TryHackMe: Looking Glass

Step through the looking glass. A sequel to the Wonderland challenge room.


Let’s do nmap first and see what do we get.

There are thousands port are open within range of 9000 to 14000

Port 22

Since there are thousands of ports are open and all of these are ssh. Let's try manual first instead of doing the automation script. When we ssh to a port there is two outputs that we will get which Higher and Lower.


After some time we will know that this is mirrored. Which if the output is Lower that means you need to get a higher port. If the output is Higher that means you need to get a lower port. You can try to do it manually or you can use my script that I modified :)

At first
After found

First User (Jabberwock)

Alright! Now let’s try to ssh to that port.

ssh the real port

So to decode it you can use the link at reference which to decode the Vigenere.

Enter the secret we found on that port and we get a credential. You use that and will get the first user!

Second User (tweedledum)

We got a poem, a script and of course user.txt. After a lot of enumeration, we found that there is a crontab running as user tweedledum.


Also luckily we can rewrite the And we take sudo -l, we also found out that we have permission to reboot as root.

sudo -l

It looks like a rabbit hole or not haha. But lets put our reverse shell and reboot!

Reverse Shell

Nice! We got our reverse shell and as the second user :)

Third User (tweedledee)

When we try sudo -l. We found that we can run bash as tweedledee. So let's change to tweedledee :)

Fourth User (humptydumpty)

Both tweedledee and tweedledum got the same humptydumpty.txt.


Let's try to crack it using the crack station


So only the last one we cannot crack? But with the result of password that we manage to crack give us a hint that one of these is the password. When we try one by one we cant enter to humptydumpty. After a lot of trying the last one is actually a hex :) You can try use cyberchef.


Alright, now we can su to this user :)

Fifth User (alice)

So we can read poetry.txt haha. Also if we take a look at home directory we found out that we can cd into alice but we can’t read anything. Isn’t it weird? So with curious thinking I try to ls -la /home/alice/.ssh/id_rsa and we found this!

So what can we do just ssh to alice.

ssh alice@localhost -i /home/alice/.ssh/id_rsa


In alice we found kitten.txt.

But this got me stuck for one day haha. Done linpeas and Linux Smart Enumeration but it's not showing anything good. The next day I try to manually enumerate with a sensitive file list that I have and found that in /etc/sudoers.d/ there is a file alice that we can read!

From what I know.

#User Permission
NOPASSWD: /bin/bash
=> Means that we can sudo as alice with no password to run bash

Right now our host is looking-glass. But by looking at sudo we can specify the host.


So maybe we can do it like this >.<

sudo -h ssalg-gnikool bash

Rooted! A lot of new things that we learn and add more knowledge and improve our enumeration skills. James’s room really teaches a lot haha >.< Thank you for this room feels free to use my script to find the secret port!


Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store