# Library

## Nmap

```
nmap 10.10.241.233 -T4 -A -p-

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to  Blog - Library Machine
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

As port 80 is open, let's run `nikto` and `gobuster`:

![nikto](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6f847b843740dc72dbdba705c65b5d41f9928656%2Fimage.png?alt=media)

![Gobuster](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-bbd8ca8f0f221cbb223a4e97e7cf2b7d89e1da01%2Fimage.png?alt=media)

Nmap reports an entry for robots.txt and we found the following information:

```
User-agent: rockyou 
Disallow: /
```

At this point Gobuster had only found an /images/ directory. Before checking that out: I am not sure what `User-agent: rockyou` implies, so I will run Gobuster with the rockyou.txt wordlist. Usually this is used for passwords; however, it does not hurt to run it with `gobuster` just in case.

The /images/ directory did not have anything outstanding inside it; however, we might be able to exploit a PUT request.

![/images/ directory](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-23241ab6e7faa55a4945b98df0d37852b11a84e3%2Fimage.png?alt=media)

Before we do, let's check out the root directory:

![comments on the root directory](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-dcc7f8a684b9f8bab79582eaaf8aab6db879a614%2Fimage.png?alt=media)

![possible user account](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-7141b5a42063ac4f8858158d29b6d6fad88979cd%2Fimage.png?alt=media)

We have gathered some interesting information from the comments above, plus a possible user account for SSH: the user "meliodas". I am going to run `Hydra` against SSH based on the fact we have a possible user and potentially a wordlist hint in the rockyou agent in /robots.txt.

I ran a quick PUT request test using Burp Suite and received the following.

![testing a HTTP PUT request with Burp](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-24ef206d42d0f6a54f64e3effcd6d5fd50f78e94%2Fimage.png?alt=media)

No luck here as PUT requests are not allowed. Let's check on Hydra.

![Hydra has been successful against SSH](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-dce2cae61ac1fb72586cd91daf5435800a1c7fc9%2Fimage.png?alt=media)

Looks like Hydra has a hit. Let's test the credentials on SSH.

![Logging in and grabbing user.txt](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-06bf8121735e535e6c029c39c9e2a5ab5f6cfc7a%2Fimage.png?alt=media)

We managed to log in and grab the user.txt flag.

Let's check to see if we can do anything with `sudo -l`:

![checking sudoers permissions](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-27248f2ac7eb75db70fa660b96cc8b52816cf323%2Fimage.png?alt=media)

Looks like we can run Python as root on the bak.py file in our current home directory. Let's see what the file does.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-05a250ec073ce13febdbe2f646209bfec6bc81c9%2Fimage.png?alt=media)

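I ran the script as root and all this did was create a zip file from the contents of the /var/www/html directory. Nothing interesting.

We can run bak.py as root but are not allowed to edit the contents of the file, so we can instead delete it with the `rm` command. This works because removing a file requires write permission on the directory that contains it (our own home directory), not on the file itself: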

```
rm /home/meliodas/bak.py
```

Create a new bak.py file with the touch command:

```
touch /home/meliodas/bak.py
```

Now all we need to do is put a Python shell command in this file. We can do this with either `echo` or `nano`.

```
echo 'import pty;pty.spawn("/bin/bash")' > /home/meliodas/bak.py
```

Now we can run the script with the sudo command.

![Grabbing the root.txt flag](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e710fd7eaf1d7caa752a616528de57774a673607%2Fimage.png?alt=media)
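
A defender-side check for the misconfiguration used above, as an added example that is not part of the original write-up: it walks from a script named in a sudo rule up to `/` and reports every component that a non-root user could replace, which is exactly why a read-only bak.py in a user-owned home directory was not safe. The function name `audit_sudo_target` and the `trusted_uids` parameter are hypothetical; the default assumes only uid 0 is trusted.

```python
import os
import stat
import sys


def audit_sudo_target(path, trusted_uids=(0,)):
    """Return (component, reason) pairs for each part of `path` that a user
    outside `trusted_uids` could modify or replace."""
    findings = []
    current = os.path.realpath(path)  # judge the real file, not a symlink to it
    while True:
        try:
            st = os.stat(current)
        except FileNotFoundError:
            st = None  # a missing target can be created by whoever owns its parent
        if st is not None:
            sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
            if st.st_uid not in trusted_uids:
                # A directory's owner can unlink and recreate any entry in it,
                # even an entry that is read-only or owned by root.
                findings.append((current, "owned by uid %d" % st.st_uid))
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
                findings.append((current, "group/world writable"))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            return findings
        current = parent


if __name__ == "__main__":
    # Default path is the script from this write-up; pass another as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/home/meliodas/bak.py"
    for component, reason in audit_sudo_target(target):
        print("REPLACEABLE: %s (%s)" % (component, reason))
```

Any finding means the sudo rule effectively grants root to whoever controls that component. Keeping the script and all of its parent directories root-owned and not writable by others clears the report.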
