
This post is a write-up of the Incognito CTF beginner box on TryHackMe.
Let’s get started by deploying the machine. Now, after deploying the machine, start with a basic Nmap scan and see which ports and services are open and running on the particular IP address.
Nmap Scan
nmap -sC -sV -A -T4 10.10.194.255

Port 80 is open and running, so let’s look at the webpage first. The webpage is a login page of an LMS (Library Management System).

So whenever I see this type of login page in a box, my first step is to try common usernames and passwords, a dictionary attack with the help of Hydra, or a basic SQL injection.
This time I started with the latter, SQL injection, and I got into the website with a basic payload.
Username: '--
Password: '--
After I got in, I checked various functionalities to find a possible injection point or other vulnerable functionality. After some exploring, I found out that the website was vulnerable to a File Inclusion Attack, which could be exploited using the add/edit books function.
So here I used Pentest Monkey’s PHP Reverse Shell to get the reverse shell and get into the box.

Before uploading the shell I opened a listening connection via netcat.
nc -lnvp 9999
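From the defender's side, the add/edit books upload accepted a PHP script. The following is an added example, not code from the box or from the original post, of server-side validation that would reject it; it assumes the form only needs cover images, and the names `validate_upload`, `is_accepted` and the sample byte strings are hypothetical and constructed.

```python
import os
import secrets

# Assumed policy (not stated on the page): the book form only needs cover images.
# Each allowed extension maps to the leading bytes a file of that type must have.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

class UploadRejected(Exception):
    """Raised when an upload fails validation."""

def validate_upload(client_name: str, data: bytes, max_bytes: int = 2 * 1024 * 1024) -> str:
    """Return a server-chosen storage name, or raise UploadRejected."""
    if not data or len(data) > max_bytes:
        raise UploadRejected("empty or oversized file")
    # Only the final extension of the base name counts; paths are discarded.
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # Random name: the client controls neither the path nor extra extensions.
    # Magic bytes do not stop polyglot files, so the storage directory must
    # also be one where the web server never executes scripts.
    return secrets.token_hex(16) + ext

def is_accepted(client_name: str, data: bytes) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        validate_upload(client_name, data)
        return True
    except UploadRejected:
        return False

# Constructed sample inputs
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SAMPLE = b"<?php echo 'constructed sample'; ?>"

if __name__ == "__main__":
    for name, data in [("cover.png", PNG_SAMPLE), ("shell.php", PHP_SAMPLE),
                       ("cover.png", PHP_SAMPLE), ("cover.png.php", PNG_SAMPLE)]:
        print(name, "accepted" if is_accepted(name, data) else "rejected")
```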

As you can see, this is not an interactive pty, so in order to run commands like su we need to spawn a pty via a Python command.
python3 -c 'import pty; pty.spawn("/bin/bash")'

user.txt
After getting a stable pty I found a user cirius and got the user flag from there.

root.txt
Now initially I had trouble getting root, but the CTF author released a hint on Discord that user cirius is using a weak password. I used su cirius with the password password to switch the current user to cirius.

After changing the user I tried the sudo -l command which will list all the allowed commands for the particular user.

From here we can deduce that we can run basically anything as a superuser as long as we have the password.
So let’s become a superuser and get the final flag that’s supposed to be in /root.

Reading the root.txt file, I saw the last flag and was able to complete the box! Many more writeups of Incognito CTF coming soon.