In this walkthrough, we will go through the RootMe room from TryHackMe. This room is rated easy on the platform and is aimed at beginners, testing their skills in enumeration, exploitation, and finally privilege escalation on a Linux server. On that note, let’s get started.
Machine Info:
Title | RootMe |
IP address | 10.10.171.102 |
Difficulty | Easy |
Objective | A ctf for beginners, can you root me? |
Task 1 – Deploy the machine
Task 2 – Reconnaissance
Question 1 – Scan the machine, how many ports are open?
sudo nmap -sS -sV 10.10.18.7
2
Question 2 – What version of Apache is running?
2.4.29
Question 3 – What service is running on port 22?
SSH
Question 4 – Find directories on the web server using the GoBuster tool.
Done
gobuster dir -u http://10.10.18.7/ -w ~/Desktop/common.txt
Question 5 – What is the hidden directory?
/panel/
Task 3 – Getting a shell
Find a form to upload and get a reverse shell, and find the flag.
Question 1 – user.txt
- By directory bruteforcing, we found a hidden directory “panel”. Great, we can use it to upload our PHP reverse shell.
- We change the IP and port in our shell script for the reverse connection.
- When we try to upload our PHP reverse shell, the form throws an error – “not allowed”.
- I tried changing the extension to jpg and jpeg, but no luck. Finally, phtml worked here and we uploaded our shell successfully to the server.
- We execute our shell by visiting the /uploads/ directory and clicking shell.phtml, which gives us a reverse connection via netcat.
- Navigating to /var/www/, we found our user.txt.
THM{y0u_g0t_a_sh3ll}
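The form rejected shell.php but accepted shell.phtml, which is how an extension blocklist typically fails. The following is an added example, not code from the room or from the original post: it puts a blocklist check beside an allowlist check in Python. The function names, both extension sets, and the sample filenames are assumptions made for illustration.

```python
import secrets
from typing import Optional

# Assumption: the room's filter behaves like a blocklist that rejects only ".php".
BLOCKED_EXTENSIONS = {".php"}
# Assumption: the upload feature only needs to accept images.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def blocklist_accepts(filename: str) -> bool:
    """Weak check: refuse known-bad extensions, accept everything else."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLOCKED_EXTENSIONS


def allowlist_store_name(filename: str) -> Optional[str]:
    """Hardened check: return a server-chosen storage name, or None to reject."""
    # Reject control characters (including NUL) and any path component.
    if any(ord(c) < 32 for c in filename) or "/" in filename or "\\" in filename:
        return None
    # Some filesystems drop trailing dots and spaces, so normalise before checking.
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    # Require exactly "<stem>.<ext>": no hidden files, no stacked extensions.
    if len(parts) != 2 or not parts[0]:
        return None
    ext = "." + parts[1]
    if ext not in ALLOWED_EXTENSIONS:
        return None
    # Never reuse the client-supplied name on disk.
    return secrets.token_hex(16) + ext


def audit(filenames):
    """Return {filename: (blocklist accepts, allowlist accepts)}."""
    return {f: (blocklist_accepts(f), allowlist_store_name(f) is not None)
            for f in filenames}


# Constructed samples; shell.php and shell.phtml are the two names from the walkthrough.
SAMPLES = ["shell.php", "shell.phtml", "photo.jpg", "Photo.JPEG", "archive.tar.gif"]

if __name__ == "__main__":
    for name, (weak, strong) in audit(SAMPLES).items():
        print(f"{name:16} blocklist={'accept' if weak else 'reject'}  "
              f"allowlist={'accept' if strong else 'reject'}")
```

An extension check is only one layer: the upload directory should also be served with script execution disabled, so that a file which slips through is never run by the web server.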
Task 4 – Privilege escalation
Now that we have a shell, let’s escalate our privileges to root.
Question 1 – Search for files with SUID permission, which file is weird?
find / -perm -u=s -type f 2>/dev/null
/usr/bin/python
Question 2 – Find a form to escalate your privileges.
Done
- Using the Python file-read technique from GTFOBins.
python -c 'print(open("/root/root.txt").read())'
Question 3 – root.txt
THM{pr1v1l3g3_3sc4l4t10n}
Conclusion:
So that was “RootMe” for you. Let’s sum it up quickly. We started off with a regular nmap scan with version detection and found the common ports open – 22 (SSH) and 80 (HTTP). Next, we moved on to directory bruteforcing with gobuster and found a directory named /panel, which has file upload functionality. We exploited it by uploading our PHP reverse shell to the server, and executing it gave us our initial access. For the privilege escalation, we used the Python SUID exploit from GTFOBins to get the root flag. On that note, I must take your leave as my boyfriend’s girlfriend is calling me. So, see you in the next one. Till then, “Hack the Planet” and don’t put the blame on me.