Hello Reader, I am Jonty Bhardwaj currently enrolled in Master Certificate in Cyber Security HackerU program. Today I am here to share a writeup on a Tryhackme machine called Library.

Now first of all we will navigate to the Room URL and join it.

https://tryhackme.com/room/bsidesgtlibrary

After starting the Machine we will first connect through Open VPN and ping the machine through the IP we are given to see if the connection is established. After we are successful in pinging the machine, we will start the fun part which is Pentesting and getting root privilege.

ping 10.10.239.28

Now first we will start a Nmap scan to see what are the ports and services open on the machine.

nmap -sV -sT -T4 10.10.239.28

Now we can see that 2 ports are open and the most promising port we can gather info looks to be port 80. Lets see what’s on the website there.

http://10.10.239.28/

As you can see below there are comments posted on the website and there is a comment input form which we can fill to post comments . Maybe we can exploit this to do SQL injection .

We tried doing SQL injection but nothing was reflecting which means either there is no SQL Vulnerability or we don’t have enough access to post comments on the website.

Now we have to use gobuster to see additional hidden directories and see if we can gather some info from.

gobuster dir -u http://10.10.239.28/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 100

From above gobuster search we found only 1 webpage

http://10.10.239.28/images/

Lets navigate to webpage and see what information we can gather

On the images website too we found nothing of importance so we decided to work with what we have got and decided to read the website fully. We found a single piece of info that a person named meliodas has posted the blog on the website and has access to the website.

Lets try to bruteforce the password of the user meliodas with tool Hydra .

hydra -l meliodas -P rockyou.txt 10.10.239.28 ssh

Voila , it worked and we have got our password for the user meliodas .

Username : meliodas

Password : iloveyou1

As we have ssh port open in the machine we can login into the user and then try to escalate our privilege from there to root.

ssh meliodas@10.10.239.28

After we have successfully logged in the user, we searched for our user flag.

cat /home/meliodas/user.txt

As you can tell here We have successfully found our first flag in the main directory of user falconfeast itself. Now lets try to search some more vulnerabilities to escalate our privilege to root.

Lets see which sudo permissions this user has

sudo -l

From above we can see that we have access to a python script file. We can use this script file to obtain a root shell .

But we cannot make any change to original script file so we have to delete the script and create a new script with the same name.

rm bak.py

In this new script we are trying to import bash shell as root. So we used the command

nano bak.py

import pty; pty.spawn(“/bin/bash”)

Now we have done writing and saving the python code file, we will run this file to escalate our privilege.

sudo python3 /home/meliodas/bak.py

Once we are root we can easily find the root flag inside the root directory.

cat /root/root.txt

Here we have successfully escalated to root shell after using the exploit command and found the root flag in the root folder.

Proof of Completion

Congratulations on completing the room and reading the blog . Hope my blog helped you in your journey and made you learn something new .

Happy Hacking !!

--

--

--

Avid learner and writer trying to gain as much knowledge as possible in the domain of cyber security while sharing my learning to help other people like myself.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Get Paid To Use a Faster, More Secure Browser?

Data location in computer history

Spies Want to Make the FaceTime Eavesdropping Bug Into a Feature

{UPDATE} Offroad Monster Truck Racing Hack Free Resources Generator

The wold’s most widely used web application scanner OWASP ZAP

Malware Threats,Hoaxes and Taxonomy on Android

{UPDATE} World Plague Pandemic: Evolved Zombie Invaders Hack Free Resources Generator

The good, the bad and the ugly of Tech Communication in 2016

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Jonty Bhardwaj

Jonty Bhardwaj

Avid learner and writer trying to gain as much knowledge as possible in the domain of cyber security while sharing my learning to help other people like myself.

More from Medium

THM Anonymous Writeup

Writeup on TryHackMe (THM) Linux Privilege Escalation Capstone Challenge

Cyber Santa HTB CTF — Writeup

HTB-Frolic Writeup