The machine can be found in TryHackme Link
I have used Nmap to find the open ports and found the port 22(SSH) and 80 (http) open.
Once i found the http open port i have visited the link the IP Address it refered to & found a username saying meliodas.
I have used Dirsearch to find the hidden directories and found the name rockyou in the robots.txt file which seems to be a clue to Brute Force.
maybe the wordlist to be used can be rockyou.txt.
dirsearch -u targetIPaddressI just assumed the username for SSH to be meliodas and started hydra over it.
hydra -l meliodas -P /usr/share/wordlists/rockyou.txt ssh://ta.rg.et.Ip// | tee password.txtThe above command will bruteforce the username password and prints it to console and also the file.
I have logged into the ssh and i got access to the meliodas user and got the user flag.
In the home directory i found 2 files user.txt-> user flag & back.py -> seems to be a backup code.
We need to have sudo privileges to directly execute the back.py.
sudo -l will return with the set of commands the user can execute using the sudo previlages.
Here in this case we have permission to execute /usr/bin/python,/home/meliodas/back.py
with sudo privileges this can be checked by,
sudo -lThe directories with NOPASSWORD mentioned can be accessible by meliodas hence running directly bak.py will not be accessed but can be executed using the following command
/usr/bin/python bak.pywill have result
now we can modify bak.py using echo to bringup the shell by,
echo 'import pty; pty.spawn("/bin/sh")' > bak.pyNow we can execute bak.py using the same command
sudo /usr/bin/python bak.pyAnd can get the root shell.
Explore how to add the user to limit the user to execute the commands with sudo privileges.
Add the /usr/share/python to your current user to execute python files with sudo privileges.
