RootMe
Difficulty = Easy
Hola, here is my write-up on RootMe, based on the TryHackMe CTF. It covers reconnaissance, privilege escalation, and reverse shell techniques.
Task 1: Deploy the machine
Connect to TryHackMe network and deploy the machine
- So, I started by connecting to the TryHackMe network and deploying the machine.
Task 2: Reconnaissance
First, let's get information about the target.
Q1: How many ports are open?
- So, I began by utilizing one of the best enumeration and scanning tools, which is Nmap. Nmap is a powerful network scanning tool used to discover hosts and services on a computer network.
- Running our Nmap scan gives us this:
# Nmap 7.94SVN scan initiated Sat Mar 2 16:09:04 2024 as: nmap -sC -sV -oN ./myfile.txt 10.10.88.68
Nmap scan report for 10.10.88.68
Host is up (0.20s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| 256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_ 256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: HackIT - Home
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 2 16:09:42 2024 -- 1 IP address (1 host up) scanned in 37.96 seconds
And we can see that we have 2 ports open from our Nmap scan.
- Answer: 2
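Reading the open-port count, the Apache version and the cookie-flag warning off the scan by eye is fine for two ports, but a scan of a larger network is easier to handle with a small parser. The following is an added example, not part of the original write-up: a Python parser for Nmap's normal output (-oN) that uses an abridged copy of the scan above, embedded as a constructed sample, and also pulls out NSE findings such as the missing HttpOnly flag that a defender would want to track.

```python
import re

# Constructed sample: an abridged copy of the -oN report from this write-up,
# embedded so the parser can run offline.
NMAP_REPORT = """\
# Nmap 7.94SVN scan initiated Sat Mar 2 16:09:04 2024 as: nmap -sC -sV -oN ./myfile.txt 10.10.88.68
Nmap scan report for 10.10.88.68
Host is up (0.20s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: HackIT - Home
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One port line of the normal-output format: "<port>/<proto> <state> <service> [version...]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)


def parse_ports(report):
    """Return one dict per port line with port (int), proto, state, service, version."""
    ports = []
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, NSE script ("|") and trailer lines are skipped
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["version"] = (rec["version"] or "").strip()
        ports.append(rec)
    return ports


def open_ports(report):
    """Only the ports Nmap reported as open (closed/filtered lines are ignored)."""
    return [p for p in parse_ports(report) if p["state"] == "open"]


def product_version(report, port):
    """First dotted version number in the VERSION column of the given port, or None."""
    for p in parse_ports(report):
        if p["port"] == port:
            m = re.search(r"\d+\.\d+(?:\.\d+)?", p["version"])
            return m.group(0) if m else None
    return None


def script_warnings(report):
    """NSE findings that describe a missing hardening control (here: a cookie flag)."""
    return [line.lstrip("|_ ").strip() for line in report.splitlines() if "flag not set" in line]


if __name__ == "__main__":
    for p in open_ports(NMAP_REPORT):
        print(f"{p['port']}/{p['proto']} {p['service']:<6} {p['version']}")
    print("Apache version:", product_version(NMAP_REPORT, 80))
    print("Warnings:", script_warnings(NMAP_REPORT))
```

For anything beyond a one-off scan, `-oX` plus an XML parser is the more robust route, but the -oN format is what the write-up saved, and the port lines are stable enough to match with one regex.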
Q2: What version of Apache is running?
- From our Nmap scan, port 80 (http) is running Apache httpd 2.4.29 ((Ubuntu)).
- Answer: 2.4.29
Q3: What service is running on port 22?
- Answer: SSH
Q4: Find directories on the web server using the GoBuster tool.
- Answer: No Answer Needed
Q5: What is the hidden directory?
- Using Gobuster, a command-line tool utilized for directory and file brute-forcing on web servers, we were able to uncover the hidden directory.
- Answer: /Panel/
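From the server's side, the directory brute-force that found /Panel/ leaves an obvious trace: a burst of 404 responses from one source in a short time. The following is an added example, not part of the original write-up, showing simple detection logic in Python over a constructed Apache access log (the IPs, paths, timestamps and User-Agent strings are all made up for the sample); it flags any client whose 404 count inside a sliding time window exceeds a threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Apache "combined" log lines: 10.0.0.5 walks a wordlist
# (mostly 404s within a few seconds), 10.0.0.9 is an ordinary visitor.
SAMPLE_LOG = """\
10.0.0.9 - - [02/Mar/2024:16:05:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Mar/2024:16:05:02 +0000] "GET /favicon.ico HTTP/1.1" 404 275 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Mar/2024:16:10:01 +0000] "GET /admin HTTP/1.1" 404 275 "-" "scanner/1.0"
10.0.0.5 - - [02/Mar/2024:16:10:01 +0000] "GET /backup HTTP/1.1" 404 275 "-" "scanner/1.0"
10.0.0.5 - - [02/Mar/2024:16:10:02 +0000] "GET /config HTTP/1.1" 404 275 "-" "scanner/1.0"
10.0.0.5 - - [02/Mar/2024:16:10:02 +0000] "GET /images HTTP/1.1" 404 275 "-" "scanner/1.0"
10.0.0.5 - - [02/Mar/2024:16:10:03 +0000] "GET /panel HTTP/1.1" 301 312 "-" "scanner/1.0"
10.0.0.5 - - [02/Mar/2024:16:10:03 +0000] "GET /test HTTP/1.1" 404 275 "-" "scanner/1.0"
10.0.0.5 - - [02/Mar/2024:16:10:04 +0000] "GET /uploads HTTP/1.1" 301 313 "-" "scanner/1.0"
10.0.0.5 - - [02/Mar/2024:16:10:04 +0000] "GET /secret HTTP/1.1" 404 275 "-" "scanner/1.0"
10.0.0.9 - - [02/Mar/2024:16:20:00 +0000] "GET /old HTTP/1.1" 404 275 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any `window`-second span."""
    times = sorted(times)
    best, lo = 0, 0
    for hi in range(len(times)):
        while (times[hi] - times[lo]).total_seconds() > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_dir_bruteforce(log_lines, threshold=20, window=60):
    """Return {ip: peak_404_count} for clients whose 404 rate crosses the threshold."""
    misses = defaultdict(list)
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        misses[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in misses.items():
        peak = max_in_window(stamps, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(detect_dir_bruteforce(SAMPLE_LOG.splitlines(), threshold=5, window=60))
```

The default threshold of 20 misses per minute is a starting point, not a tuned value: a site with many broken links will need a higher one, and a real deployment would key on the 404 rate per client rather than on the User-Agent, which a scanner can set to anything.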
Task 3: Getting a shell
Find a form to upload and get a reverse shell, and find the flag.
- We have to find a form for uploading files to obtain a reverse shell, and then locate the flag. In this scenario, access the IP address via a web browser. The hidden directory named "panel" will lead you to the upload form.
- We can go here to find PHP reverse shell scripts. What we need to do is create a "shell.php" file that we can upload onto the vulnerable server, which is used to establish a backdoor connection to the compromised server.
- So, we can create a file with nano, for example "example.php". This opens the nano editor, where you can copy-paste the payload from the Git repository. Afterwards, we need to change the "ip_addr" and port to the values we want for our connection. In this case, I use port 4444, but you can use any port convenient for you. Then, use the IP address of your TryHackMe (THM) VPN if you are connected using the VPN, or of the AttackBox. Scroll down and you will see something similar.
- After completing the process, it's time to upload it to the /panel/ directory that we discovered earlier. However, what's this? It appears the server isn't accepting .php files. What should we do in this situation? We're aware that we have a .php file, and PHP files can be disguised with various extensions. A brief search on Google reveals alternative extensions such as .php3, .php4, .php5, .php7, .phtml and .pht. The .php5 extension finally works! Bingo!
- Now, we need to navigate to the uploads page at ip_addr/uploads, which was found earlier using Gobuster, to access hidden pages. It will look something like this. Then, we start our Netcat listener in the terminal.
- To start our Netcat listener, we open a terminal and enter the command nc -lvnp 4444 (replace "4444" with the port number specified in your PHP reverse shell file). In my case, I use port 4444.
- Now, click on the PHP shell in the /uploads/ directory and switch to the Netcat terminal window.
- Move to the terminal. BINGO!! We are in :)
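The reason the .php5 rename worked is worth spelling out from the application's side: a check that rejects only the literal ".php" suffix is a denylist, and a denylist is only as complete as the list of suffixes the server will actually hand to the PHP handler. The following is an added example, not code from the box or the write-up (the real upload check on the machine is not shown anywhere on the page, so the "vulnerable" function is an assumed reconstruction of that denylist pattern). It places that pattern beside an allowlist check that accepts only a few image extensions and additionally verifies the file's leading bytes, so a PHP script with an image extension is also rejected.

```python
import os

# Allowlist of the only upload types this form is meant to accept (assumption
# for the example; the real form's intended types are not stated on the page).
ALLOWED_IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Leading "magic" bytes of each allowed type, so content is checked, not just the name.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def denylist_accepts(filename):
    """Vulnerable pattern (assumed, see lead-in): reject names ending in '.php'
    and accept everything else. Every other PHP-handled suffix passes."""
    return not filename.lower().endswith(".php")


def allowlist_accepts(filename, content):
    """Hardened check: the final extension must be on the allowlist AND the
    content must start with that type's magic bytes; anything else is rejected."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        return False
    return content.startswith(MAGIC[ext])


if __name__ == "__main__":
    # Constructed inputs: the extensions listed in the write-up, plus a real PNG header.
    for name in ["shell.php", "shell.php3", "shell.php5", "shell.phtml", "shell.pht"]:
        print(f"{name:<12} denylist={denylist_accepts(name)!s:<5} "
              f"allowlist={allowlist_accepts(name, b'<?php')}")
    print("photo.png  allowlist =", allowlist_accepts("photo.png", MAGIC["png"] + b"\x00" * 8))
```

Two further controls belong with this check in a real application: store the upload under a server-generated name (never the client's) in a directory that is not served by the web server, and make sure that directory has script execution disabled, so that even a file that slips past the check cannot be run by browsing to it, which is exactly the step the write-up relies on at /uploads.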
Q1: user.txt
- How to find it? Use the find command. Type find / -type f -name user.txt 2> /dev/null
- find: This command is used to search for files and directories within a specified directory hierarchy.
- /: Specifies the starting point of the search, which is the root directory.
- -type f: Indicates that we are searching for regular files.
- -name user.txt: Specifies the name of the file we are looking for, which is "user.txt".
- 2> /dev/null: Redirects any error messages (stderr, file descriptor 2) to /dev/null, which discards them.
- Then, we will obtain its path and can view it with the cat command to retrieve the flag.
- Answer: THM{y0u_g0t_a_sh3ll}
Task 4: Privilege escalation
Now that we have a shell, let's escalate our privileges to root.
Q1: Search for files with SUID permission, which file is weird?
- We need to use the command find / -user root -perm /4000. What does it mean? It searches for files owned by root that have the SUID bit set, a permission setting that lets the file run with the privileges of its owner, root. We have to carefully check the list of files it finds to see if any of them can be used to gain full control over the system as the root user.
- Answer: /usr/bin/python
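Spotting /usr/bin/python in that list by eye works on a CTF box, but an administrator who wants to catch the same misconfiguration before an attacker does needs something repeatable. The following is an added example, not part of the original write-up: a small Python audit that takes the output of the find command above (here a constructed sample list standing in for real output) and reports two classes of finding, a SUID binary that is an interpreter or shell, and a SUID binary that is not in a known-good baseline. The baseline below is illustrative and is an assumption of the example; build yours from a clean install of the same OS image.

```python
import os
import re
import subprocess

# Illustrative baseline of SUID-root binaries (assumption for the example; generate
# a real one from a clean image of the distribution you run).
BASELINE_SUID = {
    "/bin/fusermount", "/bin/mount", "/bin/ping", "/bin/su", "/bin/umount",
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/pkexec", "/usr/bin/traceroute6.iputils",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# Programs that should never carry the SUID bit: each can run arbitrary commands
# or files, so SUID on them is equivalent to giving every local user root.
RISKY_BASENAMES = {
    "python", "perl", "ruby", "php", "node", "sh", "bash", "dash", "zsh",
    "vim", "vi", "nano", "find", "env", "awk", "cp", "mv", "less", "more",
}

# Constructed sample: what `find / -user root -perm /4000 -type f` might print
# on a host with the misconfiguration from this task plus one unknown binary.
SAMPLE_FIND_OUTPUT = """\
/bin/mount
/bin/ping
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/python
/opt/custom/backup
/usr/lib/openssh/ssh-keysign
"""


def program_stem(path):
    """Leading alphabetic part of the basename, so 'python2.7' and 'python3' map to 'python'."""
    m = re.match(r"[A-Za-z_-]+", os.path.basename(path))
    return m.group(0).lower() if m else ""


def audit_suid(paths, baseline=BASELINE_SUID):
    """Return {path: reason} for every SUID file that needs attention."""
    findings = {}
    for path in paths:
        path = path.strip()
        if not path:
            continue
        if program_stem(path) in RISKY_BASENAMES:
            findings[path] = "interpreter or shell with SUID bit set"
        elif path not in baseline:
            findings[path] = "not in baseline, verify why it is SUID"
    return findings


def live_suid_paths():
    """Run the same find command the write-up uses and return its output lines.
    Not exercised by the tests; intended for use on a host you administer."""
    proc = subprocess.run(
        ["find", "/", "-user", "root", "-perm", "/4000", "-type", "f"],
        capture_output=True, text=True, stderr=subprocess.DEVNULL,
    )
    return proc.stdout.splitlines()


if __name__ == "__main__":
    for path, reason in audit_suid(SAMPLE_FIND_OUTPUT.splitlines()).items():
        print(f"{path:<40} {reason}")
```

The fix for the finding this task turns on is a one-liner (`chmod u-s /usr/bin/python`), but the audit is the part worth scheduling, because a package upgrade or a well-meaning admin can reintroduce the bit at any time.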
Q2: Find a form to escalate your privileges.
- Answer: No Answer Needed
Q3: root.txt
- How to exploit it? Use GTFOBins and look for the Python entry.
- We need to run python -c 'import os; os.execl("/bin/sh", "sh", "-p")': copy it and paste it into your terminal to see where we end up. Then, type the command whoami. We are in!
- To find root.txt, run this command in the terminal: find / -type f -name root.txt
- We got the flag.
- Answer: THM{pr1v1l3g3_3sc4l4t10n}
And we are done! That's all, friends. Thank you for reading up to this point. I would like to hear your feedback on anything that is not clear here. Here is my Twitter account: @T3chnocr4t. Feel free to DM me if you have any issues with my write-up. Thanks!