Planet DesKel

DesKel's official page for CTF write-up, Electronic tutorial, review and etc.

8 August 2020

THM write-up: Library

3 minutes to read



Another day, another CTF write from tryhackme. Today I going to show you a brand new tryhackme series called boot2me. This series is brought to you by user stuxnet. In addition, it is one of the Bsides guatemala challenges which is sponsored by tryhackme and Galileo universidad. Without further ado, let’s get it on.

Task 1: Capture the flag

You CTF, you win. That is the point of this challenge.

Task 1: Capture user’s flag

Nmap scanning is essential on every CTF challenge. Launch your Nmap scan with the following command

nmap -A -v <MACHINE IP>


Looks like the Nmap discovers two open ports which are port 22 (SSH) and port 80 (HTTP). I guess we have to leave port 22 for a while because we do not have any clue on brute-forcing the port. Let’s check the HTTP port.


Huh..nothing out of ordinary. The site is not vulnerable to the XSS either because of all the href link to the main page. How about directory-attack?


Nope, gobuster didn’t return any interesting directory except robots.txt.Guess we have to check it out.


User-agent rockyou? I’m guessing the rockyou.txt wordlist is the hint for the challenge. What else we can dig from the page?


We got a username called ‘meliodas’ as the author of the blog post. Now, we have the username, rockyou.txt as the hint and unexploited SSH port. What is in you mind right now? It is brute-forcing time using hydra.

hydra -t 20 -l meliodas -P <rockyou.txt location> ssh://<Machine IP>


Hooray, we are on the right track. Login to the ssh shell by using the following command and ‘iloveyou1’ as the login password.

ssh meliodas@<machine IP>


Now we are inside the meliodas’s SSH shell. Let’s capture the user flag.

user flag

Gotcha, the user flag is now with us.

Task 1-2: Capture the root’s flag

You are now half-way done. It is time to root the machine!. First and foremost let see which sudo command can be performed by the user.


The user only can use sudo python on file.


What! we can’t perform python using sudo? That is weird. How about we run the python inside the /usr/bin directory?

another python

Well, it just works. Let’s check the content inside the


I guess we can’t do anything with the script because it is write-protected. Since we only gain sudo privilege on executing the using python. How about delete the exiting and create a new one that allows us to spawn root shell? crazy huh? Let’s try this out.

rm /home/meliodas/
echo 'import pty; pty.spawn("/bin/sh")' > /home/meliodas/


Guess our crazy idea is now working. We can now capture the root flag.


Congratulation, you are now rooted in the machine.


That’s it, we are complete our first boot2root series challenge. Until next time ;)

tags: tryhackme - CTF - recon - privilege_escalate - brute_force

Thanks for reading. Follow my twitter for latest update

If you like this post, consider a small donation. Much appreciated. :)


© 2020 DesKel