THM Shrek King-Of-the-Hill Box

June 15, 2025
Privilege Escalation CTFs and Methodology TryHackMe Walkthrough

This is my notes/how I got root on the Shrek KOTH box. Not a complete walkthrough, just the first way I discovered to get root.

nmap scan
"Nmap Service detection scan"
root@ip-10-10-212-181:~# nmap -sV 10.10.147.211 Starting Nmap 7.80 ( [https://nmap.org](https://nmap.org/) ) at 2025-06-15 01:39 BST NSOCK ERROR [87.5710s] mksock_bind_addr(): Bind to 0.0.0.0:389 failed (IOD #11): Address already in use (98) Nmap scan report for 10.10.147.211 Host is up (0.00015s latency). Not shown: 993 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.2 22/tcp open ssh OpenSSH 7.4 (protocol 2.0) 80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/7.1.33) 3306/tcp open mysql MySQL (unauthorized) 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 9999/tcp open abyss? 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port9999-TCP:V=7.80%I=7%D=6/15%Time=684E165C%P=x86_64-pc-linux-gnu%r(Ge SF:tRequest,B8,"HTTP/1\.0\x20200\x20OK\r\nAccept-Ranges:\x20bytes\r\nConte SF:nt-Length:\x200\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nLas SF:t-Modified:\x20Thu,\x2012\x20Mar\x202020\x2008:24:13\x20GMT\r\nDate:\x2 SF:0Sun,\x2015\x20Jun\x202025\x2000:39:54\x20GMT\r\n\r\n")%r(HTTPOptions,B SF:8,"HTTP/1\.0\x20200\x20OK\r\nAccept-Ranges:\x20bytes\r\nContent-Length: SF:\x200\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nLast-Modified SF::\x20Thu,\x2012\x20Mar\x202020\x2008:24:13\x20GMT\r\nDate:\x20Sun,\x201 SF:5\x20Jun\x202025\x2000:39:54\x20GMT\r\n\r\n")%r(FourOhFourRequest,B8,"H SF:TTP/1\.0\x20200\x20OK\r\nAccept-Ranges:\x20bytes\r\nContent-Length:\x20 SF:0\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nLast-Modified:\x2 SF:0Thu,\x2012\x20Mar\x202020\x2008:24:13\x20GMT\r\nDate:\x20Sun,\x2015\x2 SF:0Jun\x202025\x2000:39:54\x20GMT\r\n\r\n")%r(GenericLines,67,"HTTP/1\.1\ SF:x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf SF:-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(RTSPRequest SF:,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain; SF:\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request" SF:)%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20tex SF:t/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20 SF:Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCon SF:tent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\ SF:r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\.1\x20400\ SF:x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nC SF:onnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSessionReq,67," SF:HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20c SF:harset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(K SF:erberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text SF:/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20R SF:equest")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent- SF:Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n40 SF:0\x20Bad\x20Request"); MAC Address: 02:4C:68:A5:C0:AD (Unknown) Service Info: OS: Unix Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 88.62 seconds root@ip-10-10-212-181:~#