RootMe Walkthrough — THM

Azt3c
Mar 26, 2022

This blog is a walkthrough for the room RootMe on the TryHackMe Platform.

Task 1: Deploy The Machine

Task 2: Reconnaissance

Task 3: Getting a shell

Task 4: Privilege Escalation

Findings & Screenshot

Task 1: Deploy The Machine

1 Deploy the machine

- No Answer Needed

Task 2: Reconnaissance

First, let’s get information about the target

1 Scan the machine, how many ports are open?

- 2

2 What version of Apache is running?

- 2.4.29

3 What service is running on port 22?

- SSH

4 Find directories on the web server using the GoBuster tool.

- No Answer Needed

5 What is the hidden directory?

- /panel/

Task 3: Getting a shell

Find a form to upload and get a reverse shell, and find the flag.

1 user.txt

- THM{y0u_g0t_a_sh3ll}

Task 4: Privilege Escalation

Now that we have a shell, let’s escalate our privileges to root.

1 Search for files with SUID permission, which file is weird?

- /bin/python

2 Find a form to escalate your privileges.

- No Answer Needed

3 root.txt

- THM{pr1v1l3g3_3sc4l4t10n}

Findings & Screenshot

Started off with an nmap scan and discovered a few open ports:

Running a gobuster scan on the IP, I found the “/uploads” and “/panel” directories:

Checking out these directories in the browser, I saw I could upload a file, and the first thing that came to mind was a PHP reverse shell:

I reused the PHP reverse shell from pentestmonkey, but I couldn’t upload the “.php” extension, so I tried different PHP extensions; “.phtml” worked for me and uploaded successfully:

Going to the uploads directory, clicking on the uploaded file, and starting my netcat listener, I got my shell as the “www-data” user:

Running “find / -perm -u=s -type f 2>/dev/null” to find SUID binaries that I could use for privilege escalation, python stood out most, as I know I can spawn a shell with it. So, looking at the results from the scan and the results from GTFOBins, I ran the python command and got a root shell:

What is SUID Permission?

SUID (Set User ID) is a permission bit that makes an executable run with the permissions of the file’s owner rather than those of the user who launches it. Files with the SUID bit set can therefore run with higher privileges than the caller has. Assume we are accessing the target system as a non-root user and find binaries owned by root with the SUID bit enabled: those files, programs or commands run with root privileges.
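The same check from the defender's side, as an added example that is not part of the original walkthrough: it walks a directory tree like the “find” command above, reports SUID files owned by a given user, and marks interpreters and similar tools for review. The `RISKY_NAMES` list and all function names are assumptions chosen for illustration, and the demo tree is constructed.

```python
import os
import stat
import tempfile

# Assumption: illustrative, non-exhaustive list of tools that should not be SUID root.
RISKY_NAMES = ("python", "perl", "ruby", "php", "bash", "sh", "find", "vim", "nmap")


def is_risky(name):
    """True if name is a listed tool, allowing version suffixes such as python2.7."""
    return any(name == r or (name.startswith(r) and name[len(r)].isdigit())
               for r in RISKY_NAMES)


def audit_suid(root, owner_uid=0):
    """Return sorted [(path, risky)] for regular files under root that have the
    SUID bit set and are owned by owner_uid (0 is root on a real system)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished, like 2>/dev/null in the find command
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
                findings.append((path, is_risky(name)))
    return sorted(findings)


def demo():
    """Constructed sample tree. The files belong to the current user, so the
    audit is run for that uid instead of 0."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("passwd", 0o4755), ("python", 0o4755), ("ls", 0o755)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return [(os.path.basename(p), risky)
                for p, risky in audit_suid(root, owner_uid=os.getuid())]


if __name__ == "__main__":
    for name, risky in demo():
        print(("REVIEW  " if risky else "ok      ") + name)
```

On a real host, call `audit_suid("/")` as root and compare the output against the distribution's expected SUID set; any entry marked for review should have the bit removed unless there is a documented reason for it.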

GTFOBins

Running the command:

I couldn’t locate the user flag in the rootme user’s home directory, so I decided to run the Linux “find” command as well; this allowed me to locate the path to the user flag:

Navigated to the “/var/www/” directory. This is also where the web service looks for the files you want to host, unless you change the config file:

Reading out user.txt, I got the first flag. Since I’d already found a way to gain root, I located root.txt in the “/root/” directory:
