Jonty Bhardwaj

Jun 28, 2021

4 min read

Hello Reader, I am Jonty Bhardwaj currently enrolled in Master Certificate in Cyber Security HackerU program. Today I am here to share a writeup on a Tryhackme machine called Library.

Now first of all we will navigate to the Room URL and join it.

https://tryhackme.com/room/bsidesgtlibrary

After starting the Machine we will first connect through Open VPN and ping the machine through the IP we are given to see if the connection is established. After we are successful in pinging the machine, we will start the fun part which is Pentesting and getting root privilege.

ping 10.10.239.28

Now first we will start a Nmap scan to see what are the ports and services open on the machine.

nmap -sV -sT -T4 10.10.239.28

Now we can see that 2 ports are open and the most promising port we can gather info looks to be port 80. Lets see what’s on the website there.

http://10.10.239.28/

As you can see below there are comments posted on the website and there is a comment input form which we can fill to post comments . Maybe we can exploit this to do SQL injection .

We tried doing SQL injection but nothing was reflecting which means either there is no SQL Vulnerability or we don’t have enough access to post comments on the website.

Now we have to use gobuster to see additional hidden directories and see if we can gather some info from.

gobuster dir -u http://10.10.239.28/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 100

From above gobuster search we found only 1 webpage

http://10.10.239.28/images/

Lets navigate to webpage and see what information we can gather

On the images website too we found nothing of importance so we decided to work with what we have got and decided to read the website fully. We found a single piece of info that a person named meliodas has posted the blog on the website and has access to the website.

Lets try to bruteforce the password of the user meliodas with tool Hydra .

hydra -l meliodas -P rockyou.txt 10.10.239.28 ssh

Voila , it worked and we have got our password for the user meliodas .

Username : meliodas

Password : iloveyou1

As we have ssh port open in the machine we can login into the user and then try to escalate our privilege from there to root.

ssh meliodas@10.10.239.28

After we have successfully logged in the user, we searched for our user flag.

cat /home/meliodas/user.txt

As you can tell here We have successfully found our first flag in the main directory of user falconfeast itself. Now lets try to search some more vulnerabilities to escalate our privilege to root.

Lets see which sudo permissions this user has

sudo -l

From above we can see that we have access to a python script file. We can use this script file to obtain a root shell .

But we cannot make any change to original script file so we have to delete the script and create a new script with the same name.

rm bak.py

In this new script we are trying to import bash shell as root. So we used the command

nano bak.py

import pty; pty.spawn(“/bin/bash”)

Now we have done writing and saving the python code file, we will run this file to escalate our privilege.

sudo python3 /home/meliodas/bak.py

Once we are root we can easily find the root flag inside the root directory.

cat /root/root.txt

Here we have successfully escalated to root shell after using the exploit command and found the root flag in the root folder.

Proof of Completion

Congratulations on completing the room and reading the blog . Hope my blog helped you in your journey and made you learn something new .

Happy Hacking !!