Madness | TryHackMe writeup


Madness is an easy Linux-based machine on TryHackMe.

User Part

I started with nmap and found 2 open ports.

So let’s check the website.

As you can see, the image fails to load, so let’s check the source code.

Let’s download the image and check what’s wrong with it.

You can see the image is a ‘.jpg’ file but its header is PNG, so let’s edit the hex to change the header from PNG to JPG.

Open the image in ghex.

I searched for image magic numbers and got the ‘jpg’ magic number.

Change the hex value and open the image; you can see the hidden directory. Open the hidden directory in a browser.
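The same extension-versus-header observation, as an added example that is not part of the original writeup: a small Python check that compares a file's extension with the format its leading magic bytes identify, which is how an upload filter or triage script would flag a file like this one. The file names and sample header bytes are constructed for illustration.

```python
"""Compare a file's extension with the type its leading magic bytes claim."""
from pathlib import Path

# Well-known file signatures (leading magic bytes).
SIGNATURES = {
    "png": [bytes.fromhex("89504e470d0a1a0a")],
    "jpg": [bytes.fromhex("ffd8ff")],
    "gif": [b"GIF87a", b"GIF89a"],
}
# Extensions that name the same format.
ALIASES = {"jpeg": "jpg", "jpe": "jpg"}


def sniff(header: bytes):
    """Return the format whose signature starts `header`, or None."""
    for fmt, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return fmt
    return None


def check(name: str, header: bytes) -> dict:
    """Report whether the extension of `name` agrees with the magic bytes."""
    ext = Path(name).suffix.lower().lstrip(".")
    claimed = ALIASES.get(ext, ext)
    actual = sniff(header)
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        "header_hex": header[:8].hex(" "),
        # Flag only extensions we hold a signature for; empty or unknown
        # headers under such an extension also count as a mismatch.
        "mismatch": claimed in SIGNATURES and actual != claimed,
    }


def check_file(path: str) -> dict:
    """Same check for a file on disk; only the first 16 bytes are read."""
    with open(path, "rb") as fh:
        return check(path, fh.read(16))


if __name__ == "__main__":
    # Constructed samples: a ".jpg" that opens with the PNG signature (the
    # situation in this writeup) and a normal JFIF header for comparison.
    samples = {"sample.jpg": bytes.fromhex("89504e470d0a1a0a0000000d"),
               "normal.jpg": bytes.fromhex("ffd8ffe000104a4649460001")}
    for name, head in samples.items():
        print(check(name, head))
```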

From the website we can identify that we should guess the ‘secret’.

There is a hint that the number is between 0 and 99.

Using Burp Intruder, I got the secret.

After some enumeration, I got the username using steghide from the downloaded image. The username is in ROT13 format, so let’s decode it.

After some more enumeration, I downloaded and checked this mentioned image.

Using steghide, I got a ‘password.txt’ file, which contains the password.

I got the username and password, so I tried to SSH in and got a shell.

Root Part

Let’s check for SUID; I got this interesting part.

I searched for an exploit in Exploit-DB.

Save the exploit and run it; as you can see, I am now the root user.

