TryHackMe | Biblioteca Writeup


Introduction

Today I will be writing about a CTF from TryHackMe which I recently completed. This CTF is called Biblioteca and is linked HERE.

Initial Scans and Enumeration

Starting off with rustscan, we see that there are two ports open on the target machine, 22 (SSH), and 8000 (HTTP).

rustscan output

Knowing that we are dealing with a webserver, we can open a browser and see what is being hosted by the webserver. Doing so takes us to a simple login page.

login page

Exploitation

Anytime I see a login page, my first thought is to try some well known credentials like “Admin:Password123”, “Admin:Pa$$w0rd!”, etc. Unfortunately this doesn’t produce any results. My next course of action after that is to try SQL injection with the sqlmap tool. sqlmap is a great tool for automating SQL injection. You can use burp suite capture an HTTP request supplying credentials to the target website, then sqlmap can take the request and use it to test for injection, as well as exploit the injection vulnerability. You can learn more about sqlmap and how to use it HERE.

After enumerating through the tables, we can dump the entire users table and get credentials to log in to the website.

sqlmap output

Successful website login

From here, I tried to enumerate subdirectories using gobuster, just to see if there was anything interesting. After letting that run for a few minutes with no results, I also tried enumerating subdomains with no success.

Now, this is something that will be very important to remember when you’re doing CTF’s; if you have valid credentials from one service like a website, an application, etc., you should keep note of that and use it when trying to log in to other services. Password reuse is a fundamental security flaw, and it is very common. Keep that in mind when doing CTF’s, because credential stuffing just might be key to your success.

Knowing that I had valid website credentials for the smokey user, I decided to use those credentials in an attempt to get an SSH session on the target machine.

Successful SSH login

Once I was logged in to SSH as smokey, I poked around to see what I could find. Unfortunately, there isn’t a whole lot that is immediately useful. There is another user named hazel, and there are two files in hazel’s home directory, user.txt and hasher.py. So we need to figure out how we can become hazel. I looked all over the place but found nothing that was getting me any closer to becoming hazel. I went to the tryhackme forums, where a hint said that hazel’s password was “very weak”. Well, lets try hazel as the password! Use “su hazel” and supply the password “hazel”. From there, you can read the user.txt file.

Privilege Escalation and Root Flag

After switching over to the hazel user, we can use “sudo -l” to view what sudo privileges hazel has.

Hazel’s sudo privileges

Viewing the image above, we can see that Hazel is able to execute a python script “hasher.py” with root privileges, without even having to supply a password. Not only that, but Hazel is also given “SETENV” sudo privileges. In short, this allows Hazel to set environment variables which are not subject to the normal security measures that environment variables set by other users would be. We can exploit this, because we know that there should be a PYTHONPATH environment variable. If we can modify that variable, then we can control where python scripts import libraries from. Lets look at what the hasher.py script is doing, and make sure that it is importing a library.

hasher.py script

Basically, this script is asking a user for a password to hash, then returning the hash to the user. Also, at the very top, we can see that the script is importing the hashlib library in order to use that library’s hashing functionality. Great, now we need to create our own hashlib.py file with our own malicious code to read the root flag, and save it into the /tmp directory.

Malicious hashlib.py file

Now we can use sudo to run the hasher.py script while specifying the PYTHONPATH variable as the /tmp directory where our malicious hashlib.py file is stored. When that happens, the hasher.py script imports our malicious hashlib.py file and executes it, because we told python to look in the /tmp directory for libraries when we set the PYTHONPATH environment variable. Now we have the root flag!

Accessing the root flag

Conclusion and Takeaways

This was a fun one for me. This was another CTF which reinforced that sometimes it’s the simple stuff that will get you in. For a short time, I overlooked the possibility that I could reuse the credentials I had already stolen in order to expand my access. I also really enjoyed using the python library hijacking method to get the root flag. I think there is an important lesson to be learned from that, as sudo privileges obviously need to be tightly controlled and monitored. Sudo misconfigurations can be especially dangerous when combined with a scripting language like python, as an attacker can easily write a short script to elevate their privileges, steal data, and take other malicious actions.

I hope you enjoyed this writeup and got some value from it, and I hope you come back to read some more writeups/blog posts in the future as well. Feel free to share this post and other posts from my blog if you think others would also like it. Thank you!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: