GitHub icon LinkedIn icon d="M6.667 4h18.667c1.467 0 2.667 1.2 2.667 2.667v18.667c0 1.467-1.2 2.667-2.667 2.667H6.667A2.675 2.675 0 0 1 4 25.334V6.667C4 5.2 5.2 4 6.667 4zm16.946 8.44c.64-.533 1.387-1.173 1.72-1.88-.547.28-1.2.453-1.92.547.667-.48 1.>
Writeup - Road (THM)
4 min read

Writeup - Road (THM)

Writeup - Road (THM)
Photo by Diego Jimenez / Unsplash

This is a writeup for the Road machine from the TryHackMe site.


First, let's start with a scan of our target with the following command:

nmap -sV -T4 -Pn

Two TCP ports are discovered:

  • 22/tcp : SSH port (OpenSSH 8.2p1)
  • 80/tcp : HTTP web server (Apache 2.4.41)


I start with an enumeration of the files of the website.

I find a button on the basic site page that redirects to a login page. We have the possibility to create an account, I start by doing that.

Once the account is created, I log in and see the following page:

In the edit profil section you can't modify anything except the profile picture, but after looking closer, a message indicates that only the admins can do this action... Except that we learn an important information: the email of the admin!

After some research on the site, I find another page. This page allows you to change your password. I make a password change and capture the request sent to the server with Burp.

I realize that the email of the account is sent during the validation of the form, so I try to send the request but changing my email for the admin one. The server does not return any error, so I can connect to the admin account of the site!

Now that I'm admin, I can upload a new profile picture!

So I create a PHP reverse shell with the following template:

php-reverse-shell/php-reverse-shell.php at master · pentestmonkey/php-reverse-shell
Contribute to pentestmonkey/php-reverse-shell development by creating an account on GitHub.

I upload my reverse.php file thanks to the profile image change form. No error during the upload, I just have to find where the file has been put on the server..

I look at the source code of the page to see if there would not be any information. I find the following comment:


So I go to the following address:

I now have a reverse shell and can recover the first flag.

$ cat /home/webdeveloper/user.txt

Privilege escalation

I start by running linPeas. In the result of the command I find that Mysql and MangoDB are running on the machine...

I upgrade my shell with the following command:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Then I try to connect to MySQL without success, so I test with MongoDB :

I am now in Mongo, I list the databases with the following command:

After a little exploration, I find in the backup database a table user :

I can now connect via SSH to webdeveloper. I then check if this user has SUDO authorization:

The webdeveloper user can execute the sky_backup_utility with root rights. But the most interesting thing is the tag: env_keep+=LD_PRELOAD.

After some research I found this website:

Sudo (LD_PRELOAD) (Linux Privilege Escalation) – Touhid’s Blog

Overall, it explains that it is possible to execute code before the program and that with root execution rights. So I create a bash.c file with the following content :

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {

Then I compile it with the following command:

gcc -fPIC -shared -o evil.c -nostartfiles

I can now run the program with sudo, without forgetting our code that will be executed at the beginning:

sudo LD_PRELOAD=/home/webdeveloper/ sky_backup_utility

I now have a root shell so I can get the last flag.


To patch this host I think it would be necessary to perform a number of actions:

  • Secured the password change page to prevent a user from changing the password of a user other than his own
  • Set up a verification of the upload files to the server to avoid sending PHP code or other
  • Do not store passwords in clear text in a database
  • Secure access to databases
  • Do not change SETUID bit of a program to avoid LD_PRELOAD exploit