Boot2root machine for FIT and BSides Guatemala CTF.
This is the write-up for the room Library on the TryHackMe website; you can access it from here.
This room involves SSH, brute-forcing, using a Python payload for privilege escalation, and playing around with the permissions that a low-privileged user has.
Before deploying the machine, make sure you have your VPN ready.
Now we will deploy the machine after the VPN is deployed.
Now that the machine is booted, we will start reconnaissance.
We run an nmap scan to list all the open ports and services.
Command :- nmap -sC -sV -p- --min-rate=10000 -oN nmap <Target_IP>
We see that we have 2 open ports: 22 (SSH) and 80 (HTTP).
This means there is a web page running on port 80.
After checking the entire blog, we found the name of the user: meliodas.
Now I tried brute-forcing the password with hydra.
Command :- hydra -l meliodas -P /usr/share/wordlists/rockyou.txt ssh://<Target_IP> -t 4
I logged in over SSH using the login and the password that was brute-forced.
Looking around, I found the first flag, i.e. user.txt.
We got the user flag, which completes the first part of our task.
user flag:- 6d488cbb3f111d135722c33cb635f4ec
Next, we check the permissions we have.
Command :- sudo -l
This checks which applications the user is allowed to run as a privileged user (root/sudo). We see that user meliodas can run a file called bak.py using python, but when I tried to run it, it gave an error and said permission was denied.
So I deleted the file and re-created it with a pty spawn using Python. Then I ran bak.py again, which gave me root privileges.
echo 'import pty; pty.spawn("/bin/sh")' > /home/meliodas/bak.py
sudo python /home/meliodas/bak.py
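Deleting the file works because removing a directory entry is governed by write permission on the directory, not on the file, so a sudo rule that points into a user-owned directory is under that user's control. The following audit check is an added example, not part of the original write-up: it flags paths allowed by sudo that the invoking user can swap out. The sudo rule text, the UIDs and the ownership table are constructed assumptions, and symlinks are not resolved.

```python
import os
import re
import stat
from collections import namedtuple

Meta = namedtuple("Meta", "st_uid st_gid st_mode")  # stand-in for os.stat_result

def controls(meta, uid, gids):
    """True if uid can modify this inode's content (or, for a directory, its entries)."""
    if meta.st_uid == uid:  # the owner can always chmod, so ownership is enough
        return True
    if meta.st_gid in gids:
        return bool(meta.st_mode & stat.S_IWGRP)
    return bool(meta.st_mode & stat.S_IWOTH)

def replaceable_by(path, uid, gids, lstat=os.lstat):
    """Return the first component that lets uid swap out absolute `path`, else None."""
    if controls(lstat(path), uid, gids):
        return path
    child = path
    while child != "/":
        parent = os.path.dirname(child)
        meta = lstat(parent)
        # A sticky directory (e.g. /tmp) only lets its owner remove other users' entries.
        protected = bool(meta.st_mode & stat.S_ISVTX) and meta.st_uid != uid
        if controls(meta, uid, gids) and not protected:
            return parent
        child = parent
    return None

def audit(sudo_l_output, uid, gids, lstat=os.lstat):
    """List (path, weak component) for every absolute path in the allowed commands."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = re.match(r"\s*\([^)]*\)\s+(?:[A-Z_]+:\s*)*(.+)", line)
        for token in (m.group(1).split() if m else []):
            if token.startswith("/"):
                weak = replaceable_by(token, uid, gids, lstat)
                if weak:
                    findings.append((token, weak))
    return findings

# Constructed sample: the rule shape and ownership are assumptions, not output from the room.
SUDO_L = "User meliodas may run the following commands on host:\n    (ALL) /usr/bin/python /home/meliodas/bak.py\n"
ROOT_DIR, ROOT_FILE = Meta(0, 0, 0o040755), Meta(0, 0, 0o100644)
TREE = {p: ROOT_DIR for p in ("/", "/usr", "/usr/bin", "/home")}
TREE["/usr/bin/python"] = Meta(0, 0, 0o100755)
TREE["/home/meliodas"] = Meta(1000, 1000, 0o040755)  # home directory owned by the user
TREE["/home/meliodas/bak.py"] = ROOT_FILE             # script itself is root-owned

if __name__ == "__main__":
    print(audit(SUDO_L, 1000, {1000}, TREE.__getitem__))
```

On a real host, pass the output of sudo -l with the user's actual UID and group IDs and leave lstat at its default; any finding means the script should live in a root-owned directory instead.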
Now we will find the root flag.
We got our root flag and completed this box successfully.
root flag:- e8c8c6c256c35515d1d344ee0488c617.