This is a walkthrough of the Lockdown CTF room on TryHackMe. In this room we need to gain initial access to the target through a web application, Coronavirus Contact Tracer. Tools and techniques used: nmap, Burp Suite, PHP reverse shell, sqlmap, mysql, privilege escalation.
Link to the room: https://tryhackme.com/room/lockdown
Nmap scan results:
2 ports are open: SSH is running on port 22, and HTTP on port 80.
http://contacttracer.thm/login.php. To be able to visit the page I added the domain to
On the login page there was a link ‘Go to Admin Panel’ that pointed to
I tried a couple of default credentials, but none of them worked. However, I was able to log in with a basic SQL injection. In the username field I entered:
' OR 1=1 -- -
I clicked login and I found myself logged in to the dashboard as Administrator.
When I checked the different features of the web app, I found a few ways to upload files:
- Upload avatar on the user page (http://contacttracer.thm/admin/?page=user)
- Upload image while editing an entry on the People page (http://contacttracer.thm/admin/?page=people)
- Upload image while editing an entry on the Establishment page (http://contacttracer.thm/admin/?page=establishment)
I was able to upload a PHP reverse shell, but I did not know where the file was uploaded.
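As an added defensive check (not part of the original walkthrough or the Contact Tracer app), the bash audit below walks an upload directory and flags files with image extensions that either lack a JPEG/PNG/GIF signature or contain a PHP open tag, which is what a PHP reverse shell uploaded as an avatar or establishment image looks like on disk. The directory path is an argument because it is deployment-specific; polyglots (valid image header followed by PHP) are caught by the tag check.

```shell
#!/bin/bash
# Audit an upload directory for "images" that are really PHP.
# Added example; the upload path is deployment-specific and passed as an argument.

# is_image_magic FILE: returns 0 when the first bytes are a JPEG, PNG or GIF signature
is_image_magic() {
    local sig
    sig=$(head -c 8 "$1" | od -An -t x1 | tr -d ' \n')
    case "$sig" in
        ffd8ff*)                        return 0 ;;   # JPEG (FF D8 FF)
        89504e470d0a1a0a)               return 0 ;;   # PNG
        474946383761* | 474946383961*)  return 0 ;;   # GIF87a / GIF89a
    esac
    return 1
}

# has_php_tag FILE: returns 0 when the body contains a PHP open tag anywhere,
# which also catches polyglots that start with a valid image header
has_php_tag() {
    grep -qaE '<\?php|<\?=' "$1"
}

# find_disguised_php DIR: prints "SUSPECT: path" for every image-named file that
# fails the signature check or carries a PHP tag; returns 1 if any was found, else 0
find_disguised_php() {
    local dir="$1" suspects
    suspects=$(find "$dir" -type f \( -iname '*.jpg' -o -iname '*.jpeg' \
                                     -o -iname '*.png' -o -iname '*.gif' \) -print |
        while IFS= read -r f; do
            if ! is_image_magic "$f" || has_php_tag "$f"; then
                echo "SUSPECT: $f"
            fi
        done)
    [ -n "$suspects" ] || return 0          # clean directory
    printf '%s\n' "$suspects"
    return 1
}
```

Run it as `find_disguised_php /path/to/uploads` from a cron job or after each upload; a non-zero exit means at least one suspect was printed.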
Later I checked the login form further with sqlmap. I intercepted a login request via Burp Suite and saved it in a file named login_request.txt.
Then I used that saved request as input for sqlmap. First I tried to find the name of the database:
sqlmap -r login_request.txt --current-db
The username parameter was vulnerable to time-based blind SQL injection. sqlmap successfully enumerated the name of the database, cts_db.
Then I ran the following command to get the list of tables:
sqlmap -r login_request.txt -D cts_db --tables
Tables found: barangay_list, city_list, establishment, people, state_list, system_info, tracks, users.
I dumped the users table first. It contained the password hash for the admin user of the web application. But it was useless, because I was already logged in as Administrator. Also, password login was not allowed for SSH, so I was not able to brute-force login credentials.
I uploaded my reverse shell as an image while editing an establishment, so I dumped that table next.
sqlmap -r login_request.txt -D cts_db -T establishment --dump
The table contained the path of the uploaded file. With that information, I was able to trigger a reverse shell. That is what I needed to get initial access to the target.
Now I had a shell as the www-data user on the target. I checked for other users and found home directories for cyrus and maxine, but www-data had no permissions on them.
Then I checked for configuration files in the root directory of the web server. I found credentials in
$dev_data = array('id'=>'-1','firstname'=>'Developer','lastname'=>'','username'=>'dev_oretnom','password'=>'5da283a2d990e8d8512cf967df5bc0d0','last_login'=>'','date_updated'=>'','date_added'=>'');
I was not able to crack the password hash. These credentials are probably useless for this room.
Then I also found the database credentials in
This password was also not working for any of the Linux users. Then I connected to the database and checked all the tables.
There was another password hash in the users table (I also dumped this table earlier with sqlmap).
The cyrus user had sudo rights to run /opt/scan/scan.sh as root.
The scan.sh script (the if/then/else/fi structure is restored here; the body is as found on the target):
#!/bin/bash
read -p "Enter path: " TARGET
if [[ -e "$TARGET" && -r "$TARGET" ]]
then
    # scan the file as root; infected files are copied into cyrus's quarantine
    /usr/bin/clamscan "$TARGET" --copy=/home/cyrus/quarantine
    # hand the whole quarantine directory over to cyrus
    /bin/chown -R cyrus:cyrus /home/cyrus/quarantine
else
    echo "Invalid or inaccessible path."
fi
The script reads a file path from user input. If the file exists and is readable:
- clamscan scans the file. If it is flagged as infected, the file is copied to /home/cyrus/quarantine
- The owner of the /home/cyrus/quarantine directory and everything in it is changed to cyrus
So, if we could ‘trick’ clamscan into flagging every file as infected, we could copy any file (including files only root can read, since the script runs as root) to /home/cyrus/quarantine and read it.
I checked the documentation of ClamAV and found the following at https://docs.clamav.net/manual/Signatures.html
So YARA rules can be added to the database directory. By adding rules, we can influence which files clamscan flags as infected. I found the location of the database directory in the config file:
cyrus@lockdown:~$ grep DatabaseDirectory /etc/clamav/freshclam.conf
To create a YARA rule I checked this page in the documentation: https://docs.clamav.net/manual/Signatures/YaraRules.html
I created the /var/lib/clamav/myrule.yara file with the following rule in it:
rule any_file   // rule name is not shown on the page; any identifier works
{
    strings:
        $abc = "abc"
    condition:
        ($abc or not $abc) and filesize > 0
}
This rule flags any non-empty file as infected, so I was able to read the root flag from /root/root.txt.
[Extra] Gaining root shell
After getting the root flag I also tried to gain a root shell on the target. For that I used scan.sh again to copy the shadow file into the quarantine directory.
I put the password hash of maxine into a file and cracked the password using hashcat.
I switched to the maxine user with the cracked password. Maxine could run any command as root via sudo.
I enjoyed playing the Lockdown room on TryHackMe. It required several tools and techniques to root the machine. There might be other ways to root it as well; for example, I did not use the SSH service at all.
The target VM was running a web application called Coronavirus Contact Tracer. The admin login page of the app was vulnerable to SQL injection. I used this vulnerability to log in as the Administrator user, and also to dump data from the database. Logged in as Administrator, I found 3 places where I was able to upload files. I uploaded a PHP reverse shell and gained initial access to the target.
Then I checked the files in the web server's root directory. I found the database configuration file that contained the database credentials. From the DB I retrieved the password hash of the admin user and cracked the password on crackstation.net. With the discovered password I was able to switch to the cyrus user and get the user flag. This user had the privilege to run a shell script as root. By exploiting this script I could read the root flag as well.
Using the same exploit, I could also read the shadow file and retrieve the password hash of the other user, maxine. I cracked the password using hashcat and switched to maxine user. This user could run any command as root with sudo, so I gained root access on the target.