TryHackMe - Library CTF [Writeup]


Library CTF

Reconnaissance

Nmap

Let’s start with a nmap scan.

nmap -A -v <MACHINE IP>


Nmap seems to detect two open ports, port 22 (SSH) and port 80 (HTTP). I think we should leave port 22 for a while, since we have no idea how to brute-force it yet. Let's check the HTTP port.


How about a directory attack?

Gobuster

gobuster dir -u http://remote-ip-addr/ -w /usr/share/dirb/wordlists/common.txt



Gobuster didn't return any interesting evidence except robots.txt. I think we should check that out.

User-agent rockyou? I think the wordlist rockyou.txt is a hint for the challenge. What else can we extract from the page?

We've got a username, "meliodas", as the author of the blog post. Now we have a username, rockyou.txt as a hint, and an unused SSH port. What's on your mind now? It's time to brute-force SSH with hydra.

Hydra

hydra -l meliodas -P <rockyou.txt location> ssh://<Machine IP>



We are on the right track. Log in to the SSH shell with the following command and 'iloveyou1' as the password.
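The same hydra run looks very different from the defender's side: a burst of failed password attempts for one user from one address, followed by an acceptance. The following is an added example (my own code, not part of the original writeup) that scans sshd auth.log lines for exactly that pattern. The log excerpt, the host name `library`, the source addresses and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth.log excerpt (not taken from the box): six password failures in
# ten seconds from one source, a success for the same user from that source, and one
# unrelated failure from a second address that should not alert.
SAMPLE_AUTH_LOG = """\
Jan 12 10:00:01 library sshd[1201]: Failed password for meliodas from 10.10.14.5 port 51234 ssh2
Jan 12 10:00:03 library sshd[1202]: Failed password for meliodas from 10.10.14.5 port 51235 ssh2
Jan 12 10:00:04 library sshd[1203]: Failed password for meliodas from 10.10.14.5 port 51236 ssh2
Jan 12 10:00:06 library sshd[1204]: Failed password for meliodas from 10.10.14.5 port 51237 ssh2
Jan 12 10:00:08 library sshd[1205]: Failed password for meliodas from 10.10.14.5 port 51238 ssh2
Jan 12 10:00:10 library sshd[1206]: Failed password for meliodas from 10.10.14.5 port 51239 ssh2
Jan 12 10:00:13 library sshd[1207]: Accepted password for meliodas from 10.10.14.5 port 51240 ssh2
Jan 12 10:30:00 library sshd[1300]: Failed password for invalid user admin from 10.10.14.9 port 40000 ssh2
Jan 12 10:31:00 library sshd[1301]: Accepted publickey for meliodas from 10.10.14.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_events(text):
    """Yield (timestamp, result, user, ip) for each sshd auth line that matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year; good enough for same-day windowing
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """One alert per (ip, user) pair that reaches `threshold` failures inside a sliding
    `window`. The alert keeps counting later failures and records whether a successful
    login for the same pair followed, which is the case to triage first."""
    recent = defaultdict(list)   # (ip, user) -> failure timestamps inside the window
    total = defaultdict(int)     # (ip, user) -> all failures seen
    alerts = {}
    for ts, result, user, ip in parse_events(text):
        key = (ip, user)
        if result == "Failed":
            total[key] += 1
            bucket = recent[key]
            bucket.append(ts)
            while bucket and ts - bucket[0] > window:   # slide the window forward
                bucket.pop(0)
            if key in alerts:
                alerts[key]["failures"] = total[key]
            elif len(bucket) >= threshold:
                alerts[key] = {"ip": ip, "user": user, "failures": total[key],
                               "first_seen": bucket[0], "success_after": False}
        elif key in alerts:        # an Accepted line for an already-alerting pair
            alerts[key]["success_after"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

On real systems the same logic is what fail2ban or an SSH rate limit gives you for free; the point of writing it out is to see why `success_after` matters: a burst of failures that ends in an acceptance is a compromised account, not just noise.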

User flag

ssh meliodas@<machine IP>

Now we are inside meliodas' SSH shell. Let's grab the user flag.


The user flag is now with us.

Privilege Escalation

It is time to root the machine! First and foremost, let's see which sudo commands the user can run.


The user can only use sudo python on the bak.py file.


What! We can't run Python using sudo? That's weird. What if we run Python from the /usr/bin directory?


Well, it simply works. Let's check the contents of the bak.py file.



Root flag

I guess we can't do anything with the script because it is write protected. Since we only get sudo privileges when executing bak.py with Python, how about deleting the current bak.py and creating a new file that will give us a root shell? Crazy, right? Let's try that.

rm /home/meliodas/bak.py
echo 'import pty; pty.spawn("/bin/sh")' > /home/meliodas/bak.py
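Why this works is the lesson for anyone writing sudoers rules: a rule that runs an interpreter on a script is only as strong as the script and every directory above it, and a read-only file in a directory the user owns can simply be unlinked and recreated. The following is an added audit example (my own code, not from the writeup or from TryHackMe) that parses a sudoers-style rule and reports, for each path it names, whether the invoking user could edit it or replace it. The rule text, the `demo_findings` helper and the temporary directory layout are constructed assumptions; the box's real sudoers entry is not shown on the page.

```python
import os
import re
import stat
import tempfile

# Constructed sudoers-style rule in the shape the writeup describes (assumption: the
# real entry on the box is not shown on the page).
SAMPLE_RULE = "meliodas ALL=(ALL) NOPASSWD: /usr/bin/python /home/meliodas/bak.py"

# Command part of a sudoers user spec: after '=', skip an optional (runas) list and
# any Tag: prefixes, keep the rest.
COMMAND_RE = re.compile(
    r"=\s*(?:\([^)]*\)\s*)?(?:(?:NO)?(?:PASSWD|EXEC|SETENV)\s*:\s*)*(?P<cmd>.+)$"
)


def command_paths(rule):
    """Absolute paths named in the command part of one sudoers rule, interpreter and
    script arguments alike; [] if the rule does not parse."""
    m = COMMAND_RE.search(rule)
    if not m:
        return []
    return [tok for tok in m["cmd"].split() if tok.startswith("/")]


def mode_writable_by(st, uid, gid):
    """Write permission for an *unprivileged* user, from the mode bits alone. Root is
    deliberately not special-cased: the question is what the sudo invoker can do
    before sudo grants anything."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_path(path, uid, gid):
    """Classify one sudo target for the given user:
    writable    - the file itself can be edited;
    replaceable - the parent directory allows unlink/create, so a read-only mode on
                  the file is no protection (the trick used in this writeup)."""
    finding = {"path": path, "exists": True, "writable": False, "replaceable": False}
    st = None
    try:
        st = os.lstat(path)
        finding["writable"] = mode_writable_by(st, uid, gid)
    except FileNotFoundError:
        finding["exists"] = False
    parent_st = os.stat(os.path.dirname(path) or "/")
    parent_writable = mode_writable_by(parent_st, uid, gid)
    # A sticky-bit directory (/tmp style) blocks unlinking files the user does not own.
    sticky_blocks = bool(parent_st.st_mode & stat.S_ISVTX) and st is not None and st.st_uid != uid
    finding["replaceable"] = parent_writable and not sticky_blocks
    return finding


def audit_rule(rule, uid, gid):
    """Findings for every path a rule names."""
    return [audit_path(p, uid, gid) for p in command_paths(rule)]


def is_unsafe(findings):
    """A rule is unsafe if any path it names can be edited or swapped out."""
    return any(f["writable"] or f["replaceable"] for f in findings)


def demo_findings():
    """Build two throwaway layouts and audit them: a read-only bak.py in a directory the
    user owns (the situation on the box), and the same file in a directory the user
    cannot write. Constructed for the demo; cleaned up afterwards."""
    uid, gid = os.getuid(), os.getgid()
    out = {}
    with tempfile.TemporaryDirectory() as base:
        for name, dir_mode in (("home", 0o755), ("locked", 0o555)):
            d = os.path.join(base, name)
            os.mkdir(d)
            script = os.path.join(d, "bak.py")
            with open(script, "w") as fh:
                fh.write("print('backup')\n")
            os.chmod(script, 0o444)          # write-protected, as on the box
            os.chmod(d, dir_mode)
            rule = f"meliodas ALL=(ALL) NOPASSWD: /usr/bin/python {script}"
            out[name] = audit_rule(rule, uid, gid)
            os.chmod(d, 0o755)               # let TemporaryDirectory clean up
    return out


if __name__ == "__main__":
    for layout, findings in demo_findings().items():
        print(layout, "UNSAFE" if is_unsafe(findings) else "ok", findings)
```

The fix on a real host is to keep any script referenced from sudoers root-owned in a root-owned directory (for example under /usr/local/sbin), so that neither the file nor its parent is writable by the invoking user; run the audit against every command path in `sudo -l` output for the accounts you care about.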



We can now capture the root flag.


Congratulations, you now have root on the machine.

