Library
https://tryhackme.com/room/bsidesgtlibrary
Nmap
As port 80 is open, let's run nikto and gobuster:
Nmap reports an entry for robots.txt, and we found the following information:
At this point Gobuster has only found a /images/ directory. Before checking that out, I am not sure what User-agent: rockyou implies, so I will run Gobuster with the rockyou.txt wordlist. Usually this list is used for passwords; however, it does not hurt to run it against gobuster just in case.
The /images/ directory did not have anything outstanding inside it; however, we might be able to exploit a PUT request.
Before we do, let's check out the root directory:
We have gathered some interesting information from the comments above and a possible SSH user account, "meliodas". I am going to run Hydra against SSH, based on the fact that we have a possible user and a potential wordlist hint from the rockyou agent in /robots.txt.
I ran a quick PUT request test using Burp Suite and received the following.
No luck here, as PUT requests are not allowed. Let's check on Hydra.
Looks like Hydra has a hit. Let's test the credentials on SSH.
We managed to log in and grab the user.txt flag.
Let's check to see if we can do anything with sudo -l:
Looks like we can run python as root on the bak.py file in our current home directory. Let's see what the file does.
I ran the script as root, and all it did was create a zip file from the contents of the /var/www/html directory. Nothing interesting.
Seeing as we can run bak.py as root but are not allowed to edit the contents of the file, we can instead delete it with the rm command and create a new bak.py file with the touch command:
Now all we need to do is put a python shell command in this file. We can achieve this with either echo or nano.
Now we can run the script with the sudo command.
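As a defender's counterpart to the sudo misconfiguration above, here is an added example (my own code, not from the room or this writeup) that audits sudoers-style rules for interpreter-plus-script commands where the invoking user can write the script or, as in this room, the directory it lives in, so a read-only file can still be deleted and recreated. It assumes rules in the form user HOST=(runas) [NOPASSWD:] command, takes the audited account's uid and group ids as parameters instead of resolving names, and the temporary directory layout and the meliodas rules are constructed for the demo.

```python
import os
import re
import shutil
import stat
import tempfile
# Matches "user HOST=(runas) [NOPASSWD:] command args" (simplified sudoers grammar).
RULE_RE = re.compile(r"^(?P<user>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?:NOPASSWD:\s*)?(?P<cmd>.+)$")
INTERPRETERS = {"python", "python2", "python3", "perl", "ruby", "sh", "bash"}

def writable_by(path, uid, gids):
    """Permission-bit check for uid/gids on path; unlike os.access it does not special-case root."""
    st = os.stat(path)
    bit = stat.S_IWUSR if st.st_uid == uid else stat.S_IWGRP if st.st_gid in gids else stat.S_IWOTH
    return bool(st.st_mode & bit)

def audit_rules(rules, uid, gids):
    """Flag '<interpreter> <script>' rules whose script, or the script's directory, the user can write.
    A read-only script in a writable directory is still flagged: it can be deleted and recreated."""
    findings = []
    for line in rules:
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        argv = m.group("cmd").split()
        if len(argv) < 2 or os.path.basename(argv[0]) not in INTERPRETERS or not argv[1].startswith("/"):
            continue  # not "<interpreter> </abs/script>": out of scope for this check
        script, reasons = argv[1], []
        if os.path.exists(script) and writable_by(script, uid, gids):
            reasons.append("script is writable")
        if writable_by(os.path.dirname(script), uid, gids):
            reasons.append("parent directory is writable, script can be replaced")
        if reasons:
            findings.append((m.group("user"), script, reasons))
    return findings

def demo_scenario():
    """Constructed layout: read-only bak.py in a user-writable 'home' dir, and one in a read-only dir."""
    home = tempfile.mkdtemp()                        # owned by us, mode 0700: writable
    locked = os.path.join(home, "locked")
    os.mkdir(locked)
    for d in (home, locked):
        open(os.path.join(d, "bak.py"), "w").close()
        os.chmod(os.path.join(d, "bak.py"), 0o444)   # the file itself is not writable
    os.chmod(locked, 0o555)                          # and this directory is not writable either
    rules = [f"meliodas ALL=(ALL) NOPASSWD: /usr/bin/python {home}/bak.py",
             f"meliodas ALL=(ALL) NOPASSWD: /usr/bin/python {locked}/bak.py"]
    try:
        return audit_rules(rules, os.getuid(), os.getgroups())  # only the first rule is reported
    finally:
        os.chmod(locked, 0o755)
        shutil.rmtree(home)
```

Running demo_scenario() reports only the rule whose script sits in the writable directory, with the reason that the file can be replaced; the rule in the read-only directory passes.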