RECOVERY-TRYHACKME

0xsanz
Mar 20, 2021

This is the write-up for the TryHackMe room named Recovery:

https://tryhackme.com/room/recovery

This is by far the best room for me on THM and I enjoyed it a lot. Hope you will too. First, let's write down what is already given to us:

  • A web server showing some gibberish.
  • A web panel on port 1337 to keep track of the recovery process.
  • SSH credentials: alex/madeline
  • The malware (fixutil) in alex's home directory

Our task is to repair all the damage caused by fixutil and collect the flags from the web panel running on port 1337. Let's begin.

Run nmap first and let's see if we can find anything else:

nmap -sC -sV 10.10.72.173

Nothing new here. Also run nmap against all ports to check whether anything else turns up:

nmap -sC -sV -p- 10.10.157.2

Also run your favorite directory-busting tool in the background to check whether there are other interesting web pages.

Now let us try to SSH to the machine with alex/madeline.

And we are greeted with a series of unending messages and no way to interact with the machine. Well, not entirely true: we can still run commands on the system, and even chain them, like:

ssh alex@10.10.72.173 "uname;whoami;id;pwd;ls -lrta"
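The same idea, turned into a small triage helper, as an added example that is not part of the original write-up: it batches read-only commands through ssh in command mode (no pseudo-tty, so the hijacked interactive shell never gets a chance to run), saves the output to a file for later diffing, and ends the batch with a marker so a truncated run is obvious. The host and user are the ones from the room; `SSH_RUNNER` is a hypothetical override so the helper can be exercised locally with `sh -c` instead of a real ssh session.

```shell
#!/bin/sh
# Added example (not from the write-up). Non-interactive SSH triage for a host
# whose login shell has been tampered with.

# The command batch, ';'-joined so every command runs even if an earlier one
# fails. Read-only: shell startup files and cron are the usual places to look
# when an interactive login misbehaves. The marker at the end proves the whole
# batch completed on the remote side.
triage_cmds() {
    printf '%s' 'uname -a; id; pwd; ls -lrta ~; \
cat ~/.bashrc ~/.profile 2>/dev/null; crontab -l 2>/dev/null; \
ls -la /etc/cron* 2>/dev/null; echo TRIAGE_DONE'
}

# run_remote HOST USER [OUTFILE]: run the batch over ssh and write the output
# (stdout and stderr) to OUTFILE, then print the file name. SSH_RUNNER is a
# hypothetical override (e.g. "sh -c") used to test the helper offline.
run_remote() {
    host=$1
    user=$2
    out=${3:-"triage_$host.txt"}
    runner=${SSH_RUNNER:-"ssh -T -o ConnectTimeout=10 $user@$host"}
    # shellcheck disable=SC2086  # runner is intentionally word-split
    $runner "$(triage_cmds)" > "$out" 2>&1
    echo "$out"
}

# Usage against the room's box (password prompt still appears once):
#   run_remote 10.10.72.173 alex
```

Compare successive output files with `diff` as you undo fixutil's changes, so you can confirm each repair actually took effect.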
