TryHackMe | Library Walkthrough

boot2root machine for FIT and bsides guatemala CTF

This room involves SSH brute-forcing, using a Python payload for privilege escalation, and playing around with the permissions that a low-privileged user has. This walkthrough is written as part of the Master's Certificate in CyberSecurity (Red Team) that I am pursuing from HackerU.

Reconnaissance

Run an nmap scan to list all the open ports and services. We see that we have 2 open ports (22, 80).

nmap -sS -sV <IP>

Port 80 is open, which means there should be a web page.

Checking robots.txt

It gave us a hint: rockyou.txt is a dictionary used for brute-forcing. So now we know that we might need to use brute-forcing somewhere.

Looking around, I saw a user by the name of meliodas, which might be a username for the SSH service running on port 22. Using hydra to brute-force SSH with the rockyou.txt wordlist:

hydra ssh://<IP> -l meliodas -P /usr/share/wordlists/rockyou.txt

We found the password for user meliodas: iloveyou1

Using the credentials to SSH into the machine.

Looking around, we find the first flag, i.e. user.txt

Checking the permissions we have:

sudo -l

We see that user meliodas can run a specific file called bak.py using python, but when we try to run it, it gives an error.

Checking the bak.py file, we see that it is trying to work with a ZIP file, but when I checked the file it was an empty zip file.

So I tried running a simple Python one-liner for privilege escalation, which would normally have worked easily, but here we are not allowed to run that command.

So instead of running this command explicitly in the terminal, I added it to the bak.py that we are allowed to execute. The bak.py file did not have write permissions, so we have to delete the original bak.py file, create another file with the same name, and add this payload to that file.

And VOILA!!! We can escalate to root privileges. One thing to keep in mind is that we have to give the full path to both python and bak.py, so that the command matches the entry shown by sudo -l.
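The escalation works because the sudo rule points at a script inside a directory the low-privileged user controls, so the read-only bit on bak.py protects nothing. The following audit check is an added example, not part of the original walkthrough or the room: it inspects a sudoers target and every directory above it. The trusted-owner set, the function names and the temporary-directory layout are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

TRUSTED_UIDS = {0}  # assumption: only root may control a sudo-run script


def component_issue(st, trusted_uids=TRUSTED_UIDS):
    """Return why one path component is unsafe, or None if it is fine."""
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "writable by group or others"
    return None


def audit_sudo_target(path, trusted_uids=TRUSTED_UIDS):
    """Check a sudoers target and every directory above it.

    Whoever can write to a parent directory can delete or rename the entry
    below it, so a read-only script is not enough on its own.
    """
    findings = []
    current = os.path.realpath(path)
    while True:
        issue = component_issue(os.stat(current), trusted_uids)
        if issue:
            findings.append((current, issue))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            return findings
        current = parent


def demo():
    """Constructed layout: read-only script inside a user-owned directory."""
    with tempfile.TemporaryDirectory() as home:
        home = os.path.realpath(home)
        script = os.path.join(home, "bak.py")
        with open(script, "w") as fh:
            fh.write("# placeholder\n")
        os.chmod(script, 0o444)
        # Trust only a uid that is not ours, so the outcome is the same
        # whether this runs as root or as a normal user.
        return home, audit_sudo_target(script, {os.getuid() + 1})


if __name__ == "__main__":
    for component, issue in demo()[1]:
        print(f"{component}: {issue}")
```

On a real host, call audit_sudo_target() with the default trusted set on each script path listed in sudoers; any finding means the script should move to a root-owned location such as a directory only root can write to.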


Computer Science graduate who is passionate about CyberSecurity. An IoT and Crypto enthusiast.

Prateek Parashar
