You’ve been hired by Billy Joel to get revenge on Ducky Inc…the company that fired him. Can you break into the server and complete your mission?
This is Revenge from TryHackMe. It’s medium rated.
Cut to the chase
I’m going to skip over a lot of this. Foothold is via a SQLi on the ‘products’ page of the website; sqlmap can dump the database and John can crack the hash for one of the users, then we SSH in.
After I was done with this I checked some writeups and unfortunately they all used sqlmap, no-one did the SQLi manually. I had a bit of a go at it but I wasn’t getting too far.
For the privesc, our user can edit and restart a service, so that’s our path:
The service runs the webserver. The final flag was supposed to be awarded for defacing the webserver front page, not by gaining root. Anyway, the first time I tried it I sent myself a root shell:
Then I edited /var/www/duckyinc/templates/index.html … and got a 502 Bad Gateway error on the website.
Next, I used the service to make myself another root user:
Then I edited /var/www/duckyinc/templates/index.html … and got a 502 Bad Gateway error on the website.
I checked some writeups and no-one else mentioned this as being an issue. Anyway, I then restored the service file to the original state and restarted it again (still with my root2 user) and finally it worked. So yeah, not sure what was up with that.
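The privesc above works because a low-privileged user can change what a service runs. As an added example (not part of the original writeup or the room), here is a defender-side audit that flags service units, and the programs they start, that are modifiable by anyone other than root; the function names, the `trusted_uid` parameter and the default directory are assumptions.

```python
import os
import stat
from pathlib import Path


def loose_perms(path, trusted_uid=0):
    """Reasons someone other than trusted_uid could modify the file."""
    st = os.stat(path)
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append(f"owned by uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def exec_targets(unit_path):
    """Executable paths named by ExecStart= lines in the [Service] section."""
    targets, section = [], None
    for line in Path(unit_path).read_text().splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and line.startswith("ExecStart="):
            # Drop systemd's special prefixes (-, @, +, !, :) before the path.
            words = line.split("=", 1)[1].lstrip("-@+!:").split()
            if words:
                targets.append(words[0])
    return targets


def audit_unit(unit_path, trusted_uid=0):
    """Findings for one unit: the unit file itself, then what it executes."""
    findings = [f"{unit_path}: unit file {r}" for r in loose_perms(unit_path, trusted_uid)]
    for exe in exec_targets(unit_path):
        if os.path.exists(exe):
            findings += [f"{unit_path}: ExecStart target {exe} {r}"
                         for r in loose_perms(exe, trusted_uid)]
    return findings


def audit_dir(directory="/etc/systemd/system", trusted_uid=0):
    """Audit every *.service file in one directory (path is an assumption)."""
    findings = []
    for unit in sorted(Path(directory).glob("*.service")):
        findings += audit_unit(unit, trusted_uid)
    return findings


if __name__ == "__main__":
    print("\n".join(audit_dir()) or "no loosely-permissioned units found")
```

File permissions are only one way a user ends up able to edit a unit; delegated sudo rights to edit the file or restart the service need a separate review of the sudoers configuration.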