TryHackMe is an online platform that teaches Cybersecurity through hands-on virtual labs. Whether you are an expert or beginner, learn through a virtual room structure to understand theoretical and practical security elements.
Library CTF is an easy CTF on TryHackMe for beginners to explore.
You have to first signup to join the room. There are few simple steps that you can follow in the Signup page. Next follow the steps in the Welcome room to configure the VPN connectivity.
I have connected to TryHackMe network using OpenVPN on Kali Linux. Once you connect, the access page will confirm the status by confirming your IP address and status.
After joining the room, deploy the machine to find the flags in user.txt and root.txt files on that machine. Click on the deploy button.
The Machine's IP Address is displayed and the time remaining is also displayed, If you are unable to capture the flags within 1 hour, you may add 1 more hour.
Note: IP addresses, flags and passwords which can play a spoiler in your TryHackMe learning experience are obfuscated in this write-up.
Once the machine is deployed we can start enumerating. Run nmap for scanning open ports and service fingerprinting.
We can see that TCP Ports 80 and 22 are open. It has revealed that the Linux OS is running on the target machine. Apache and OpenSSH services were detected.
Since port 80 is open and it is running Apache, Let us try accessing it using a browser.
Looks like a blog site. We shall explore the site like a hacker does and click on every tab and visit all the pages in the site and note down all the useful information available for us to further hack into it.
Let us continue with our enumeration. Next let us run gobuster to scan and list directories in the web server.
Most of the websites have robots.txt
Let us check what's in it using the browser. We can see the word rockyou. Note it down. It is a clue. From the word rockyou, you might have already guessed, it is a popular wordlist used for bruteforcing passwords. So next we will be using hydra to brute force.
While observing the site homepage, we had noted down few user ids who have posted on the site. They're meliodas, www-data and root.
Let us first run hydra to bruteforce password for login id meliodas on open SSH port. We had already got a clue from robots.txt on which word list to be used. Word list would be rockyou.txt
Hurray! We found the password. Login using the credentials that you found.
After logging in as user meliodas, we can explore user's home directory and see if we can find the flag.
Let us confirm if that is the flag by submitting it in the TryHackMe room.
TryHackMe verified that it is the correct answer.
We don't have privilege to view root user's directory. So we have to try Privilege Escalation methods.
Command sudo -l revealed that the user meliodas has sudo access to the file bak.py so we shall try to add a command to that script that will spawn a shell for us.
We were able to successfully add the instructions in to the script that will get us the shell.
The Privilege Escalation is successful. whoami verified that we have gained root access now. And also we could get the flag in root.txt
Let us verify the flag in TryHackMe room by answering the question.
It is the correct answer.
I hope this write-up was informative for you. Please leave a feedback. Thank you
-Srivathsa Dhanvantri
Comments