Tomghost

CVE-2020-1938

This room is basic and asks for two different flags: a user.txt flag and a root.txt flag.

Enumerating the box

We have ports 22, 53, 8009, and 8080 open.

8080 is showing Apache Tomcat. Let's navigate to the page.

Looks like the box is running Apache Tomcat 9.0.30.

From here we launch Metasploit and search for Apache, Tomcat, and JServ (the protocol on port 8009).

Looks like the JServ search turns up a great auxiliary module.

Let's set the options and run it.

Our response seems to give us a username and password!
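The module used above works because Tomcat 9.0.30 ships its AJP connector listening on every interface with no shared secret; the fix landed in Tomcat 9.0.31, 8.5.51 and 7.0.100, which also changed the AJP defaults to a loopback bind and secretRequired="true". The following audit script is an added example for defenders and is not part of this walkthrough or of Tomcat itself: it checks a version string against the fixed releases and inspects a server.xml for AJP connectors that are still reachable or secret-less. The two server.xml fragments are constructed samples, and the secret value in the hardened one is a placeholder.

```python
"""Audit Tomcat for the CVE-2020-1938 (Ghostcat) exposure: version check plus
server.xml inspection of AJP connectors. Added example, not the page's own code."""
import xml.etree.ElementTree as ET

# Constructed sample resembling a pre-9.0.31 default: AJP on all interfaces, no secret.
VULNERABLE_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample of a hardened config: the old connector is commented out and the
# replacement is bound to loopback with a required shared secret (placeholder value).
HARDENED_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-SECRET" />
  </Service>
</Server>
"""

# First release on each branch that carries the Ghostcat fix.
FIXED_RELEASES = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}


def ghostcat_patched(version):
    """True if a plain x.y.z Tomcat version string includes the CVE-2020-1938 fix."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED_RELEASES.get(parts[0])
    if fixed is None:
        # Branches newer than 9 shipped after the fix; 6 and earlier are end-of-life
        # and never received it.
        return parts[0] > 9
    return parts >= fixed


def audit_ajp_connectors(server_xml):
    """Return one finding per AJP connector. ElementTree discards XML comments, so a
    commented-out connector (Tomcat's default since 9.0.31) is not reported."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        address = conn.get("address")
        issues = []
        # Before 9.0.31 a missing address meant "all interfaces"; insist on an explicit bind.
        if address is None or address in ("0.0.0.0", "::"):
            issues.append("bound to all interfaces; set address to loopback or an internal IP")
        # The secretRequired default differs by version (false before 9.0.31, true after),
        # so anything short of an explicit secretRequired="true" plus a secret is a gap.
        if conn.get("secretRequired", "").lower() != "true" or not conn.get("secret"):
            issues.append('no shared secret required; set secretRequired="true" and a strong secret')
        findings.append({"port": conn.get("port"), "address": address,
                         "exposed": bool(issues), "issues": issues})
    return findings


if __name__ == "__main__":
    print("9.0.30 patched:", ghostcat_patched("9.0.30"))
    for label, xml_text in (("vulnerable", VULNERABLE_XML), ("hardened", HARDENED_XML)):
        for finding in audit_ajp_connectors(xml_text):
            print(label, finding)
```

Point `audit_ajp_connectors` at the contents of a real `conf/server.xml` to review a live install; the version check is deliberately strict about x.y.z strings so that milestone builds are reviewed by hand rather than silently passed. Upgrading past the fixed release is the real remediation; binding AJP to loopback and requiring a secret are the compensating controls when that has to wait.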

Testing those credentials against SSH, we are in the user account!

We have two files listed:

  1. credential.pgp
  2. tryhackme.asc

The second file appears to be an SSH key.

Searching the box, we come across our first flag in a different user's profile.

Going back to our two files, we attempt to run John against the .asc file.

Let's pull the file to our local host.

And we have our username and password!

We use alexandru as the passphrase and we have merlin's password.

Running sudo -l, we see that /usr/bin/zip is what we want to attack for privesc.

Navigating to GTFOBins, we come across this: https://gtfobins.github.io/gtfobins/zip/

TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF
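The root cause on this box is a sudoers rule that hands a user a binary with a documented shell escape. The script below is an added example for administrators, not part of the walkthrough or of GTFOBins: it parses sudoers-style rules (and the `(runas) TAG: command` lines that `sudo -l` prints) and flags commands whose binary is on a short, assumed list of well-known escape-capable programs. The sudoers text is a constructed sample; the binary list is illustrative and should be extended from GTFOBins for a real review.

```python
"""Flag sudo rules that grant binaries with known shell escapes.
Added example, not the page's own code."""
import os
import re

# Assumed, illustrative subset of binaries whose sudo entries allow a shell escape.
SHELL_ESCAPE_BINARIES = {
    "zip", "tar", "vim", "vi", "less", "more", "man", "find",
    "awk", "python", "python3", "perl", "env", "nmap",
}

# "user host = (runas) TAG: cmd, cmd" as written in /etc/sudoers.
SUDOERS_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
# "(runas) TAG: cmd, cmd" as printed by sudo -l for a single user.
SUDO_L_RULE = re.compile(
    r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

# Constructed sample sudoers file for the audit.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
merlin  ALL=(root) NOPASSWD: /usr/bin/zip   # the rule this room abuses
alice   ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/vim /etc/nginx/nginx.conf
bob     ALL=(root) NOPASSWD: /usr/bin/systemctl status nginx
"""


def audit_sudo_rules(text, default_user="(sudo -l)"):
    """Return a finding for every command whose binary is a known shell-escape vector.
    Lines in sudo -l output have no user column, so they are attributed to default_user."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RULE.match(line)
        who = m.group("who") if m else default_user
        if m is None:
            m = SUDO_L_RULE.match(line)
        if m is None:
            continue
        runas = m.group("runas") or "root"  # sudo runs as root when no runas is given
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd == "ALL":
                continue  # unrestricted sudo is a policy question, not a per-binary escape
            binary = os.path.basename(cmd.split()[0])
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append({"user": who, "runas": runas, "command": cmd,
                                 "binary": binary, "nopasswd": nopasswd})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE_SUDOERS):
        print(f"{f['user']} -> ({f['runas']}) {f['command']}  "
              f"[{f['binary']} shell escape, NOPASSWD={f['nopasswd']}]")
```

Arguments on the rule do not make it safe (vim with a fixed file still drops to a shell), which is why the check keys on the binary rather than the full command. The fix for a flagged rule is to grant a purpose-built wrapper script owned by root instead of the general-purpose tool, or to route the task through a service account that never needs sudo at all.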

Running this option gives us root!

Searching the root directory, we find root.txt!