In this write-up I show how to complete the RootMe room on THM.
It’s a beginner CTF challenge that was a lot of fun! Let’s connect to the THM OpenVPN network and start hacking!
Task 1 – Deploy the machine
Deploy the machine, and you will get your machine IP address.
Task 2 – Reconnaissance
Let’s get some information about the target.
I’ll start by pinging the target, to check that we can reach it and to get a first idea of what kind of machine it is.
ping -c 1 <machine_ip>
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/ping.png)
Linux hosts send packets with a default initial TTL of 64, Windows hosts with 128 and most network appliances with 255, and every router hop on the way back decrements the value by one, so the TTL in the reply hints at the operating system:
If the TTL is less than 64 and greater than 1, then it is probably a Linux host.
If the TTL is greater than 64 and less than 128, then it is probably a Windows host.
If the TTL is between 128 and 255, then it is probably a network appliance.
This is only a heuristic, since the default TTL can be changed by the administrator.
Nmap Scan:
We will now use the T1595: Active Scanning (MITRE ATT&CK) technique to gather information that may be useful to us. The scan below skips host discovery (-Pn), runs the default scripts with version detection (-sCV) against every TCP port, and saves the output to a file:
nmap -vvv -Pn -sCV -p0-65535 --reason -oN rootme.nmap <machine_ip>
There are 2 ports open.
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/image-1.png)
#2.1 Scan the machine, how many ports are open?
2
#2.2 What version of Apache is running?
2.4.29
#2.3 What service is running on port 22?
ssh
Gobuster:
We will now use the T1083: File and Directory Discovery (MITRE ATT&CK) technique to find directories on the web server using the GoBuster tool.
gobuster dir -u http://<machine_ip> -w <wordlist_file>
In the output we can see an interesting folder:
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/gobuster.png)
#2.4 Find directories on the web server using the GoBuster tool.
No answer needed.
#2.5 What is the hidden directory?
/panel
Task 3 – Getting a shell
We need to find an upload form, use it to get a reverse shell, and then find the flag.
Navigate to the hidden directory in the URL http://<machine_ip>/panel/
Here we can upload a file that will give us a reverse shell:
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/panel-1024x553.png)
For this task I will upload a PHP reverse shell script.
I usually use the pentestmonkey script to get a reverse shell back to a netcat listener.
Use git clone in the terminal to download the script:
https://github.com/pentestmonkey/php-reverse-shell
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/gitclone.png)
Change your directory to the php-reverse-shell folder and make your php-reverse-shell script executable by using the following command:
chmod +x php-reverse-shell.php
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/chmod.png)
Open the PHP reverse shell script in an editor and change the values of the $ip and $port parameters to your host machine’s IP (your VPN address on the THM network) and the port you want to listen on.
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/php-reverse-shell-script-editor.png)
Now that the script is configured, we will proceed and upload the file.
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/php-error-1.png)
Upload failed! This is because PHP files are not allowed to be uploaded.
A quick Google search on the problem:
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/image-2.png)
We can see some other file extensions that the server may still hand to the PHP interpreter, so the filter that only blocks .php can be bypassed.
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/image-4.png)
BurpSuite:
For the T1110: Brute Force (MITRE ATT&CK) technique I’ll use the BurpSuite tool.
Make sure BurpSuite is running and intercepting the browser traffic.
I captured the upload request and sent it to Intruder, cleared all the payload positions and marked only the .php extension of the filename, so that the Sniper attack replaces that extension with whatever payload I choose.
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/burp-suite-php-ext-1024x387.png)
On the Payloads tab I added the other extensions (see above) for Intruder to try one by one.
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/burp-suite-extensions.png)
I start the attack and look at the results: the responses whose length is greater than the length of the .php response are the extensions that were not rejected.
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/length-burp-suite.png)
We will rename the script file to one of the accepted extensions using the command:
mv <filename.php> <filename.specific_ext_from_the_list>
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/php2.png)
Now let’s try uploading the script again.
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/success.png)
We have successfully uploaded the script.
Now we need to start a netcat listener. I am using port 1234, the same port (together with my host IP) that I put into the script we edited and uploaded.
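To make clear why the rename works, here is an added example (not code from the room or its upload panel) that models the single-extension blocklist the panel appears to use, next to a hardened check that allowlists the final extension, verifies the file’s magic bytes and stores the file under a server-chosen random name. The sample uploads and the image-only allowlist are constructed assumptions.

```python
# Added example: weak blocklist upload check vs. a hardened allowlist check.
import os
import secrets

# Constructed sample uploads: (client-supplied filename, leading bytes of content).
SAMPLE_UPLOADS = [
    ("shell.php",     b"<?php echo 'x'; ?>"),
    ("shell.phtml",   b"<?php echo 'x'; ?>"),
    ("shell.php5",    b"<?php echo 'x'; ?>"),
    ("shell.php.png", b"<?php echo 'x'; ?>"),
    ("photo.png",     b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
]

# Magic bytes of the only content types the hardened handler accepts
# (assumption: the form is meant for images only).
ALLOWED_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def weak_check(filename: str) -> bool:
    """Blocklist on one extension: the behaviour observed in Task 3.

    Anything not ending in exactly '.php' passes, so names such as
    '.phtml', '.php5' or 'x.php.png' can still reach the PHP handler."""
    return not filename.lower().endswith(".php")


def hardened_check(filename: str, data: bytes):
    """Allowlist on the final extension plus a magic-byte check of the content.

    Returns the server-chosen storage name, or None to reject. The stored
    name is a random token, so no client-controlled '.php' segment survives."""
    ext = os.path.splitext(filename)[1].lower()
    magic = ALLOWED_MAGIC.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    return secrets.token_hex(16) + ext


def evaluate(uploads=SAMPLE_UPLOADS):
    """Map each sample filename to (weak_check passes, hardened_check passes)."""
    return {name: (weak_check(name), hardened_check(name, data) is not None)
            for name, data in uploads}


if __name__ == "__main__":
    for name, (weak, hard) in evaluate().items():
        print(f"{name:15} weak={weak!s:5} hardened={hard}")
```

Only the real PNG passes the hardened check; every renamed PHP file that slipped past the blocklist is rejected on both extension and content.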
netcat:
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/netcat.png)
Now we gain a shell by executing the uploaded script from the http://<machine_ip>/uploads/ directory that we found earlier (see above).
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/uploads-directory.png)
Just click on one of them (some of them do not work properly; in my test .php5 and .phtml worked) and check back on your netcat listener.
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/nc-listener.png)
![](https://media.giphy.com/media/l0CLTexuIY7XStMTm/giphy.gif)
But the shell is a little uncomfortable to work in, so we’re going to upgrade it using Python.
Python:
First we’ll check if we have Python.
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/which-python.png)
And we can see that Python is installed.
We will now upgrade our shell using Python’s -c (command) flag.
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/bash.png)
And we can see that we have upgraded our shell to bash.
We will search for the user.txt file using the find command.
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/find.png)
We’ll look for a copy we have access to, like /var/www/user.txt.
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/user.txt.png)
Navigate to /var/www/user.txt.
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/cat-user.png)
#3.1 user.txt
THM{XXXXXXXXXXXXXXX}
Task 4 – Privilege escalation
We are going to use T1548.001: Abuse Elevation Control Mechanism: SUID and SGID (MITRE ATT&CK) technique.
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/python-sgid.png)
We have /usr/bin/python with the SUID permission set.
#4.1 user.txt
/usr/bin/python
We will try to escalate our privileges. To do this we will look up python on GTFOBins.
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/image-5.png)
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/image-6.png)
We can skip the first command, since the binary already has the SUID permission, and just run the second one.
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/os-execl.png)
We have successfully escalated our privileges and we can confirm we are root.
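From the defender’s side, the misconfiguration in this task is easy to audit. The following is an added example, not part of the room or of GTFOBins: it walks a directory tree, lists every regular file with the SUID bit set (the Python equivalent of the find command used above) and flags interpreters and shells such as the /usr/bin/python found here. The interpreter name pattern is a constructed, partial list.

```python
# Added example: SUID audit that flags interpreters, as an administrator would run.
import os
import re
import stat
import sys

# Interpreter / shell names that can hand out a shell when SUID (python, perl, ...).
# Constructed, partial pattern for illustration; versioned names like python2.7 match.
INTERPRETER_RE = re.compile(r"^(python|perl|ruby|php|bash|sh|dash)[\d.]*$")


def is_interpreter(name: str) -> bool:
    """True if the basename looks like a scripting interpreter or shell."""
    return INTERPRETER_RE.match(name) is not None


def find_suid(root: str = "/"):
    """Return [(path, is_interpreter)] for every regular SUID file under root.

    Symlinks are skipped (lstat) so a link to a SUID binary is not reported
    twice; unreadable entries are ignored, as with 'find ... 2>/dev/null'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                hits.append((path, is_interpreter(name)))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python3 suid_audit.py [root]; flagged entries are marked with [!].
    for path, flagged in find_suid(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(("[!] " if flagged else "    ") + path)
```

The fix on the box is simply to clear the bit (chmod u-s on the interpreter); a SUID interpreter has no legitimate use.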
#4.2 Find a form to escalate your privileges
No answer needed.
Let’s get our root flag.
Navigate to the /root/ directory to find root.txt.
![](https://ic3cr1pt0.com/wp-content/uploads/2022/02/root.txt.png)
#4.3 root.txt
THM{XXXXXXXXXXXXXXXXXXXX}
Congratulations on completing the room successfully!
I would be happy if you like and comment.
I really enjoyed making this content for you.
Be careful, the internet world is big.
-Chai Geydarov