RootMe
Task 2: Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn).
We found 2 open ports, which is the answer to the first question.
Detailed Nmap Scan:
Command Breakdown:
(-sV): Service version
(-sC): Default nmap scripts
(-p): Specifying ports 22,80
(-oN nmap): Saving the output to a file called nmap
The Apache version is 2.4.29 and the service running on port 22 is SSH; these are the answers to the next two questions.
To find hidden directories on the web server, we use the tool called Gobuster.
Command Breakdown:
(-w): Specifying wordlist
(-u): Specifying URL
(-x): Specifying extensions
We find 2 interesting directories, and the answer to the last question of this task is /panel/.
Task 3: Getting a shell
It says we need to find a form to upload and get a reverse shell. From our gobuster output we can see that there is a directory called /uploads, which I think is the directory where uploaded files are stored. But first we need to find the upload page, and that can be found in the panel directory; when we visit it, we see the upload option.
Now we have to see if we can upload a PHP reverse shell (the one from pentestmonkey).
First you have to modify the script you downloaded: change $ip to your TryHackMe IP and $port to the port your Netcat listener will be listening on.
Once you have changed it, try uploading it.
It looks like we are not allowed to upload PHP files. What we can do here is add any number (I'm adding 5) to the end of the file name's extension, so the upload check won't recognize it as a PHP file, even though it actually is one.
Now let's try uploading it.
And it was uploaded. Now let's go to the uploads directory, where I think we can access our uploaded reverse shell.
And we surely can, but before we click it, we need to start a Netcat listener to catch the reverse shell.
Once you click the shell.php5 link on the site, you will get a reverse shell.
You can now go and find user.txt, which is the answer to the question in this task. But first let's stabilize our shell; we do that with this command:
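Why the rename worked, seen from the defender's side: the upload form appears to reject names by extension, so a list of forbidden extensions is the weak check, and an allow-list of the extensions the feature actually expects, plus a server-generated stored name, is the fix. The Python below is an added example written for this write-up, not code from the room or from pentestmonkey; the denylist containing only ".php", the allow-listed image extensions and the sample upload names are all assumptions constructed for the demonstration.

```python
import re
import secrets

# Weak check (assumed to mirror the room's upload form): a denylist of
# forbidden extensions. Anything that is not literally ".php" slips through.
DENYLIST = {".php"}

# Strong check: an allowlist of what an image-upload feature actually expects.
# Stem: letters, digits, "_" or "-" only (so no second dot, no path separators,
# no NUL bytes); extension: exactly one of the expected image types.
SAFE_NAME = re.compile(r"^[a-z0-9_-]{1,64}\.(jpg|jpeg|png|gif)$")


def denylist_check(filename: str) -> bool:
    """Return True if the weak filter would accept the upload."""
    lowered = filename.lower()
    return not any(lowered.endswith(ext) for ext in DENYLIST)


def allowlist_check(filename: str) -> bool:
    """Return True only if the name has exactly one of the expected shapes."""
    return SAFE_NAME.fullmatch(filename.lower()) is not None


def stored_name(filename: str):
    """Name under which an accepted upload is written to disk.

    The client-supplied name is never reused: a random token stops the uploader
    from choosing the stored name, and the extension comes from the allowlist
    match, so only expected file types ever land in the uploads directory.
    Returns None when the upload is rejected.
    """
    if not allowlist_check(filename):
        return None
    ext = filename.lower().rsplit(".", 1)[1]
    return f"{secrets.token_hex(8)}.{ext}"


def compare(filenames):
    """Run both checks over a batch of names; maps name -> (weak, strong)."""
    return {name: (denylist_check(name), allowlist_check(name)) for name in filenames}


if __name__ == "__main__":
    # Constructed sample upload names, including the renamed shell from the room.
    samples = ["photo.PNG", "shell.php", "shell.php5", "../photo.png"]
    for name, (weak, strong) in compare(samples).items():
        print(f"{name:14} denylist accepts: {weak!s:5} allowlist accepts: {strong}")
```

Running it shows shell.php5 passing the denylist and failing the allowlist; the stored-name step is what keeps a user-chosen name from ever being served back from /uploads.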
And to get access to the clear command, use this command:
If you are struggling to find the user.txt file, there is a command you can use to find it easily: find.
Command Breakdown:
find: Using the find command
/: Searching through all directories
-type: Specifying file type, in this case a file (f)
-name: Specifying the name of the file, in this case user.txt
2>/dev/null: Sending all errors to /dev/null, a file that discards anything written to it, so no errors are shown to us.
Task 4: Privilege Escalation
The first question asks us to find files with SUID permissions; we can find these by using this command:
Command Breakdown:
find: Using the find command
/: Searching through all directories
-perm: Specifying the permission bits to match, in this case -u=s, which matches files with the SUID bit set.
-type: Specifying file type, in this case a file (f)
2>/dev/null: Sending all errors to /dev/null, a file that discards anything written to it, so no errors are shown to us.
Looking through these, the one that catches my eye is /usr/bin/python, and that is the answer to the first question.
As we found a SUID file, we can go to GTFOBins and find commands that can help us escalate our privileges to root.
Use the second command, without the ./, and you should get root.
Now you can find the final flag, which is also the final question in this room, in /root/, which you can now access as you are root.
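The same listing is the audit a defender runs: enumerate SUID files and diff them against a baseline so that an entry such as /usr/bin/python, which has no business carrying the set-user-ID bit, stands out. The Python below is an added example for this write-up, not the room's own material; it reproduces find / -perm -u=s -type f 2>/dev/null with os.walk, and both the baseline set and the throwaway directory tree it scans are constructed for the demonstration (a real baseline should be generated from a known-good build of the same image).

```python
import os
import stat
import tempfile

# Constructed baseline of SUID binaries one expects on a stock Ubuntu-style
# host. For a real audit, generate this from a known-good image of the same
# build rather than trusting a hand-written list.
EXPECTED_SUID = {"passwd", "su", "sudo", "mount", "umount",
                 "chsh", "chfn", "gpasswd", "newgrp"}


def find_suid_files(root):
    """Equivalent of `find ROOT -perm -u=s -type f 2>/dev/null`.

    Walks the tree, silently skips directories and files it cannot read (the
    2>/dev/null part), and returns the sorted paths of regular files whose
    mode has the set-user-ID bit.
    """
    found = []
    for dirpath, _dirs, filenames in os.walk(root, onerror=lambda _err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def unexpected_suid(paths, baseline=EXPECTED_SUID):
    """Paths whose basename is not in the baseline: the ones worth a closer look."""
    return [p for p in paths if os.path.basename(p) not in baseline]


def build_fixture():
    """Constructed sample tree: two SUID files and one ordinary file, so the
    scanner can be exercised offline without touching the real filesystem."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("passwd", 0o4755), ("python", 0o4755), ("notes.txt", 0o644)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_fixture()
    suid = find_suid_files(root)
    print("SUID files:", suid)
    print("not in baseline:", unexpected_suid(suid))
```

Point find_suid_files at "/" on a real host to get the same list the find command produces; the value of the baseline diff is that a one-line change such as an interpreter gaining the SUID bit shows up immediately instead of having to be spotted by eye.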