Skip to content

Tryhackme - Nerdherd Room WriteUp

Tryhackme3 min read


Nerdherd is an easy/medium category room developed by 0xpr0N3rd . You can check out the room here. Let's get started.

As usual , first nmap it .

nmap -sC -sV -v -oA nmap/initial IP

221/tcp open ftp vsftpd 3.0.3
3| ftp-anon: Anonymous FTP login allowed (FTP code 230)
4|_drwxr-xr-x 3 ftp ftp 4096 Sep 11 03:45 pub
5| ftp-syst:
6| STAT:
7| FTP server status:
8| Connected to ::ffff:
9| Logged in as ftp
11| No session bandwidth limit
12| Session timeout in seconds is 300
13| Control connection is plain text
14| Data connections will be plain text
15| At session startup, client count was 5
16| vsFTPd 3.0.3 - secure, fast, stable
17|_End of status
1822/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
19| ssh-hostkey:
20| 2048 0c:84:1b:36:b2:a2:e1:11:dd:6a:ef:42:7b:0d:bb:43 (RSA)
21| 256 e2:5d:9e:e7:28:ea:d3:dd:d4:cc:20:86:a3:df:23:b8 (ECDSA)
22|_ 256 ec:be:23:7b:a9:4c:21:85:bc:a8:db:0e:7c:39:de:49 (ED25519)
23139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
24445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
25Service Info: Host: NERDHERD; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
27Host script results:
28|_clock-skew: mean: -39m14s, deviation: 1h09m16s, median: 44s
29| nbstat: NetBIOS name: NERDHERD, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
30| Names:
31| NERDHERD<00> Flags: <unique><active>
32| NERDHERD<03> Flags: <unique><active>
33| NERDHERD<20> Flags: <unique><active>
34| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
35| WORKGROUP<00> Flags: <group><active>
36| WORKGROUP<1d> Flags: <unique><active>
37|_ WORKGROUP<1e> Flags: <group><active>
38| smb-os-discovery:
39| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
40| Computer name: nerdherd
41| NetBIOS computer name: NERDHERD\x00
42| Domain name: \x00
43| FQDN: nerdherd
44|_ System time: 2020-12-20T15:06:08+02:00
45| smb-security-mode:
46| account_used: guest
47| authentication_level: user
48| challenge_response: supported
49|_ message_signing: disabled (dangerous, but default)
50| smb2-security-mode:
51| 2.02:
52|_ Message signing enabled but not required
53| smb2-time:
54| date: 2020-12-20T13:06:09
55|_ start_date: N/A

Again the JUICY anonymous FTP . Let's check it out .


We have a PNG and a hidden directory which contains a file hellon3rd.txt . Let's get down on the PNG .

Ran strings , nothing ! Ran exiftool , ummm something weird !


The owner name is a bit weird , I mean maybe it is just a random text but then again why would you put it here . Let us put this in UMMMM box and go on for now. The file hellon3rd.txt says

all you need is in the leet

Now, honestly I had no idea what the F*** it meant . It took me hours of random stuff , a bit of SCREAMING and a little crying , after which I figured out this is referring to the leet port (1337). I could have just done a full port nmap scan , but then I am lazy !

OK , so let's go to port 1337 and we have a ubuntu default page . With two silly alert messages , just to mess with you ! Cheap Thrills , Duhh!

msg1 msg2

The second one inspires you , though xD . So , I looked through the source code to see if the creator REALLLY left something. And indeed he did . We have a youtube link which takes us to the song Surfin Bird By Trashmen . Now at first , I thought this is a rabbit hole which was again a bit weird because normally for that we have Rick Astley . So , again let us put this in UMMM box and go on , we still have samba left.

We have port 139 and 445 open , so let's see if we have some juicy stuff. To see the available shares , we use the

smbclient -L IP_ADDR

hoping that NULL SMB sessions are allowed and indeed they are !


We see nerdherd_classified , this seems interesting . So we try to list the share by using

smbclient //IP/nerdherd_classified

but we get NT_STATUS_ACCESS_DENIED which means we have to find credentials for accessing it .

We can find out the users in the domain using the enum4linux tool (or the rpcclient but enum4linux is kinda comprehensive ,so yeah!) . So I fired up

enum4linux -a IP

and we have a user .


Okay , now we have a user chuck , so the next step I tried was to brute the SSH login using hydra . I let it run for some time , but there was nothing . Now , seriously , WTF should I do . Let's go back to our UMMM box . We have a weird owner name and a youtube song link. What we need is a password for user chuck . Connect The Dots bruh . Maybe , the weird owner name is a cipher . Ahann ! I checked it on my favourite tool Boxentriq and it turns out it is a vignere cipher . Now , vignere cipher needs a key to decode , that's where the song comes in . Okay, at this point , I wanna say that it gets just too guessy here , so if it helps , SCREAM ! The lyrics of the song are


We need a key right ! And we have lyrics right ! So , I mean GUESSS ! There is this word repeating again and again in the lyrics birdistheword .We use this as the key and we have decoded the cipher . We get the password .

Okay , we can list the nerdherd_classified now . We see a file secr3t.txt in the share . I downloaded the file in my machine and it gives us a secret directory to look at . Upon visiting this directory , we get chuck's SSH creds.

We ssh as chuck and we get our USER flag .


Priv Esc Time

Start a python server in your machine and get that linpeas down in the victim's machine . I fire up linpeas and I saw a kernel exploit vector for 4.4.0-31-generic , But who does kernel exploit , they break stuff . Moving on , there is nothing interesting in rest of the linpeas output. So , should we do kernel exploit. Naah , I will do manual enum . I checked out www dir , and it has some base64 creds somewhere inside which was a rabbithole . Sooooo ,let's do a kernel exploit .

Search for 4.4.0-31-generic kernel exploit and you will get a lot of stuff that can break the machine for you . At first I tried , this exploit , it works though , gives you a shell and then breaks the machine . Then after a lot of staring and trying , I got this one.

It is stable . It is a kernel exploit and it doesn't break the machine , be like this exploit xD .


So , now we go the usual location where root flag lives , /root/root.txt and we see , the flag isn't there . Woah ! Cheap Thrills man !

find / -type f -name root.txt 2>/dev/null

and we see the location /opt/.root.txt . We got the stuff.


We should be done but there is one bonus flag too ! Cheap Thrills again ! As it could be anywhere and I won't scan the entire file system AFTER I got root flag , I looked at the hint , it says Brings back so many memories , So I looked at the bash_history file (I am lying ,I looked at ton of stuff before stumbling upon this) and it has the bonus flag . And We are Done !!


Hope you learned something new . Thanks for reading and as always

See ya later!

© 2021 by Jatin Malik. All rights reserved.