InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


RootMe CTF [Writeup] TryHackMe

RootMe

Deploy The Machine

The machine RootMe is available at TryHackMe.

Start the machine so that the target IP is available.

Reconnaissance

To find the open ports, run Nmap.

There are 2 open ports: SSH and HTTP.

Apache version 2.4.29 is running. I got this information through Wappalyzer.

Secure Shell (SSH) is running on port 22.

The Apache version can also be obtained by running Gobuster.

To find the hidden directory, I ran the Gobuster tool:

$ gobuster dir -u http://10.10.51.16/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

The correct answer for the hidden directory is /panel/

This means we can upload any file on this /panel page. I think this is the way to get a shell. Reverse shell or bind shell? For that I need to do some googling. Oh, there is a reverse shell mentioned in that room as well. So I need to find reverse shell code through Google, upload it, and access that server's shell from my machine.

Getting a shell

I need to upload the PHP reverse shell code in the upload section and set up a listener on my PC.

I used this file: https://github.com/pentestmonkey/php-reverse-shell

Time to upload the file. But I got this error; I think it does not permit uploading .php files.

I changed .php to .php5, and then the file was uploaded.
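The upload filter described above blocks the literal .php suffix but lets .php5 through, which is the classic weakness of an extension blacklist. The following is an added example (not code from the write-up or from TryHackMe) that puts a weak blacklist check beside an allowlist validator of the kind a defender would deploy: one permitted final extension, compared case-insensitively, a plain filename with no path or extra dots, and a magic-byte check on the content. The allowed extensions and magic bytes are assumptions chosen for an image-upload form.

```python
"""Weak extension blacklist beside a hardened allowlist upload validator (added example)."""
import os
import re

# Weak check modelled on the behaviour observed in the write-up: only the
# literal ".php" suffix is blocked, so ".php5", ".phtml", ".PHP" slip through.
def weak_blacklist_allows(filename: str) -> bool:
    return not filename.endswith(".php")


# Hardened check. Assumption: the form is meant to accept images only.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Stem may contain letters, digits, '_' and '-' only: no dots, no separators.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# Leading bytes each accepted type must start with (constructed table).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def allowlist_accepts(filename: str, content: bytes) -> bool:
    """Return True only when name, final extension and content all agree."""
    # Reject anything carrying directory components ("../x.png", "a/b.jpg").
    if os.path.basename(filename) != filename:
        return False
    stem, dot, ext = filename.rpartition(".")
    # Exactly one dot, and a plain stem: "img.jpg.php" has stem "img.jpg" and fails.
    if not dot or not SAFE_STEM.fullmatch(stem):
        return False
    ext = ext.lower()  # "shell.PHP" and "shell.Php5" are compared lowercased
    if ext not in ALLOWED_EXT:
        return False
    # Content must look like the claimed type; "<?php ..." saved as .jpg fails.
    return any(content.startswith(magic) for magic in MAGIC[ext])


# Constructed sample uploads: (filename, first bytes of content).
SAMPLES = [
    ("shell.php", b"<?php system($_GET['cmd']); ?>"),
    ("shell.php5", b"<?php system($_GET['cmd']); ?>"),
    ("shell.PHP", b"<?php system($_GET['cmd']); ?>"),
    ("img.jpg.php", b"<?php system($_GET['cmd']); ?>"),
    ("notreally.jpg", b"<?php system($_GET['cmd']); ?>"),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("../photo.png", b"\x89PNG\r\n\x1a\n"),
    ("logo.GIF", b"GIF89a"),
]


def compare(samples=SAMPLES) -> dict:
    """Map each filename to (weak_blacklist_allows, allowlist_accepts)."""
    return {name: (weak_blacklist_allows(name), allowlist_accepts(name, data))
            for name, data in samples}


if __name__ == "__main__":
    for name, (weak, strict) in compare().items():
        print(f"{name:16} blacklist={'pass' if weak else 'block'}  allowlist={'pass' if strict else 'block'}")
```

Running it shows the blacklist passing everything except the bare .php name, while the allowlist admits only photo.jpg and logo.GIF. The magic-byte check is the part that matters once extensions are right: a web server that is configured to execute .php5 will still not run bytes that the upload handler never stored.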

Create a listener on the attack machine, then click on the uploaded reverse shell file. It then connects back to the attack machine.

You can either run the following command in the terminal or click the recently uploaded malicious file under /uploads. The reverse shell PHP code is then executed. At the same time, we are listening on port 1234 on the attack machine. Hence we get the reverse shell.

Now search for user.txt; there we get the flag. I found user.txt in /usr/www

Privilege Escalation

Q. Search for files with SUID permission, which file is weird?

Ans: /usr/bin/python

I found Python installed on the target with the SUID bit set, so we can use it to get higher privileges.
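The reason /usr/bin/python stands out is that an interpreter with the SUID bit runs whatever code it is given as the file owner, so it should never appear among the handful of SUID binaries a host legitimately needs. The following is an added example (not code from the write-up) of the audit a defender would run to catch this: it compares SUID executables against a baseline of expected ones and reports the rest. The baseline below is an assumption representing a typical Debian/Ubuntu set, and the sample entries are constructed to mirror the write-up's finding.

```python
"""Flag SUID executables that are not on an expected baseline (added example)."""
import os
import stat
from typing import Iterable, List, Tuple

# Assumption: legitimate SUID binaries on a typical Debian/Ubuntu host.
# A real deployment would build this from a golden image, not hard-code it.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/pkexec", "/bin/ping",
}

# Interpreters and other binaries that can run arbitrary code; SUID on any of
# these is a finding even if someone added it to a baseline by mistake.
NEVER_SUID_NAMES = {"python", "python2", "python3", "perl", "ruby", "php",
                    "bash", "sh", "dash", "vim", "vi", "nano", "find", "env"}


def is_suid_executable(mode: int) -> bool:
    """True for a regular file with the set-user-ID bit and owner execute bit."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and bool(mode & stat.S_IXUSR)


def unexpected_suid(entries: Iterable[Tuple[str, int]],
                    baseline=EXPECTED_SUID) -> List[str]:
    """Return SUID executable paths that are not in the baseline, sorted.

    Interpreters listed in NEVER_SUID_NAMES are reported regardless of baseline.
    Each entry is a (path, st_mode) pair, so the logic can be unit-tested
    without touching the real filesystem.
    """
    findings = []
    for path, mode in entries:
        if not is_suid_executable(mode):
            continue
        name = os.path.basename(path)
        base_name = name.rstrip("0123456789.")  # python3.8 -> python
        if path not in baseline or base_name in NEVER_SUID_NAMES:
            findings.append(path)
    return sorted(findings)


def scan_filesystem(root: str = "/") -> List[Tuple[str, int]]:
    """Collect (path, st_mode) for every regular file under root (skips unreadable entries)."""
    collected = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            try:
                st = os.lstat(full)  # lstat: do not follow symlinks
            except OSError:
                continue
            collected.append((full, st.st_mode))
    return collected


# Constructed sample modelled on the write-up's finding. 0o104755 is a regular
# file (0o100000) with SUID (0o4000) and rwxr-xr-x (0o755).
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755),
    ("/usr/bin/sudo", 0o104755),
    ("/usr/bin/python", 0o104755),   # the odd one out
    ("/usr/bin/ls", 0o100755),       # ordinary executable, no SUID
    ("/etc/shadow", 0o100640),       # not executable, not SUID
]


if __name__ == "__main__":
    # Swap SAMPLE_ENTRIES for scan_filesystem("/") to audit a live host.
    for finding in unexpected_suid(SAMPLE_ENTRIES):
        print("unexpected SUID executable:", finding)
```

Run on the constructed sample it reports only /usr/bin/python. On a live host the findings should be reviewed against package metadata (for example `dpkg -S` on Debian-family systems) and the baseline adjusted only for binaries whose SUID bit is documented and necessary.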

We can use https://gtfobins.github.io as mentioned in the hint.

Now I searched for Python there and found the SUID section and its code. Together with the hint in THM, this code can do something for us.

In our case, we do not need to run the first command. Running the second command gives us a root shell.

First, navigate into /usr/bin and then run the command.

Now I got root. It's time to search and find the root flag.

First, go into root's home directory; the flag is there.

Okay, everything is done. Now terminate the target machine.

Happy Hackers !!
