TryHackMe En-Pass Write-Up

Cursemagic
Feb 14, 2021

Hi, everyone. Today I would like to share my write-up on the En-Pass room from the TryHackMe platform. In this write-up, I will explain the code based on my understanding, which might be wrong. XD

Ok, let’s start.

Link to the TryHackMe En-Pass room: https://tryhackme.com/room/enpass

Run Nmap.

We find an HTTP service on port 8001. Let’s dive in.

Let’s get directories!

Gobuster

Let’s run in a row!

And we got it XD

Save this and we will use it later for sure.

reg.php

Now, it’s the turn for reg.php.

We can see in the source code where there is a PHP line.

So, I take it to try editor to look at it.

From what I understand through the codes,

  1. No letters or numbers are allowed in the input.
  2. Some strings are required in the input.

After a few minutes of code reading, I somehow understand the code. (Although it might not be completely correct.)

This is my understanding:

  1. The code reads the input from the $title variable, which is the input field on the page.
  2. The input is expected to be a string made up of 9 groups of “$”, separated by “,”.
  3. The loop statement:
    (the first if statement inside the loop)
    #Reminder: Arrays start at 0, but to make this easier to understand I use a “normal” sequence starting at 1.
    1. If the length of the first value equals 2 and the length of the ninth value equals 3, execution goes to the second if statement.
    2. Then, if the sixth value is not equal to the ninth value and the fourth value is not equal to the eighth value, the variable sum is incremented by 1.
  4. When the variable sum reaches 9, the result is shown.

This gives the string $$,,,$$$,,$$,$$,,$$$.

But it won't work.

So, I added a $ to each “empty space” between the “,” symbols. And this works!
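As an added illustration (my own reconstruction in Python, not the room’s PHP and not the author’s code), here is the check as I read the description above. The rule that an empty group fails the per-element test is an assumption; it would explain why the first string with empty slots was rejected while the filled-in version passed.

```python
import re

# Letters and digits are forbidden anywhere in the input (rule 1 above).
FORBIDDEN = re.compile(r"[A-Za-z0-9]")


def reg_check(title: str) -> bool:
    """Return True if the input would make the (reconstructed) check show the result."""
    parts = title.split(",")
    if len(parts) < 9:
        # Not enough groups to index the ninth value at all.
        return False
    total = 0
    for part in parts:
        # Assumption: an empty group or any letter/digit fails this element.
        if part == "" or FORBIDDEN.search(part):
            continue
        # First if: first value has length 2 and ninth value has length 3.
        if len(parts[0]) == 2 and len(parts[8]) == 3:
            # Second if: sixth != ninth and fourth != eighth.
            if parts[5] != parts[8] and parts[3] != parts[7]:
                total += 1
    # The result is shown only when exactly 9 increments happened.
    return total == 9


def diagnose(title: str) -> list:
    """List the groups (1-based) that fail the per-element test, to explain a rejection."""
    bad = []
    for i, part in enumerate(title.split(","), start=1):
        if part == "":
            bad.append((i, "empty"))
        elif FORBIDDEN.search(part):
            bad.append((i, "contains a letter or digit"))
    return bad


# Constructed inputs: the author's first attempt, and the same string with
# every empty slot filled with a "$" (my assumption of what the fix looked like).
FIRST_ATTEMPT = "$$,,,$$$,,$$,$$,,$$$"
FILLED_IN = "$$,$,$,$$$,$,$$,$$,$,$$$"

if __name__ == "__main__":
    for candidate in (FIRST_ATTEMPT, FILLED_IN):
        print(candidate, "->", reg_check(candidate), diagnose(candidate))
```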

So, input it into the input field and we will get the answer!

Great!

403.php

We can use 403fuzzer from GitHub to find the bypass value.

So, I used /..;/ and we get the username.

SSH to the target machine

So, before we get into SSH, we need to obtain the private key using the RSA key we found and the password from reg.php.

By running the following we can get the private key.

Now let’s SSH in.

YES!

Now root's time!

Spawn a pty shell first, as backspace can’t be used in this shell.

python3 -c 'import pty; pty.spawn("/bin/bash")'

ROOT FLAG!

After a few minutes of searching, we find a scripts directory.

And we got this.

Will update soon XD
