Road – Walkthrough En | TryHackMe – Write-up

Inspired by a real-world pentesting engagement

Road is a medium difficulty CTF from TryHackMe. It is a very well done CTF both on the web part with a Broken Access Control and on the privilege escalation with LD_PRELOAD.

Buy Me a Coffee


Command :

nmap -T5 -p-


Two ports are present. SSH on port 22 and a website on port 80. Port 22 is probably useless, you have to go directly to the enumeration on the website.

Web enumeration

Command :

dirsearch -u -x 403


Website access:

It’s basically a simple visit to see what the website looks like and see what we can do.

As it is possible to create an account, you might as well make one…

Accès au compte user

Once the account is created, you have to look at what options the user has the right to modify.

The user can do two things, change their password and upload a profile picture.

It is important to look everywhere. In particular, the note indicating that only the admin can access this function.

Broken access control

The only option the user ultimately has is to change their password. We are therefore going to change it but by intercepting the request with noise.

The following screenshot shows the password change on the browser side:

The following screenshot shows the password change on the BurpSuite side (once the request has been intercepted).

The request shows us three elements:

  • email address,
  • new password,
  • confirmation.

As long as we know the email address of the admin account admin@sky.thm why not put it in place of ours.

Photo change

Once the modified request has been forwarded, it is possible to access the admin account.

Changement de photo

If we come back to the note, only the admin can modify his profile picture.

We will directly upload a shell in PHPsee if there is filtering at the level of extensions.


No problem, the file is saved. A message appears very furtively « image saved« 


Where is the picture ?

The only problem to be solved is to find where the file is to be saved …

The answer can be found in the source code of the page. At the bottom

<! – / v2 / profileimages / ->


Initial foothold

Direct access to the URL is not possible.

Directory listing is disabled

This is not a problem. just try to access our payload directly

With a netcat listening, we get a reverse shell.


Lateral movement: www-data to webdeveloper.

Listing with linpeas does not give important information. It appears that the netstat command was not executed. In fact, netstat is not installed on the machine. Instead, we can use ss

Command : 

ss -atur

There are several ports that are listening, including port 27017. It corresponds to MongoDB


Connection to mongdb

Command to connect on DB :


Command to check databases :

show dbs

Command to select a db :


Command to see tables :

show collection

Command to display the contents :

db.collection .find ()


Escalation of privilege.

Once on the webdeveloper account, you have to do this command. It remains one of the first orders to be made … if not the 1st

Command :

sudo -l


The escalation of privilege is very well thought out. You must use the two information that is displayed. LD_PRELOAD and /usr/bin/sky_backup_utility.

The binary allows you to make backups with root rights. LD_PRELOAD allows you to load shared libraries when a program is loaded. In general, you must have SUDO rights.

So if we create a shared library to run sky_backup_utility with the sudo command, we could have root access if our share library refers to a root shell?

Creation of the payload

Command :

vim shell.c

copy this inside:

void _init () {
 unsetenv ("LD_PRELOAD");
 setgid (0);
 setuid (0);
 system ("/ bin / bash");

Command to compile :

gcc -fPIC -shared -o shell.c -nostartfiles

If any warnings appear of no importance. Note that the compilation can be performed on the target machine or on kali.

From Kali to transfer the file with setting up a web server: 

python3 -m http.server

Command to download on host :


Final command to root the box :

sudo LD_PRELOAD = / tmp / / usr / bin / sky_backup_utility



That’s all folks

Thank you for taking the trouble to come to the site to read this Write Up

Hope he got you more and taught you new things.

Please feel free to leave a comment or share this article.