This is the write-up for TryHackMe room named — Recovery:
This is by far the best room for me on THM and I enjoyed it a lot. Hope you will too. First, let's write down what is already given to us:
- A web-server showing some gibberish.
- A web panel to keep track of recovery process at port 1337
- SSH credentials: alex/madeline
- The malware in alex’s home directory
Our task is to repair all the damage caused by fixutil and collect the flags from the web panel running on port 1337. Let's begin.
Run Nmap first and let's see if we can find anything else:
nmap -sC -sV 10.10.72.173
Nothing new here. Also run Nmap against all ports to check whether anything else is listening:
nmap -sC -sV -p- 10.10.157.2
Also run your favorite directory busting tool in the background to check if we can find other interesting web-pages.
Now let us try to SSH to the machine with alex/madeline.
And we are greeted with a series of unending messages and no way to interact with the machine. Well, not entirely true: we can still run commands on the system, and even chain them, like:
ssh email@example.com "uname;whoami;id;pwd;ls -lrta"
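The trick above (passing the command chain as an argument to ssh so sshd executes it directly instead of handing you the flooded interactive session) is worth wrapping in a small helper, because during recovery you will run the same triage snapshot again and again to confirm each fix took. The script below is an added example written for this write-up, not part of the original post or the room; it assumes only that the target accepts the alex/madeline password and that `ssh` is on your path. The "local" mode runs the same chain on your own machine so the helper can be exercised without a target.

```shell
#!/bin/sh
# Added example (not from the original write-up): take a quick triage
# snapshot of a host whose interactive login is unusable, by running the
# command chain as an ssh remote command instead of opening a session.

# The same chain the write-up runs over ssh.
TRIAGE_CMDS='uname;whoami;id;pwd;ls -lrta'

# run_triage TARGET
#   TARGET="local"      -> run the chain on this machine (handy for testing)
#   TARGET="user@host"  -> run it over ssh as a remote command; -T asks for
#                          no pseudo-terminal, so nothing tries to open the
#                          flooded interactive shell.
run_triage() {
    target="$1"
    if [ "$target" = "local" ]; then
        sh -c "$TRIAGE_CMDS"
    else
        ssh -T "$target" "$TRIAGE_CMDS"
    fi
}

# triage_has_user OUTPUT USER
#   Sanity check on a snapshot: the 'whoami' line must be exactly USER,
#   i.e. the commands really ran as the account you expected.
triage_has_user() {
    printf '%s\n' "$1" | grep -q "^$2\$"
}

# Usage (hypothetical target placeholder, not an address from the room):
#   snapshot=$(run_triage alex@TARGET_IP)
#   triage_has_user "$snapshot" alex && echo "ran as alex"
```

Saving each snapshot to a dated file (`run_triage alex@TARGET_IP > triage-$(date +%s).txt`) gives you a before/after record of the home directory listing as you repair it, which is the evidence you want when writing up what the malware changed.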