Bookstore Write-Up (TryHackMe)

A Beginner level box with basic web enumeration and REST API Fuzzing. This room was created by sidchn.

Bookstore (TryHackMe)

Enumeration

I started my enumeration phase with Nmap to learn more about the host and the services running on its ports.

nmap -sC -sV <ip> -p-
  • -sC : Equivalent to --script=default
  • -sV : Probe open ports to determine service/version info
  • -p- : Scan all ports

There is SSH on port 22 and two web servers on ports 80 and 5000.

  • The web server on port 80 runs Apache 2.4.29
  • The web server on port 5000 runs Werkzeug 0.14.1 with Python 3.6.
  • On the Werkzeug web server, there are /robots.txt and /api

As I didn’t know much about Werkzeug 0.14.1, I did a few searches and found that there is an RCE which can (maybe) be exploited: https://www.rapid7.com/db/modules/exploit/multi/http/werkzeug_debug_rce/

After that, I tried to access the website on port 80 with my browser.

Then, I found a login page.

http://<ip>:80/login.html

I displayed the source code and found something a little interesting…

view-source:http://<ip>:80/login.html

Still Working on this page will add the backend support soon, also the debugger pin is inside sid’s bash history file

So, apparently, we have a user (sid) and the PIN is inside .bash_history.

Maybe we’ll be able to read this file via an LFI.

The debugger? That reminds me of the exploit I found previously…

The next thing for me was to access the web server on port 5000 with my browser.

http://<ip>:5000/

Let’s enumerate the web servers with gobuster.

Port 80 :

gobuster dir -u http://<ip>:80/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,bak
  • dir : Enumerate directories
  • -u : The URL to enumerate
  • -w : The wordlist to use
  • -x : The extensions of the files you want to find

I tried all these directories and found nothing except a cipher in the page source of /books. To decode it: base32 -> hex -> plaintext. Just a rabbit hole…

Port 5000 :

gobuster dir -u http://<ip>:5000/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,bak

/console

http://<ip>:5000/console

Console locked. WE NEED THE PIN!

/api

http://<ip>:5000/api

Local File Inclusion

We can see a lot of parameters, which made me think there was a Local File Inclusion vulnerability. Maybe we can use it to read the bash history file and find the PIN.

So, I tried with the parameter id:

http://<ip>:5000/api/v2/resources/books?id=../../../../.bash_history

Nothing…

I tried a lot of different payloads without success.

Does that remind you of the room’s introduction text?

A Beginner level box with basic web enumeration and REST API Fuzzing.

So, I had the idea to replace v2 with v1 (because v1 might be unpatched) and fuzz the parameter name.

wfuzz -u http://<ip>:5000/api/v1/resources/books?FUZZ=.bash_history -w <wordlist> --hc 404
  • -u : URL to fuzz
  • -w : Wordlist to use
  • --hc : Hide responses with the specified code

Yeah! We found the parameter!

http://<ip>:5000/api/v1/resources/books?****=.bash_history
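As an added, defender-side note that is not part of the original write-up: the root cause of the LFI above is that the v1 endpoint turns a query-string value into a file path without confining it to the API’s resource directory (and the reachable /console means the app was left running in debug mode). The Python sketch below, with a constructed resource directory and a hypothetical parameter name `file` standing in for the redacted one, shows the containment check such a handler needs, and it must be applied to every API version that remains routable, not only the latest.

```python
from pathlib import Path
from typing import Dict, Optional, Tuple

# Constructed stand-in for the API's resource directory (assumed layout; the
# room does not show the server-side code). The fix must cover v1 as well as v2.
BASE_DIR = Path("/srv/bookstore/api/resources").resolve()


def resolve_within(base: Path, requested: str) -> Optional[Path]:
    """Return the absolute path for `requested` only if it stays inside `base`.

    Rejects empty names, absolute paths, NUL bytes, anything that escapes `base`
    after '..' normalisation, and dotfiles such as .bash_history.
    """
    if not requested or requested.startswith(("/", "\\")) or "\x00" in requested:
        return None
    candidate = (base / requested).resolve()
    try:
        relative = candidate.relative_to(base)
    except ValueError:
        return None  # '..' segments walked out of the resource directory
    if not relative.parts or any(p.startswith(".") for p in relative.parts):
        return None  # the base directory itself, or a hidden file
    return candidate


def serve_resource(params: Dict[str, str], base: Path = BASE_DIR) -> Tuple[int, str]:
    """Simulates the /api/v1/resources/books handler with the containment check.

    `file` is a hypothetical parameter name standing in for the redacted one.
    """
    name = params.get("file")
    if name is None:
        return 400, "missing file parameter"
    target = resolve_within(base, name)
    if target is None:
        return 403, "invalid resource name"
    if not target.is_file():
        return 404, "no such resource"
    return 200, target.read_text()


if __name__ == "__main__":
    # Constructed requests mirroring the write-up: traversal, a bare dotfile,
    # and a legitimate resource name.
    for q in ("../../../../.bash_history", ".bash_history", "books/list.json"):
        print(q, "->", serve_resource({"file": q}))
```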

I went to /console and entered the PIN.

http://<ip>:5000/console

I immediately tried to get a reverse shell. Reverse Shell Cheat Sheet : https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

http://<ip>:5000/console
nc -lvnp 9999

Initial foothold done: we are sid and we have user.txt.

Privilege Escalation

There was a SUID binary here called try-harder.

ls -la

I started a Python HTTP server on the machine to download the binary to my attacking machine, then analyzed it with r2 and recovered this source code.

The try-harder binary source code
  • The code compares the user’s input against an expected value.
  • We can see that on line 14 there is a XOR operation. We need to know the right value for user_input, so I tried this in a Python interpreter:

0x5dcd21f4^0x1116^0x5db3

I got this result: 1573743953

PWNED!

Thank you for reading this write-up, I hope it helped you.
