Difficulty : Medium
Note : All of the content and images are from https://tryhackme.com/
Room : https://tryhackme.com/room/undiscoveredup
Enjoy.
Task 1 Capture the Flag
Please allow 5 minutes for this instance to fully deploy before attacking. This vm was developed in collaboration with @H0j3n, thanks to him for the foothold and privilege escalation ideas.
Please consider adding undiscovered.thm in /etc/hosts
Nmap Port Scanning :
Nmap scan report for 10.xx.xxx.xxx
Host is up (0.089s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:76:81:49:50:bb:6f:4f:06:15:cc:08:88:01:b8:f0 (RSA)
| 256 2b:39:d9:d9:b9:72:27:a9:32:25:dd:de:e4:01:ed:8b (ECDSA)
|_ 256 2a:38:ce:ea:61:82:eb:de:c4:e0:2b:55:7f:cc:13:bc (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://undiscovered.thm
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100021 1,3,4 34174/tcp6 nlockmgr
| 100021 1,3,4 36794/udp nlockmgr
| 100021 1,3,4 41722/tcp nlockmgr
| 100021 1,3,4 54052/udp6 nlockmgr
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
2049/tcp open nfs 2-4 (RPC #100003)
41722/tcp open nlockmgr 1-4 (RPC #100021)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Android 5.1 (92%), Android 7.1.1 - 7.1.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Answer the questions below
Q1.) user.txt (but it's root.txt)
# id
uid=0(root) gid=1002(leonard) groups=1002(leonard),3004(developer)
# cd /root
# ls
root.txt
# cat root.txt
_ _ _ _ _
| | | | | (_) | |
| | | |_ __ __| |_ ___ ___ _____ _____ _ __ ___ __| |
| | | | '_ \ / _` | / __|/ __/ _ \ \ / / _ \ '__/ _ \/ _` |
| |__| | | | | (_| | \__ \ (_| (_) \ V / __/ | | __/ (_| |
\____/|_| |_|\__,_|_|___/\___\___/ \_/ \___|_| \___|\__,_|
THM{8d7b7299cccd1796a61915901d0e091c}
Answer : THM{8d7b7299cccd1796a61915901d0e091c}
Q2.) What's the root user's password hash?
Answer : $6$1VMGCoHv$L3nX729XRbQB7u3rndC.8wljXP4eVYM/SbdOzT1lET54w2QVsVxHSH.qhRVRxz5Na5UyjhCfY6iv/koGQQPUB0


Thanks for reading my blog sir ;)
Lawvye