Library — TryHackMe — WriteUP
Hello. I’m Rahmos. Here is my Library — TryHackMe — WriteUP. Check it out!
First, deploy the machine and run nmap to find open ports.
nmap -A -T4 -p- -v <ip>
As port 80 (http) is open, let’s access the website first.
I’ve found the 1st username: meliodas
Scroll down and you will see 3 other usernames: root, www-data and Anonymous
It’s always good to check the page source (Ctrl+U), but I didn’t find anything in the page source. So let’s move on to finding hidden directories using gobuster:
gobuster dir -u http://<ip>:80/ -w /path-to-wordlist
As robots.txt is present, let’s read it.
The user-agent is: rockyou. So maybe it’s a hint for us to brute-force the ssh password?
I’ve also changed the user-agent to “rockyou” but nothing happened.
So now let’s brute-force the ssh password using Hydra:
hydra -l meliodas -P /path-to-rockyou.txt ssh://<ip>
I tried “meliodas” because it’s the most likely username here.
After a while, I’ve got the ssh password. Let’s log in!
Get the 1st flag:
Now let’s own root to get the final flag. First, sudo -l to check if meliodas can run sudo:
Well, meliodas can run the script bak.py as root. Let’s see what it does:
The script will create a zip file, website.zip. We cannot modify this script, but there is a way around that.
The script imports a module called “zipfile”. When Python imports this module, it searches for “zipfile.py”, which is normally found in the standard library at Lib/zipfile.py.
But if we create a file called “zipfile.py” right in meliodas’s home folder, Python won’t use the “zipfile.py” in Lib/zipfile.py anymore, but will use the “zipfile.py” in meliodas’s home folder instead! Why? Because “bak.py” is in meliodas’s home, and the directory that holds the script is the first place Python checks for “zipfile.py”.
Create “zipfile.py” in meliodas’s home with the following content:
This script will spawn a shell for us. Then run chmod +x zipfile.py to make it executable.
Then run the bak.py script as sudo:
sudo /usr/bin/python3 /home/meliodas/bak.py
Boom! Now I’m root! Get the final flag:
The end.
Explanation:
If you haven’t understood the Python script above, look here.
The script above prints out the directories Python searches for modules. As you can see, ‘’ is where the script is stored. In this situation: meliodas’s home folder. Python will first check meliodas’s home folder for the source file it needs, this time: zipfile.py. If the file doesn’t exist there, it will continue to look in /usr/lib/python2.7, … and so on until it finds zipfile.py.
Because I’ve created zipfile.py in meliodas’s home folder, Python will think it has already found the module and use it. That’s why it gave me a shell, and because I ran it with sudo, the shell will be root!
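From the defender’s side, the same search-order rule can be checked before a script is allowed in sudoers. The following is an added example, not part of the original write-up: it lists which imports of a script would be satisfied by a file sitting beside it, and whether that directory can be written to by someone other than root. The function names are hypothetical and the sample files are constructed.

```python
import ast
import os
import sys
import tempfile
from pathlib import Path

def imported_modules(script: Path) -> set:
    """Top-level names of absolute imports found anywhere in the script."""
    names = set()
    for node in ast.walk(ast.parse(script.read_text())):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names

def shadowed_imports(script: Path) -> list:
    """Imports that a file or package beside the script would satisfy first."""
    script_dir = script.resolve().parent  # the directory Python searches first
    hits = []
    for name in sorted(imported_modules(script)):
        if name in sys.builtin_module_names:
            continue  # compiled-in modules are never loaded from sys.path
        if (script_dir / f"{name}.py").is_file() or \
           (script_dir / name / "__init__.py").is_file():
            hits.append(name)
    return hits

def writable_by_non_root(st_uid: int, st_mode: int) -> bool:
    """True if the directory owner is not root or group/other may write."""
    return st_uid != 0 or bool(st_mode & 0o022)

def audit(script: Path) -> dict:
    """Summarise the import-shadowing exposure of one script."""
    st = os.stat(script.resolve().parent)
    return {"script": str(script),
            "dir_writable_by_non_root": writable_by_non_root(st.st_uid, st.st_mode),
            "shadowed_imports": shadowed_imports(script)}

if __name__ == "__main__":
    # Constructed sample: a stand-in for bak.py plus a harmless local zipfile.py.
    with tempfile.TemporaryDirectory() as home:
        script = Path(home) / "bak.py"
        script.write_text("import os\nimport zipfile\n")
        (Path(home) / "zipfile.py").write_text("# constructed placeholder\n")
        print(audit(script))
```

A script that root runs should live in a directory only root can write to; starting the interpreter in isolated mode (python3 -I) also stops Python from adding the script’s directory to the search path.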
HAPPY HACKING