CCT2019 | TryHackMe
Example scenario:
A Python script /opt/script.py is writable by www-data and runs as root via cron or sudo.
Replace it with:
import os
os.system("chmod 777 /etc/shadow")
Wait for the cron job to fire, or run the script via sudo if NOPASSWD is set.
Then read /etc/shadow and crack passwords, or directly add a root user.
Alternative:
If /usr/bin/xxd has the SUID bit set, read /etc/shadow:
xxd /etc/shadow | xxd -r
Or, if base64 has the SUID bit set:
base64 /etc/shadow | base64 -d
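An added example, not part of the original write-up: a defender-side Python audit for the two misconfigurations above, a root-executed script that a non-root user can modify or replace, and SUID bits on xxd or base64. The function names, the trusted-UID default and the scanned directories are assumptions; POSIX ACLs are not inspected.

```python
import os
import stat

# Tools the page names as file readers when SUID; extend per local policy.
SUID_FILE_READERS = {"xxd", "base64"}

def mode_problem(st, trusted_uids=frozenset({0})):
    """Return why this stat result lets a non-root user alter the path, or None."""
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}"
    writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    # A sticky directory (e.g. /tmp) stops users replacing files they do not own.
    sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
    if writable and not sticky_dir:
        return f"group/world-writable (mode {stat.S_IMODE(st.st_mode):04o})"
    return None

def audit_root_script(path, trusted_uids=frozenset({0})):
    """Check a root-executed script and every parent directory up to /."""
    findings = []
    current = os.path.realpath(path)
    while True:
        problem = mode_problem(os.stat(current), trusted_uids)
        if problem:
            findings.append((current, problem))
        parent = os.path.dirname(current)
        if parent == current:
            return findings
        current = parent

def suid_file_readers(directories):
    """List SUID copies of the named tools found in the given directories."""
    hits = []
    for directory in directories:
        for name in sorted(SUID_FILE_READERS):
            candidate = os.path.join(directory, name)
            try:
                st = os.stat(candidate)
            except FileNotFoundError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(candidate)
    return hits

if __name__ == "__main__":
    if os.path.exists("/opt/script.py"):  # path taken from the scenario above
        for path, problem in audit_root_script("/opt/script.py"):
            print(f"{path}: {problem}")
    for path in suid_file_readers(["/usr/bin", "/bin"]):
        print(f"{path}: SUID set")
```

Any finding on the script or a parent directory means the cron or sudo entry effectively grants root to whoever holds that write access; the fix is root ownership with mode 0755 or tighter on the whole path, and removing the SUID bit from the listed tools.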
Navigating to port 80 reveals a chess-themed website—likely a tribute to the "CyberChess Tournament." There are no obvious login forms, but the URL parameters hint at template usage (e.g., ?page=index).
In certain builds of the room, port 8080 runs Jenkins with default credentials (admin:admin). From Jenkins, you can execute Groovy scripts to get a shell on the host.
The presence of two web servers indicates multiple attack surfaces. Port 80 looks like a static corporate site, while port 8080 might host a development or internal tool with weak security.
Pro Tip: Always check robots.txt, /backup, and /admin directories on both ports. Use gobuster or dirb for deeper enumeration.