Archangel | TryHackMe Writeup

Overview

Archangel is an easy Linux-based machine on TryHackMe.

User Part

I started with an nmap scan, which found 2 open ports.

Ports 22 and 80 are open.

I opened the website.

As shown in the picture, you can see the hostname.

So let's add this to our /etc/hosts.

Browse to the hostname and you can see the site is under development.

I checked robots.txt and got a file.

I opened that file in the browser, and there is a button.

I clicked that button, and you can see the webpage is reading internal files. So I checked with LFI payloads.

My first payload was not successful.

My second payload was successful.

After reading this blog, I got this log file for further exploitation.

I opened that log file in the browser and it succeeded.

For my next step of exploitation, I want to add this PHP code to the log file.
By that, whenever I read the log file, this PHP code can also be executed.
Remember: this is a log file; if you make any mistake or damage it, it won’t work anymore, so be careful.

Now I tried to read the log file and tried PHP code for exploitation, and it succeeded.

To get a shell, I used this command.

I got a reverse shell using Burp Suite.

Then I uploaded linpeas from my local machine and ran it.

The files mentioned below are writable files owned by me; the /opt/helloworld.sh file is weird.

I added reverse shell code to that file and waited for 1 min; I got a shell back and could read the user flag.

Root Part

For further checking, I uploaded linpeas and ran it.

In the image below, I have the privilege to execute the backup file.

I downloaded it and checked for strings; as you can see, the ‘cp’ command is executing.

I made a cp file in ‘/tmp/’ and made it executable. Then I added the /tmp/ path to the PATH variable,
so when we execute that backup file, it first checks for the cp command in ‘/tmp/’.
By this, I added a reverse shell command to the cp file and got a shell back, and now I am root.
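
A defender-side check for the weakness used in the root part, as an added example that is not part of the original writeup: it pulls printable strings out of a binary the way `strings` does and reports embedded command lines that name a utility without an absolute path. The utility list, the sample bytes and the paths in them are constructed, and the setuid/setgid filter is an assumption about how the backup file gets its privileges.

```python
import os
import re
import shlex
import stat

# Runs of 4+ printable ASCII bytes, the same default as strings(1).
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# Utilities commonly shelled out to (assumed list; extend for your fleet).
UTILITIES = {"cp", "mv", "rm", "tar", "cat", "chmod", "chown", "sh", "bash"}


def extract_strings(blob: bytes) -> list[str]:
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def relative_commands(blob: bytes) -> list[tuple[str, str]]:
    """Return (utility, full_string) for embedded command lines whose
    program has no absolute path, so the caller's PATH picks what runs."""
    findings = []
    for s in extract_strings(blob):
        # One string can chain several programs; check each segment.
        for segment in re.split(r"[;&|]+", s):
            try:
                tokens = shlex.split(segment)
            except ValueError:  # unbalanced quotes: not a shell command
                continue
            # Require an argument so bare symbol names are not flagged.
            if len(tokens) >= 2 and tokens[0] in UTILITIES:
                findings.append((tokens[0], s))
    return findings


def audit(path: str) -> list[tuple[str, str]]:
    """Check one file on disk; only setuid/setgid files are examined."""
    if not os.stat(path).st_mode & (stat.S_ISUID | stat.S_ISGID):
        return []
    with open(path, "rb") as fh:
        return relative_commands(fh.read())


# Constructed sample standing in for a privileged backup helper.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"cp /srv/data/* /srv/backup/\x00"                 # bare name: flagged
    + b"\x01\x02/bin/tar -czf /srv/backup/a.tgz /srv/data\x00"  # absolute: ok
    + b"setuid\x00system\x00"
)

if __name__ == "__main__":
    for utility, line in relative_commands(SAMPLE):
        print(f"relative call to {utility!r}: {line}")
```

A finding is fixed in the binary itself by calling the utility by its absolute path or by resetting PATH to a fixed trusted value before any command is run.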
