[THM] Madness

Will you be consumed by Madness?



In this challenge you are given an image that is wrongly encoded; after fixing it, a hidden directory is revealed, and inside it a clue for a password.

Once you have that password, it serves as the key to extract data from the same image, and that data is a username, given in ROT13.

Finally, you have to download the image shown on the room page itself, since the user's password is hidden inside it (2 hours looking around…).

After gaining access to the machine, privileges are escalated thanks to an outdated SUID binary.

[Task 1] Flag submission

#1 user.txt

fntkg@kali:~/fuzzy-octo-guacamole/pentest/tryhackme/madness$ nmap -sC -sV -T4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-23 21:51 CEST
Nmap scan report for
Host is up (0.055s latency).
Not shown: 998 closed ports
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ac:f9:85:10:52:65:6e:17:f5:1c:34:e7:d8:64:67:b1 (RSA)
| 256 dd:8e:5a:ec:b1:95:cd:dc:4d:01:b3:fe:5f:4e:12:c1 (ECDSA)
|_ 256 e9:ed:e3:eb:58:77:3b:00:5e:3a:f5:24:d8:58:34:8e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.37 seconds

The port scan shows only 2 open ports: SSH and an Apache web server.

In the source code of the main page I find an image that seems to have something hidden, since it is not displayed correctly.

The file is a .jpg, but its first bytes are the signature of a .png. I correct it with hexeditor by overwriting the start of the file with the following bytes (the standard JFIF header of a .jpg file):

FF D8 FF E0 00 10 4A 46 49 46 00 01
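The same repair done in code rather than by hand in hexeditor, as an added example that is not part of the original writeup: detect what the magic bytes claim the file is, confirm the body still ends with a JPEG EOI marker, and re-stamp the first 12 bytes with the JFIF header above. SAMPLE_BROKEN is a constructed stand-in for thm.jpg (a PNG signature and the start of an IHDR chunk glued onto a stub JPEG body), so the block runs offline; pass two paths on the command line to repair a real file.

```python
"""Magic-byte check and JFIF header repair for a JPEG whose first bytes were
overwritten with a PNG signature.

Added example for this writeup, not the room's or the author's tooling.
SAMPLE_BROKEN is constructed: a PNG signature plus the start of an IHDR chunk,
followed by a stub JPEG body that ends in the EOI marker.
"""
import sys

PNG_SIGNATURE = bytes.fromhex("89504E470D0A1A0A")
# FF D8 (SOI)  FF E0 (APP0)  00 10 (segment length)  "JFIF\0"  01 (major version)
JFIF_HEADER = bytes.fromhex("FFD8FFE000104A4649460001")
JPEG_EOI = b"\xff\xd9"

SIGNATURES = {
    "png": PNG_SIGNATURE,
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF",
}


def detect_format(data: bytes) -> str:
    """Name the format implied by the leading magic bytes, or 'unknown'."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def looks_like_jpeg_body(data: bytes) -> bool:
    """A JPEG ends with the EOI marker FF D9. If the header says PNG but the
    trailer is a JPEG EOI, only the header was tampered with."""
    return data.endswith(JPEG_EOI)


def fix_jpeg_header(data: bytes) -> bytes:
    """Overwrite the first 12 bytes with a standard JFIF header.

    Only SOI, the APP0 marker, its length and the "JFIF" tag must be exact;
    the rest of the APP0 body (density, thumbnail size) can keep whatever
    bytes were there, decoders tolerate that. The image data is untouched."""
    if len(data) < len(JFIF_HEADER):
        raise ValueError("file too short to be a JPEG")
    return JFIF_HEADER + data[len(JFIF_HEADER):]


def repair_file(src: str, dst: str) -> str:
    """Read src, re-stamp the header, write dst, return the format dst now claims."""
    with open(src, "rb") as f:
        data = f.read()
    fixed = fix_jpeg_header(data)
    with open(dst, "wb") as f:
        f.write(fixed)
    return detect_format(fixed)


# Constructed sample: 8-byte PNG signature + start of an IHDR chunk (8 bytes),
# then a stub JPEG DQT segment and the EOI marker.
SAMPLE_BROKEN = (
    PNG_SIGNATURE
    + b"\x00\x00\x00\x0dIHDR"
    + b"\xff\xdb\x00\x43" + bytes(65)
    + JPEG_EOI
)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            print("before:", detect_format(f.read()))
        print("after: ", repair_file(sys.argv[1], sys.argv[2]))
    else:
        print("sample before:", detect_format(SAMPLE_BROKEN))
        print("sample after: ", detect_format(fix_jpeg_header(SAMPLE_BROKEN)))
```

The trailer check is the cheap sanity test to do before patching anything: if the file did not end in FF D9 the problem would be more than a swapped header, and blindly stamping a JFIF header onto it would only hide that.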

Once the image is displayed correctly, it reveals a hidden directory on the server.


The web page seems to ask for a password; after spending a long time with Burp Suite I realize that the password can be passed through a parameter in the URL, such as:


In the source code of the page I found, there is a comment saying that the password is a number between 0 and 99,

so I write a script that launches 100 requests to the web page with the 100 possible passwords.
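An added example of that brute force, not the author's script: it requests every value from 0 to 99 and reports the value whose response differs from the one all the wrong guesses share, so you do not need to know the failure text in advance. The parameter name "secret", the base URL and the demo page text are assumptions (the page does not show the real parameter name); the request function is injected, so the search runs offline against demo_fetch() and uses fetch_http() against a real target.

```python
"""Brute-force a numeric URL parameter over the range 0-99.

Added example, not the writeup's own script. The parameter name "secret",
DEMO_SECRET and the demo page text are assumptions for the offline demo.
"""
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable, Iterable, List


def build_url(base_url: str, param: str, value: int) -> str:
    """Append param=value, URL-encoded, keeping any query string already present."""
    query = urllib.parse.urlencode({param: value})
    sep = "&" if urllib.parse.urlparse(base_url).query else "?"
    return f"{base_url}{sep}{query}"


def fetch_http(url: str, timeout: float = 5.0) -> str:
    """Plain GET with the response body decoded as text."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def brute_force(base_url: str, param: str,
                fetch: Callable[[str], str],
                values: Iterable[int] = range(100)) -> List[int]:
    """Request every candidate and return the values whose response body
    differs from the most common body. Wrong guesses all render the same
    page, so the correct one is the odd one out."""
    bodies = {v: fetch(build_url(base_url, param, v)) for v in values}
    if not bodies:
        return []
    common_body, _ = Counter(bodies.values()).most_common(1)[0]
    return [v for v, body in bodies.items() if body != common_body]


# Constructed stand-in for the hidden page so the block runs offline.
DEMO_SECRET = 73  # assumed value for the demo only


def demo_fetch(url: str) -> str:
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    guess = params.get("secret", [""])[0]
    if guess == str(DEMO_SECRET):
        return "<p>Correct. Here is the next clue.</p>"
    return "<p>That is not the password.</p>"


if __name__ == "__main__":
    print("demo hits:", brute_force("http://example.test/hidden/", "secret", demo_fetch))
    # Real use (assumed URL and parameter name):
    # print(brute_force("http://10.10.10.10/hidden/", "secret", fetch_http))
```

One caveat for real targets: if the page embeds something that changes per request (a timestamp, a CSRF token), every body is unique and the odd-one-out comparison breaks; in that case strip the changing part before comparing, or compare status code and body length instead.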

Password found:


Once inside, I find a password:


Now I can extract data from the initially downloaded image:

fntkg@kali:~/fuzzy-octo-guacamole/pentest/tryhackme/madness$ steghide extract -sf thm.jpg
Enter passphrase:
wrote extracted data to "hidden.txt".
fntkg@kali:~/fuzzy-octo-guacamole/pentest/tryhackme/madness$ cat hidden.txt
Fine you found the password!
Here's a username wbxre
I did't say I would make it easy for you!

I read the clue given in the room, which said the username was ROTten, so I passed the name through ROT13 and the following user came out:


From here on I was banging my head against a wall for a long time, because I needed a password, until someone told me to look at the image that appears on the room page itself, so I downloaded it and extracted a password from it!

fntkg@kali:~/fuzzy-octo-guacamole/pentest/tryhackme/madness$ steghide extract -sf 5iW7kC8.jpg
Enter passphrase:
wrote extracted data to "password.txt".
fntkg@kali:~/fuzzy-octo-guacamole/pentest/tryhackme/madness$ cat password.txt
I didn't think you'd find me! Congratulations!
Here take my password
*axA&GF8dP

Retrieved credentials:


With these I can SSH into the remote machine:


#2 root.txt

Once inside the machine, I do some manual enumeration and notice that the binary screen-4.5.0 has the SUID bit set and is owned by root, and that it is a command I have not seen much.

So I search the internet a bit and find the following bash script that allows a very simple privilege escalation:


I download the code, run it, and that's it: I'm root.
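The enumeration step itself, as an added example rather than anything from the writeup: walk the filesystem without following symlinks and list regular files with the set-uid bit (optionally set-gid too), filtered to root-owned ones by default, since those are the ones worth a second look. make_demo_tree() builds a constructed temp directory with one set-uid file so the walker can be checked offline; in real use run it against "/" and pay attention to unusual or version-stamped names like screen-4.5.0.

```python
"""Find set-uid (and optionally set-gid) files under a directory tree.

Added example, not the room's tooling. make_demo_tree() is a constructed
fixture: a temp directory holding one plain file and one set-uid file.
"""
import os
import stat
import sys
import tempfile
from typing import List, Tuple


def is_suid(mode: int, uid: int, root_owned_only: bool = True,
            include_sgid: bool = False) -> bool:
    """Decide from st_mode / st_uid whether a regular file is interesting."""
    if not stat.S_ISREG(mode):
        return False
    special = stat.S_ISUID | (stat.S_ISGID if include_sgid else 0)
    if not mode & special:
        return False
    return uid == 0 or not root_owned_only


def find_suid(root: str, root_owned_only: bool = True,
              include_sgid: bool = False) -> List[str]:
    """Walk root (not following symlinks) and return matching paths, sorted.
    Unreadable directories are skipped instead of aborting the walk."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink to a SUID file is not itself SUID
            except OSError:
                continue
            if is_suid(st.st_mode, st.st_uid, root_owned_only, include_sgid):
                hits.append(path)
    return sorted(hits)


def describe(path: str) -> str:
    """ls-style mode string plus owner uid, e.g. '-rwsr-xr-x uid=0 /usr/bin/screen-4.5.0'."""
    st = os.lstat(path)
    return f"{stat.filemode(st.st_mode)} uid={st.st_uid} {path}"


def make_demo_tree() -> Tuple[str, str]:
    """Constructed fixture: returns (base_dir, path_of_setuid_file)."""
    base = tempfile.mkdtemp(prefix="suid-demo-")
    plain = os.path.join(base, "plain")
    suid = os.path.join(base, "bin", "screen-demo")
    os.makedirs(os.path.dirname(suid))
    for p in (plain, suid):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\n")
    os.chmod(plain, 0o755)
    os.chmod(suid, 0o4755)  # rwsr-xr-x
    return base, suid


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for path in find_suid(root):
        print(describe(path))
```

The demo file is owned by whoever runs the script, so it only shows up with root_owned_only=False; on a real box keep the default and review every root-owned hit, comparing the version in the file name against what the distribution normally ships.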


Computer Science student. Capture the flag player.