TryHackMe : RootMe CTF Writeup (Detailed) | Samirul Haque | @iamsamirhq | tryhackme | rootme

Rootme :)

Let’s Start :)

Task 1 - Deploy the machine

Task 1

Create a directory for your CTF machine on Desktop and a directory for nmap.

Making Directory

Task 2 - Reconnaissance

Task 2

Nmap Scan :

nmap -sC -sV -oN nmap/rootme <MACHINE_IP>

  • -sC : Default scripts
  • -sV : Version detection
  • -oN : Write normal-format output to a file (here nmap/rootme, inside the ‘nmap’ directory you created earlier)
nmap report

There are 2 ports open :
22/ssh — OpenSSH 7.6p1
80/http — Apache httpd 2.4.29
OS detected — Linux

#1.1. Scan the machine, how many ports are open?
Ans: 2
#1.2. What version of Apache is running?
Ans: 2.4.29
#1.3. What service is running on port 22?
Ans: ssh

Let’s try with Gobuster :


gobuster dir -u http://<MACHINE_IP> -w <PATH_TO_WORDLIST>

  • -u : URL
  • -w : Wordlist
Found Dir

Additionally, you can use more flags in gobuster:

  • -q : Quiet mode; hides the banner.
  • -o : Write the output to a file
  • -x : Search for file extensions, e.g. html,txt,php,phtml

#1.4. Find directories on the web server using the GoBuster tool.
Ans: No answer needed
#1.5. What is the hidden directory?
Ans: /panel/

Task 3 - Getting a shell

Navigate to URL http://<MACHINE_IP>

It’s always good to check the source code of the page for any interesting information that could be helpful in our enumeration process.
View the page source with Ctrl+U.

source code (Ctrl + U)

As you can see nothing is interesting in the source code for us so we will start looking into the directories found in gobuster.

There is a hidden directory /panel/.

:) File upload

We can upload a file in the /panel/ directory.

For this task we will upload php reverse shell script. I frequently use pentestmonkey php-reverse-shell.php script to try to gain a reverse shell using netcat.
Git Link to download the script or clone in terminal :

php reverse shell

Make your php-reverse-shell script executable by using the command:
chmod +x php_reverse_shell.php
Open the script in an editor and change $ip and $port to your host machine’s IP and the port you want to listen on.

change this

Now you have configured the script. We will proceed further and upload the script.

); upload fail

Upload failed!! This is because PHP files are not allowed to be uploaded. Therefore we will try to bypass the upload filter by changing the file extension. To further understand File Name Bypass, see the exhibits below.

;) Let’s do it
:) got it

We will rename the script using the command:
mv php_reverse_shell.php php_reverse_shell.phtml
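
Why the rename works, seen from the server side, as an added example (not code from the room or from the original post): a filter that only rejects a named extension is compared with one that only accepts known image types and stores the file under a server-generated name. The denylist contents, the image policy and the function names are assumptions made for illustration.

```python
import os
import uuid
from typing import Optional

# Assumption: the lab's filter acts like a denylist that names only ".php".
DENYLIST = {".php"}

# Hypothetical policy for an image-upload feature: extension -> leading bytes.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def denylist_accepts(filename: str) -> bool:
    """Weak check: anything not explicitly denied is accepted."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENYLIST


def allowlist_store_name(filename: str, data: bytes) -> Optional[str]:
    """Hardened check: return a server-generated name, or None to reject."""
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    magic = MAGIC.get(ext)
    # Reject unknown extensions and content that does not match the type.
    if magic is None or not data.startswith(magic):
        return None
    # Never reuse the client's name: the stored file gets a random stem and
    # exactly one allowlisted extension.
    return uuid.uuid4().hex + ext


if __name__ == "__main__":
    script = b"<?php /* constructed placeholder body */ ?>"
    png = MAGIC[".png"] + b"constructed image bytes"
    for name, body in [
        ("php_reverse_shell.php", script),
        ("php_reverse_shell.phtml", script),
        ("php_reverse_shell.png", script),
        ("avatar.PNG", png),
    ]:
        print(name, denylist_accepts(name), allowlist_store_name(name, body))
```

The complementary control is to serve the upload directory with script execution disabled, so a file that slips past validation is never interpreted.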

;) hahahaha

We have successfully uploaded the script. As our next step, we will start a listener with netcat. I am using port 9001 and I have already inserted the same port alongside the host IP of my machine in the script that we uploaded.

Listening via netcat

We are listening on port 9001.
Now we have to gain shell by executing the uploaded script in the <MACHINE_IP>/uploads/ directory.

Execute the script and check back to see your netcat listener.

hahaha we got it!!
We have successfully gained shell.
BUT the shell is not a stable shell.
How do we get a stable shell? Let me show the way.

Python shell

$ python -c 'import pty;pty.spawn("/bin/bash")'
stty raw -echo
export TERM=xterm

We have a stable shell now.
With the above commands you can now autocomplete with TAB, clear the screen, and navigate around the shell easily.

Let’s hunt for our user flag!

The find command was quite useful: it located the user.txt file pretty easily, saving us the time of manually searching for the flag’s location.

Navigate to /var/www/user.txt

;) got it

#3.1 user.txt

Task 4 - Privilege Escalation

Task 4

To look for the files with SUID permission we can use the command:
find / -type f -user root -perm -4000 2>/dev/null

SUID Binaries
python ;)

#4.1 Search for files with SUID permission, which file is weird?
Ans: /usr/bin/python
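
The same search turned into a hardening audit, as an added example (not part of the original post): it mirrors the find command above and marks SUID interpreters such as the /usr/bin/python found here as high-risk. The interpreter list, function names and verdict labels are assumptions chosen for illustration.

```python
import os
import stat

# Constructed, non-exhaustive list: general-purpose interpreters and shells
# have no reason to carry the SUID bit.
INTERPRETERS = ("python", "perl", "ruby", "php", "bash", "dash", "sh")


def classify(path, mode, uid, owner_uid=0):
    """Return None (not SUID and owned by owner_uid), 'review' or 'high-risk'."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID or uid != owner_uid:
        return None
    name = os.path.basename(path)
    for interp in INTERPRETERS:
        suffix = name[len(interp):]
        # Match "python" as well as versioned names such as "python2.7".
        if name == interp or (
            name.startswith(interp) and suffix.replace(".", "").isdigit()
        ):
            return "high-risk"
    return "review"


def audit(root="/", owner_uid=0):
    """Equivalent of: find <root> -type f -user root -perm -4000"""
    findings = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished entry
            verdict = classify(path, st.st_mode, st.st_uid, owner_uid)
            if verdict:
                findings.append((verdict, path))
    return sorted(findings)


if __name__ == "__main__":
    for verdict, path in audit("/usr/bin"):
        print(f"{verdict:10} {path}")
```

Anything reported as high-risk should have the bit removed with chmod u-s; the remaining entries are worth comparing against a known-good baseline for the distribution.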

Since /usr/bin/python has the SUID permission, we will try to use it to escalate our privileges.
My first stop is to look up possible privilege escalation commands for the binary.
Search for python in the search bar.

Always read the description before copying commands. We can skip the first command as the binary already has the SUID permission. Copy the second command and paste it in the shell to see if it works. Remove ./ from the command and run it.

python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

get root access :)

YES!! It indeed works.
We have successfully escalated our privileges.
We can confirm we are root.

#4.2 Find a form to escalate your privileges.
Ans: No answer needed.

Let’s get our root flag.

Navigate to the /root/ folder to find your root.txt

Finally hurrh!

#4.3 root.txt


If you liked the post and it has helped you in any way, let me know in the comments or share the love with claps.
This is my first-ever medium post and first-ever tryhackme walkthrough. I really enjoyed making this as detailed as possible for anyone who wants to learn doing CTFs. The RootMe CTF is aimed at beginners and I will recommend all beginners to try this box and root it.

Thanks for taking out the time.

Follow me on Medium.

More writeups on the way.

Take Care, Stay Safe, and Keep Hacking!

-Samirul Haque


Best of Luck Guyzz ;)




Cyber Security Expert | Certified Ethical Hacker | Trainer and mentor | CTF Player | Writeups writer
