Library Tryhackme
Vrijanandan Kumar
Cyber Security Enthusiast || CTF Player || Security Researchers || Passionate about Securing the Digital World || CEH
Start the VPN you have downloaded and deploy the TryHackMe machine first. Then, ping and check the machine's connectivity. Next, run an Nmap scan to determine which ports are open and which services are operational on these ports. I will use a hostile Nmap scan. We observe that ports 22 and 80 are open.
Running Gobuster to check for hidden folders and directories.
gobuster dir -u https://IP -w /usr/share/wordlists/rockyou.txt
Reviewing the results generated by Gobuster.
The URL https://10.10.0.217/robots.txt returns the results below, which may hint at using rockyou.txt.
When we used the provided IP 10.10.0.217 as the URL in the browser, we found the author of the blog as shown below.
Assuming the user is meliodas, try a brute-force attack using the Hydra tool. The Gobuster search revealed a robots.txt file that hinted at using rockyou.txt. We will use the “rockyou.txt” dictionary to brute force the login for meliodas.
hydra -l meliodas -P /usr/share/wordlists/rockyou.txt ssh://10.10.0.217
We got the login as meliodas and password as iloveyou1 from the brute force search. Let’s try to log into the target machine with these credentials.
Now we are inside Meliodas’s SSH shell. Let’s capture the user flag. Using the ls command, we can see a list of files. We have access to the user and can see two files. We have captured the first flag!
Root flag
Now, to capture the root flag, we need root access. First, let's see what commands the user can run with sudo. The user can only use sudo with Python on the bak.py file. Let's check the permissions of bak.py and examine its contents.
cat bak.py
sudo -l
ls -la
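It seems we can't modify the script in place because it is write-protected. However, bak.py sits in the user's home directory (/home/meliodas), and deleting or creating a file depends on write permission on the containing directory, not on the file itself. Since the sudo rule lets us execute bak.py with Python as root, we can delete the existing bak.py and create a new one with the same name.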
So, let’s create a new file.
rm bak.py
touch bak.py
echo 'import pty;pty.spawn("/bin/bash")' > bak.py
sudo python /home/meliodas/bak.py
cd /root
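Seen from the defender's side, the weakness used above is a sudo rule that names a script inside a directory the user can write to. The following Python check is an added example, not part of the original write-up: the function names has_perm and user_controlled are made up for illustration, and the sample layout is constructed.

```python
import os
import stat
import tempfile


def has_perm(st, uid, gids, want):
    """Check a 3-bit rwx mask (0o2 = write, 0o3 = write+search) for uid/gids on st."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want


def user_controlled(script, uid, gids=()):
    """Return every path through which uid can change what `script` resolves to.

    The script itself counts if uid can write to it. A directory above it counts
    if uid can write and search it, because that permits unlinking or renaming
    the entry below regardless of that entry's own mode bits. A sticky directory
    only permits this for entries (or a directory) that uid owns.
    """
    child = os.path.realpath(script)
    found = [child] if has_perm(os.stat(child), uid, gids, 0o2) else []
    while os.path.dirname(child) != child:
        parent = os.path.dirname(child)
        dst, cst = os.stat(parent), os.lstat(child)
        sticky_blocks = bool(dst.st_mode & stat.S_ISVTX) and uid not in (dst.st_uid, cst.st_uid)
        if has_perm(dst, uid, gids, 0o3) and not sticky_blocks:
            found.append(parent)
        child = parent
    return found


if __name__ == "__main__":
    # Constructed layout mirroring the room: a read-only script in a directory
    # owned by the unprivileged user (stand-in for /home/meliodas/bak.py).
    home = tempfile.mkdtemp()
    script = os.path.join(home, "bak.py")
    with open(script, "w") as fh:
        fh.write("# placeholder\n")
    os.chmod(script, 0o444)
    for path in user_controlled(script, os.getuid()):
        print("controlled by uid", os.getuid(), "->", path)
```

Any path reported for a non-root user on a script named in sudoers means the rule effectively hands that user root; keeping the script in a root-owned directory that no one else can write clears the finding. The check looks at classic mode bits only and does not consider POSIX ACLs.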
Done!!!!!! Let us see the answers to the challenge questions now.
1. User flag
6d488cbb3f111d135722c33cb635f4ec
2. Root flag
e8c8c6c256c35515d1d344ee0488c617
Thank you very much for reading. I hope you find this useful. If you have any suggestions or something to add, feel free to contact me anytime.
Happy Hacking!