Tryhackme - RootMe

In this walkthrough, we will go through the RootMe room from Tryhackme. This room is rated as easy on the platform and is aimed at beginners, testing their skills in enumeration, exploitation, and finally privilege escalation on a Linux server. On that note, let’s get started.

Machine Info:

Title: RootMe
IP address: 10.10.171.102
Difficulty: Easy
Objective: A ctf for beginners, can you root me?

Task 1 – Deploy the machine

Task 2 – Reconnaissance

Question 1 – Scan the machine, how many ports are open?

sudo nmap -sS -sV 10.10.18.7

nmap scan

2

Question 2 – What version of Apache is running?

Apache service version

2.4.29

Question 3 – What service is running on port 22?

SSH version

SSH

Question 4 – Find directories on the web server using the GoBuster tool.

Done

gobuster dir -u http://10.10.18.7/ -w ~/Desktop/common.txt

Gobuster scan

Question 5 – What is the hidden directory?

directories found

/panel/

Task 3 – Getting a shell

Find a form to upload and get a reverse shell, and find the flag.

Question 1 – user.txt

  • By directory brute-forcing, we found a hidden directory, “panel”. Great, we can use it to upload our PHP reverse shell.

Select a file to upload

  • We change the IP and port in our shell script for the reverse connection.

PHP reverse shell

  • When we try to upload our PHP reverse shell, it throws an error – “not allowed”.

Select file to upload

Not allowed error

Google Translate

  • I tried changing the extension to jpg and jpeg, however no luck. Finally, phtml works here and we uploaded our shell successfully on the server.

File uploaded successfully

Uploads directory

  • We execute our shell by visiting the /uploads/ directory and clicking shell.phtml, and get a reverse connection via netcat.

netcat listener

  • Navigating to /var/www/, we found our user.txt.

user.txt

THM{y0u_g0t_a_sh3ll}

Task 4 – Privilege escalation

Now that we have a shell, let’s escalate our privileges to root.

Question 1 – Search for files with SUID permission, which file is weird?

find / -perm -u=s -type f 2>/dev/null

SUID Permissions check

usr/bin/python

Question 2 – Find a form to escalate your privileges.

Done

python -c 'print(open("/root/root.txt").read())'

Python File read

Question 3 – root.txt

root.txt

THM{pr1v1l3g3_3sc4l4t10n}
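
A defensive counterpart to the SUID search in Question 1, added here as an example and not part of the original walkthrough: it classifies every SUID file under a directory so that an interpreter, like the python binary found above, stands out from the binaries that are normally SUID. The function names and the expected-binaries list are assumptions to tune per distribution.

```shell
#!/bin/sh
# Added example: defensive SUID audit. All names here are hypothetical.

# Basenames commonly SUID on a Linux install (constructed list, tune per distro).
EXPECTED_SUID="passwd su sudo mount umount chsh chfn newgrp gpasswd ping fusermount pkexec"

# classify_suid PATH: prints INTERPRETER, EXPECTED or REVIEW for one file.
classify_suid() {
    name=$(basename "$1")
    case "$name" in
        # A SUID script interpreter runs arbitrary code with the owner's privileges.
        python|python[0-9]*|perl|perl[0-9]*|ruby|ruby[0-9]*|php|php[0-9]*|node|lua|lua[0-9]*|bash|sh|dash|zsh)
            echo INTERPRETER
            return ;;
    esac
    for ok in $EXPECTED_SUID; do
        [ "$name" = "$ok" ] && { echo EXPECTED; return; }
    done
    # Anything else is not known-good and needs a manual look.
    echo REVIEW
}

# audit_suid ROOT: one "CLASS path" line per SUID regular file under ROOT.
# Uses the same find test as the walkthrough; -xdev stays on one filesystem.
audit_suid() {
    find "$1" -xdev -perm -u=s -type f 2>/dev/null | sort | while IFS= read -r f; do
        printf '%s %s\n' "$(classify_suid "$f")" "$f"
    done
}

# count_interpreters ROOT: number of SUID interpreters found (0 on a clean host).
count_interpreters() {
    audit_suid "$1" | grep -c '^INTERPRETER ' || true
}

# Run the audit only when a directory is passed, e.g.: sh suid_audit.sh /
if [ -n "${1:-}" ]; then
    audit_suid "$1"
fi
```

An INTERPRETER finding is remediated by clearing the bit with `chmod u-s` on the reported path; REVIEW findings should be compared against the package manager's file list.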

Conclusion:

So that was “RootMe” for you. Let’s sum it up quickly. We started off with a regular nmap scan with version detection and found the common ports 22 (SSH) and 80 (HTTP) open. Next, we moved ahead with directory brute-forcing using gobuster and found a directory named /panel, which has file upload functionality. We exploited it by uploading our PHP reverse shell to the server, and executing it gave us our initial access. For privilege escalation, we used the Python SUID exploit from GTFOBins to get the root flag. On that note, I must take my leave, as my boyfriend’s girlfriend is calling me. So, see you in the next one. Till then, “Hack the Planet” and don’t put the blame on me.
