TryHackMe — CCT2019
Now, to think like the attacker: from www-data, how did they become root?
You check the system cron jobs (cat /etc/crontab) and spot an odd entry:
```
* * * * * root /home/elf/backup.sh
```
The backup.sh script is writable by the elf group, even though cron runs it as root. The attacker replaced its content with:
```bash
#!/bin/bash
chmod u+s /bin/bash
```
After one minute, /bin/bash had the SUID bit set. Running /bin/bash -p gave a root shell.
That’s the classic writable cron script privilege escalation.
The CCT2019 room on TryHackMe is a single-machine challenge designed to simulate a vulnerable corporate server. Unlike beginner rooms that guide you with explicit instructions, this room presents a black-box environment. You are given only the machine’s IP address. From there, you must rely on your enumeration, exploitation, and post-exploitation skills to capture flags (typically stored in user.txt and root.txt).
The room simulates a small corporate environment:
Participants have only the IP address of Machine 1 initially. No credentials are provided—everything must be discovered.
| Vulnerability | Risk | Mitigation |
|---------------|------|-------------|
| Directory listing / exposed hidden files | Information disclosure (credentials, notes) | Disable directory indexing; remove comments and test files in production |
| Weak password storage (MD5) | Hash cracking | Use strong hashing algorithms (bcrypt, Argon2) |
| Reused or weak password (password123) | Easy compromise | Enforce strong password policy; use password managers |
| Writable cron script owned by a low-privileged user | Privilege escalation | Ensure cron scripts are owned by root and not writable by others |
| Possible missing input sanitization on the web login (implied, not directly exploited here) | SQLi / auth bypass | Implement parameterized queries and strong access controls |
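The writable cron script used in the privilege escalation above, and the matching mitigation row in this table, come down to one check: no job that cron runs as root may point at a script that someone other than root can modify. The following audit script is an added example, not part of the original writeup or the room. It builds a constructed sample crontab in a temporary directory (the job lines, script names and paths are assumptions made for the demo) and reports every root job whose script is group- or world-writable, not root-owned, or missing. It assumes GNU stat (-c) and checks only the first word of each command when it is an absolute path.

```sh
#!/bin/sh
# Added example: audit a crontab for root-run scripts that lower-privileged users can modify.
# Assumes GNU stat (-c). The crontab and scripts below are constructed for the demo.

# find_weak_cron_scripts CRONTAB_FILE
# For every job that cron runs as root, prints:
#   WRITABLE <mode> <script>   if the script is group- or world-writable
#   OWNER <user> <script>      if the script is not owned by root
#   MISSING <script>           if the referenced script does not exist
find_weak_cron_scripts() {
    crontab_file=$1
    # Drop comments, blank lines and VAR=value settings; the remaining lines are jobs.
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' -e '^[A-Za-z_][A-Za-z0-9_]*=' "$crontab_file" |
    while read -r min hour dom mon dow user cmd; do
        [ "$user" = root ] || continue            # only jobs that run as root matter here
        script=${cmd%% *}                         # first word of the command
        case $script in /*) ;; *) continue ;; esac   # only absolute paths are checked
        if [ ! -e "$script" ]; then
            echo "MISSING $script"
            continue
        fi
        mode=$(stat -c '%a' "$script")
        owner=$(stat -c '%U' "$script")
        other=${mode#"${mode%?}"}                 # last octal digit: others
        rest=${mode%?}
        group=${rest#"${rest%?}"}                 # second-to-last digit: group
        # The write bit is 2, so digits 2, 3, 6 and 7 mean writable.
        case $group$other in
            [2367]?|?[2367]) echo "WRITABLE $mode $script" ;;
        esac
        [ "$owner" = root ] || echo "OWNER $owner $script"
    done
}

# build_demo: creates a throwaway directory holding two scripts and a crontab that
# references them (constructed sample data). Prints the path of the crontab file.
build_demo() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\ntar czf /tmp/site.tgz /var/www\n' > "$dir/backup.sh"
    printf '#!/bin/sh\nlogrotate /etc/logrotate.conf\n' > "$dir/rotate.sh"
    chmod 775 "$dir/backup.sh"    # group-writable: the weakness described on this page
    chmod 755 "$dir/rotate.sh"    # writable by the owner only: fine
    cat > "$dir/crontab" <<EOF
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root $dir/backup.sh
0 3 * * * root $dir/rotate.sh
*/5 * * * * www-data $dir/backup.sh
EOF
    echo "$dir/crontab"
}

# Stand-alone usage: build the sample crontab and audit it.
find_weak_cron_scripts "$(build_demo)"
```

On a real host you would point find_weak_cron_scripts at /etc/crontab and at each file under /etc/cron.d; the WRITABLE line for backup.sh is the finding that the fix in the table (root-owned, mode 755 or tighter) makes disappear, while the www-data job referencing the same script is not reported because it does not run with root privileges.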
To succeed in this room, you should be comfortable with:
| Tool | Purpose |
| :--- | :--- |
| Nmap | Port scanning & service detection. |
| Gobuster / Dirb | Web directory brute-forcing. |
| Burp Suite / Curl | Intercepting/modifying web requests for SQLi or Command Inj. |
| Netcat (nc) | Reverse shell listener. |
| Python/Perl | Upgrading to a TTY shell (python3 -c 'import pty;pty.spawn("/bin/bash")'). |
| LinPEAS / LinEnum | Automated privilege escalation script (optional, but helpful). |
| John the Ripper | Cracking database password hashes. |
| GTFOBins | Web reference for SUID exploitation. |