Hello all this is my first ctf writeup to publish.
The name of the box is Team and it’s beginner friedly ctf rated easy.
Please allow 3–5 minutes for the box to boot
Created by: dalemazza

Link to the room: https://tryhackme.com/room/teamcw


nmap -v -sC -sV -p- -O -T4 -On nmap.txt [ip]

Results from nmap showed 3 open ports

First we tried to login ftp port but anonymous login was disabled so went on to check http port 80.

Http page revealed just an apache default page. We also did a directory scan on this page using gobuster but unfortunately gobuster didn’t reveal much information. From the web source page i found an interesting comment which was mentioning to add domain to /etc/hosts.

I then added it to the /etc/hosts file

After adding it to hosts file went to check the webpage and found another webpage which seems to be blog website.

Now i ran two gobuster scan to get full path to the directory. Gobuster is a Directory/file & DNS busting tool written in Go Gobuster is a tool used to brute-force URI’s including directories and files as well as DNS subdomains.

From the above screenshot we got a many directories. From robots.txt We got a username named dale. It could be useful to login ssh. Then we checked the /scripts/script.txt. After browsing to the page. The page was mentioning of ftp credentials but the creds wasn’t there to get the creds changed the directory to script.old as it mentioned.

We saved the script.old

When we checked the script it gave the proper ftp creds to login. Let’s now login ftp using this credentials.

There was another .txt file let’s grab it using get command to our local directory.

The .txt file was mentioning about a .dev webpage and also about ssh id_rsa config file. Let’s first add .dev.team.thm to the /etc/hosts and navigate it in the webpage.

On visiting the website, it was evident that the website is still in development. Clicking on the only link on the website, we see that it is a PHP script, probably using the include function.

Testing the variable ‘page’, we see that it is vulnerable to LFI.

Now from the .txt file we got from ftp it mentioned about ssh config files so i thought to check all ssh files and it seems that dale ssh private key was actually visible we got it using injecting a simple lfi command.


To get the ssh private key in a proper way i did curl,grep and cut to just specifically get the id_rsa key.

curl http://dev.team.thm/script.php?page=../../../../etc/ssh/sshd_config | grep -A 100 ‘AllowUsers dale gyles’ cut -c “2-”

And we saved the id_rsa key then changed the permission to chmod 600 to execute the ssh key. And finally we logged in using dale private key.

After getting in the machine, we see that there is another user ‘gyles’ in the machine. As Gyles was instructing dale, it is safe to assume that the user Gyles has more privileges than our current user. On, running sudo -l as the user dale, we see that we can run a script ‘admin_checks’ as user gyles with elevated privileges and NOPASSWD. Reading the script ‘admin_check’, it asks for the users name and date, and then passes the ‘date variable’ to the ‘date command’ to be executed. This was very easy to exploit, just pass ‘/bin/bash’ as date, and we have a shell.

Now we are logged in as the gyles’ user. Looking at the user’s home directory we see that the author left the .bash_history meaning we can trace what the author did while he was creating the box. Looking through the file we see a file in /opt/admin_stuff . We then navigated to that directory.

Seems script.sh is owned by root let’s check contents inside the script.sh

The owner had setup cronjob for two bash scripts. And if we can abuse and upload our shell script to the file probably we could be logged in as root.

The file main_backup.sh had writable permission and the file was owned by root great.

Let’s inject our payload to the script. And wait to get executed by cron.

After a minute we get back the shell. by checking the userid we are logged in as root.

cat /root/root.txt.

And there it is. A wonderful beginner level ctf challenge.

…………………………Happy Hunting………………………………………….