Madness | TryHackMe writeup
Madness is an easy Linux-based machine on TryHackMe.
Starting with nmap, I found 2 open ports,
so let’s check the website.
As you can see, the image on the page fails to load, so let’s check the source code.
Let’s download the image and check what’s wrong with it.
You can see the image is a ‘.jpg’ file but its header is PNG, so let’s edit the hex to change the header from PNG to JPG.
Open the image in ghex.
Searching for image magic numbers, I got the ‘jpg’ magic number.
Change the hex value and open the image; you can see the hidden directory. Open the hidden directory in a browser.
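The mismatch found above (a ‘.jpg’ name on a file whose header is PNG) can also be checked with a short script. This Python sketch is an added example, not part of the original writeup; the file names and sample bytes are constructed, and comparing the end-of-file marker as well goes one step beyond the header check done by hand in ghex.

```python
import os

# Leading signatures (magic numbers) for the two formats involved here.
SIGNATURES = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff"}
# End-of-file markers: JPEG ends with EOI, PNG with the IEND chunk and its CRC.
TRAILERS = {"jpg": b"\xff\xd9", "png": b"IEND\xaeB`\x82"}
EXT_ALIASES = {"jpeg": "jpg"}


def sniff(data, table, at_end=False):
    """Return the format whose marker matches the start (or end) of data."""
    for kind, marker in table.items():
        if data.endswith(marker) if at_end else data.startswith(marker):
            return kind
    return None


def inspect(name, data):
    """Compare the declared extension with what the bytes actually say."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    ext = EXT_ALIASES.get(ext, ext)
    header = sniff(data, SIGNATURES)
    trailer = sniff(data, TRAILERS, at_end=True)
    findings = []
    if header != ext:
        findings.append("extension/header mismatch")
    # A PNG header on data that ends like a JPEG means the header was altered.
    if header and trailer and header != trailer:
        findings.append("header/trailer mismatch")
    return {"ext": ext, "header": header, "trailer": trailer,
            "findings": findings}


# Constructed sample data (not the room's real image).
JPEG_BODY = b"\x00\x10JFIF\x00\x01" + b"\x00" * 16 + b"\xff\xd9"
TAMPERED = SIGNATURES["png"] + JPEG_BODY       # PNG header on JPEG data
CLEAN_JPG = b"\xff\xd8\xff\xe0" + JPEG_BODY
CLEAN_PNG = SIGNATURES["png"] + b"\x00" * 16 + TRAILERS["png"]

if __name__ == "__main__":
    for name, blob in [("sample.jpg", TAMPERED), ("ok.jpg", CLEAN_JPG),
                       ("ok.png", CLEAN_PNG)]:
        print(name, inspect(name, blob))
```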
From the website we can identify that we should guess the ‘secret’.
There is a hint that the number is between 0 and 99.
Using Burp Intruder, I got the secret.
After some enumeration, I got the username using steghide from the downloaded image. The username is in ROT13 format, so let’s decode it.
After some more enumeration, I downloaded and checked the mentioned image.
Using steghide, I got a ‘password.txt’ file, which contains the password.
I got the username and password, so I tried to SSH in and got a shell.
Let’s check for SUID; I got this interesting part.
I searched for an exploit in Exploit-DB.
Save the exploit and run it; as you can see, I am now the root user.