TryHackMe — Looking Glass Walkthrough

4 min readSep 1, 2023


This is a short guide for Looking Glass machine.

Get the IP address of the machine and perform the nmap scan.

nmap scan result

Multiple ports are opened showing service Dropbear sshd (protocol 2.0)

Lets ssh into one of them

Showing the port is higher

When connecting through ssh on port 10000, it shows higher. Lets try with smaller port number

Showing the port is lower

Trying port 9200 shows that it is lower. so the correct port is between port 9200 to 10000. Time to bruteforce.

Connected on port 9367

Using port 9367 we are in. Now it asks for secret. Looking at the above jumbled words lets try to decrypt the cipher.

Jabberwocky is poem by Lewis Carroll.

After some googling and stuff found that it was Vigenere cipher.

As vigenere cipher requires a key to decrypt, using online tool which bruteforce the key found that the key was “thealphabetcipher”.

Now using the key, lets decrypt the cipher

Decoded message

At the end of the poem there is a secret. Using the secret we are now provided with username and password.

Now login through ssh with the provided username and password.

ls into the home folder and we can see user.txt file.

The flag in user.txt is mirrored. So unmirror it to get the flag.

Then there is file which contains some code to write message to all users.

Looking into sudo -l command output we can see that the user can reboot the system.

There is a cron job where user tweedledum runs the bash script on reboot. We can leverage this and gain a reverse shell as user tweedledum as we can edit the script.

Crontab output

Edit the script and insert the reverse shell

Adding reverse shell on the script

On the local machine start a netcat listener on the specified port. Then reboot the system. When the system reboots, the script is run by user tweedledum and we get a shell as user tweedledum.

System rebooted
Got a shell as user tweedledum

Looking on the files on home folder we see a file name humptydumpty.txt which contains encrypted message.

Output of humptydumpty.txt

The message is encrypted using sha256, lets decrypt it.

Password found for user humptydumpty

Using this password we can how login as humptydumpty

Logged in as user humptydumpty

Looking into the home folder there is only a poetry.txt file which contains some texts. As we can cd into alice home directory but cannot list the directory and we have executable permission on alice directory lets see what we can do in alice directory.

lets see if we can find the id_rsa file so that we can download it and ssh as user alice using the id_rsa file.

User alice id_rsa file

As we can read the content of id_rsa file, lets download into the local machine and ssh as user alice.

Remember to change the permission of id_rsa file to 600.

Logged in as user alice using id_rsa

As we cannot sudo anything because we do not have the alice password, lets use to see if we can find something there.

As we can see that we can run /bin/bash as root with host ssalg-gnikool. Lets do it.

We have successfully got root access on the machine now.

Time to obtain the flag which is in /root directory.

Flag in root.txt file is also mirrored so unmirror it to obtain the flag.

Thank you for reading.

Twitter: Vengenace0x0




Penetration Tester | Trader/ Investor | Cyber Security Enthusiast | Bibliophile