scanning

Nothing extraordinary.

1.2. Web Exploration

On the homepage, which is the default Apache page, the source code references an image, thm.jpg, that does not render properly.

1.3. Steganography

Exploring the image with strings, binwalk and steghide returns nothing.

At this point, it is worth remembering that CTF challenges often tamper with a file's magic number.

Magic numbers are the leading bytes the system uses to recognise the file type. Dumping the file with xxd --plain thm.jpg > wow.txt, we see the first line: 89504e470d0a1a0a000000010100000100010000ffdb0043000302020302 (it begins with the PNG signature 89 50 4e 47 0d 0a 1a 0a, even though the file claims to be a JPEG).

I looked up the actual header values for JPEG files. We thus change the first line to: ffd8ffe000104a46494600010100000100010000ffdb0043000302020302

We see the hidden directory mentioned in the image!

PS: It is also a good idea to download the image … just in case, you know?
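The header check above can be automated. As an added example (not the writeup's own script), this Python snippet flags a PNG signature that is not followed by the IHDR chunk every real PNG starts with, rewrites the leading bytes with the standard JFIF prologue, and then verifies that the next JPEG segment marker sits where the APP0 length field says it should. The sample input is the hex line quoted above; the function names are my own.

```python
"""Detect a tampered image header and rewrite it as a JFIF (JPEG) header."""
from typing import Optional

# Signatures a few common formats start with.
SIGNATURES = {
    "png": bytes.fromhex("89504e470d0a1a0a"),
    "jpeg": bytes.fromhex("ffd8ff"),
    "gif": b"GIF8",
}

# SOI marker, APP0 marker, APP0 length 0x0010, "JFIF\0" identifier.
# The version/density bytes that follow were left intact in the room's file.
JFIF_PROLOGUE = bytes.fromhex("ffd8ffe00010") + b"JFIF\x00"

# First bytes of the tampered thm.jpg, as printed by xxd in the writeup.
SAMPLE = bytes.fromhex(
    "89504e470d0a1a0a000000010100000100010000ffdb0043000302020302"
)


def detect_type(data: bytes) -> Optional[str]:
    """Name of the format whose signature matches the start of data."""
    for name, sig in SIGNATURES.items():
        if data.startswith(sig):
            return name
    return None


def png_header_is_fake(data: bytes) -> bool:
    """A real PNG's 8-byte signature is always followed by 4 length bytes and IHDR."""
    return detect_type(data) == "png" and data[12:16] != b"IHDR"


def repair_jfif_header(data: bytes) -> bytes:
    """Replace the forged leading bytes with the standard JFIF prologue."""
    return JFIF_PROLOGUE + data[len(JFIF_PROLOGUE):]


def is_valid_jfif(data: bytes) -> bool:
    """Check SOI + APP0, and that a marker (0xff) starts right after the APP0
    segment; the length field counts itself but not the marker bytes."""
    if not data.startswith(JFIF_PROLOGUE):
        return False
    app0_len = int.from_bytes(data[4:6], "big")
    next_marker = 4 + app0_len
    return data[next_marker:next_marker + 1] == b"\xff"


if __name__ == "__main__":
    print("fake PNG header:", png_header_is_fake(SAMPLE))
    fixed = repair_jfif_header(SAMPLE)
    print("repaired:", fixed.hex(), "valid JFIF:", is_valid_jfif(fixed))
```

On the room's file the repaired bytes match the corrected first line shown above; to fix a real file, write repair_jfif_header(open(path, "rb").read()) back out.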

1.4. Hidden Directory Exploration

The hidden directory we found via stego.

Info gathered:

  • We have to enter a secret
  • Source code mentions something about the type of input and the size of input.
  • The question is thus: How do we input?

1.5. Finding the Secret

Trying the request below gives us the expected response. Note how the parameter is accepted.

We also see the hint printed out here. Time for some scripting!

I wrote the code below, which you can use to brute-force the value of the secret parameter.

And we get the secret number, which gets us a key!

But, to what?

1.6. Steganography

Remember the image we fixed earlier? Well, this is where the key is being used.

Ey, Voila! Using rot13 gives us the username.

But … PASSWORD????????

2. Foothold (finally): Big Brain Time

At this point, we have no active paths left to explore. Brute-forcing SSH is not a good idea. What to do?

This is very sneaky. Saw the image on the room? Download it.

AH YES! Finally!

3. PrivEsc

We explore the common privilege-escalation paths.

^ not useful.

^ finding the set-uid bit

Does something seem off to you? I googled it, and found the exploit.

Copy-pasting the script and executing it:

System Compromised :)

BONUS: Lessons Learnt

  • For steganography challenges, look for: strings, binwalk, steghide and also magic numbers.
  • Brute-forcing generic things is easy with python3.
  • Stuck? Take a break and look where things are most … normal.
  • Google anything that looks shady.

Originally published at https://chaudhary1337.github.io.