Open in app

Sign in

Write

Sign in

TryHackMe Jeff Writeup

Shivam Taneja
6 min readNov 7, 2022

Jeff Walkthrough

In this post, I would like to share my experience and walkthrough on Jeff Room.

Overall, I have taken a few days just to complete this machine and it’s a HARD machine to play with.

Let’s Start!

We need to deploy the machine for us to play with the machine.

Once the machine is fully up within 5 minutes, we can start information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN

From the nmap result, i found out that the following port are open:

  • 22: OpenSSH 7.6.1p1
  • 80: nginx

From my experience, we need to add the IP and domain within the /etc/hosts

Let’s check what is stored inside the website.

The website looks pretty plain with the link is cannot function at all.

Let’s start to enumerate the website by executing the command dirb jeff.thm and hope that we found something useful.

Oh wow! We got /backups/ directory and i can assume that there will a file on this backups directory. I will do a random guess that backup.zip is save on this directory. Hope my guess is correct!

Let’s see the backup file and see what stored inside. However, the file has been protected by a password.

Let’s get the password by using the command fcrackzip -v -u -D -p /usr/share/wordlist/rockyou.txt backup.zip

Now, you can unzip the backup file using the password that we got from output above.

We got a password for the WordPress login access. Assuming that, we can predict that CMS WordPress is been stored on the machine. My bet would be that WordPress is included in the domain of the machine such as wordpress.jeff.thm

And cross finger that we got the wordpress page

We got it! What a guess! We should be able to access wp-admin in order for us to login into WordPress with credentials as below:

  • User: jeff
  • Password: <The same password that we found in wpadmin.bak>

Next, we need to copy-paste the PHP reverse shell on 404.php configuration the WordPress themes

Once we change the IP address and port, we can click the Update File Button for it to edited successfully.

Before we access the link on the browser, we need to start the listening port in the order to return to us. If not, it will appear something like below

We can refresh the browser if you have access the website without starting the listening

We have successfully access the server via www-data privileges access.

Let’s read the ftp_backup.php file that stored in /var/www/html. I found out the Host IP, Username and Password where we will use that information inside a python script.

Disclaimer: I didn’t own the Python Script above. I found the script by doing some research on the internet

Once we have filled up the information on the Python Script, we can transfer the file on the target’s machine just like follows:

After we have complete getting the file on the machine, we need to change the permission of the file to executable by running the command chmod +x <filename>.py

Before we can execute the files, we need to start listening as normal.

Now, we can execute the Python Script and it might take some minutes to fully return back to us

While waiting for the shell coming back to us, let’s have a coffee. Normally, it will take a minute if everything been executed perfectly.

We got the access as backupmgr user privileges and let’s check the user.txt whether we can already read the file by going to /home/jeff

Sadly, we cannot read the file because the permission is denied. Let’s go and get the permission to read the user.txt

We found systool been stored in /opt/systools/ directory but we also see one file called message.txt. I’m curious about what is written inside the file.

So, let’s restore back the backup file that might store in /var/backups directory.

We will need to delete message.txt in this directory and I will talk about it later on.

After we have deleted the message.txt, we need to access the backup by going to /var/backups

I found jeff.bak stored here and let’s access /opt/systools directory and execute the following command

ln -s /var/backups/jeff.bak message.txt

Let’s run ./systool command and key-in number 3 after entering the number 2

The password is shown above been assigned for jeff user privileges. However, you need to enter the command below in order to use the “su” command

python3 -c ‘import pty: pty.spawn(“/bin/bash”)’

Now, we access the server via jeff credentials. Let’s try again to read the user.txt

We need to decode the md5 hash for us to gain the actual user flag

Let’s check if we be able to escalate user jeff can access to root

I found that crontab is running for jeff and we need to run the command sudo crontab -e and we see the interface as shown in the screenshot below

We need to key-in :!/bin/sh when we see the interface at first sight. For us to get the terminal look, we need to use bash -i

We are in the machine as root and we can access to /root/ directory to read the root flag

That is all!!

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Tryhackme
Shivamtaneja
Linux
Hacking
Coding
Shivam Taneja
Shivam Taneja

Written by Shivam Taneja

28 Followers
17 Following

IT Security Consultant, Researcher, Penetration Tester & Hacker.

No responses yet

Write a response

What are your thoughts?

More from Shivam Taneja

See all from Shivam Taneja

Recommended from Medium

Lists

General Coding Knowledge

20 stories1944 saves

Stories to Help You Grow as a Software Developer

19 stories1624 saves
Image by vectorjuice on FreePik

The New Chatbots: ChatGPT, Bard, and Beyond

12 stories563 saves

data science and AI

40 stories340 saves
See more recommendations

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams