TryHackMe : RootMe CTF Writeup (Detailed) | Samirul Haque | @iamsamirhq | tryhackme | rootme

Let’s Start :)

Task 1 - Deploy the machine

Create a directory for your CTF machine on Desktop and a directory for nmap.

Task 2 - Reconnaissance

Nmap Scan :

nmap -sC -sV -oN nmap/rootme <MACHINE_IP>

  • -sC : Default scripts
  • -sV : Version detection
  • -oN : Output to be stored in the directory ‘nmap’ you created earlier

There are 2 ports open :
22/ssh — OpenSSH 7.6p1
80/http — Apache httpd 2.4.29
OS detected — Linux

#1.1. Scan the machine, how many ports are open?
Ans: 2
#1.2. What version of Apache are running?
Ans: 2.4.29
#1.3. What service is running on port 22?
Ans: ssh

Let’s try with Gobuster :

gobuster dir -u http://<MACHINE_IP> -w <PATH_TO_WORDLIST>

  • -u : URL
  • -w : Wordlist

Additionally you can use more flags in gobuster :

  • -q : quiet , silent scan . Will hide banner .
  • -o : Output to be stored in the directory
  • -x : Search for extensions e.g. html,txt,php,phtml etc.

#1.4. Find directories on the web server using the GoBuster tool.
Ans: No answer needed
#1.5. What is the hidden directory?
Ans: /panel/

Task 3 - Getting a shell

Navigate to URL http://<MACHINE_IP>

Its always good to check the source code of the page for any interesting information laid out that could be helpful in our enumeration process.
View Source of the URL page . Ctrl+U

As you can see nothing is interesting in the source code for us so we will start looking into the directories found in gobuster.

There is a hidden directory /panel/.

We can upload a file in the /panel/ directory.

For this task we will upload php reverse shell script. I frequently use pentestmonkey php-reverse-shell.php script to try to gain a reverse shell using netcat.
Git Link to download the script or clone in terminal : https://github.com/pentestmonkey/php-reverse-shell

Make your php-reverse-shell script executable by using the command :
chmod +x php_reverse_shell.php .
Open the script in editor and change the $ip and $port to your host machine’s IP and port you want to listen on.

Now you have configured the script . We will proceed furthur and upload the script.

Upload failed!! This is because php is not allowed to be uploaded. Therefore we will try to bypass the upload by changing the file extension. To further understand File Name Bypass, see the exhibits below

We will rename the script using the command:
mv php_reverse_shell.php php_reverse_shell.phtml

We have successfully uploaded the script. Leading to our next step, we will start a listener on netcat. I am using 9001 port and I have already inserted the same port alongside the host IP of my machine in the script that we uploaded.

We are listening on port 9001.
Now we have to gain shell by executing the uploaded script in the <MACHINE_IP>/uploads/ directory.

Execute the script and check back to see your netcat listener.

hahaha we got it!!
We have successfully gained shell.
BUT the shell is not a stable shell.
How do we get a stable shell? Let me show the way.

$ python -c ‘import pty;pty.spawn(“/bin/bash”)’
Ctrl+Z
stty raw -echo
fg
export TERM=xterm

We have a stable shell now.
The above commands will let you now autocomplete by TAB, clear screen, navigate around the shell easily.

Let’s hunt for our user flag!

The find command was quite useful and located the user.txt file pretty easily for us saving us time to manually search the flag’s location.

Navigate to /var/www/user.txt

#3.1 user.txt
Ans: THM{XXXXXXXXXXXX}

Task 4 - Privilege Escalation

To look for the files with SUID permission we can use the command:
find / -type f -user root -perm -4000 2>/dev/null

#4.1 Search for files with SUID permission, which file is weird?
Ans: /usr/bin/python

We have the /usr/bin/python with SUID permission, we will try to escalate our privileges.
My first spot is to go to https://gtfobins.github.io/ look for possible privilege escalation commands for elevating the privileges.
Search python in the search bar.

Always read the description before copying commands. We can skip the first command as the binary has already SUID permission. Copy the second command and paste in the shell to see if it works. Remove ./ from the command and run it.

python -c ‘import os; os.execl(“/bin/sh”, “sh”, “-p”)’

YES!! It indeed works.
We have successfully escalated our privileges.
We can confirm we are root.

#4.2 Find a form to escalate your privileges.
Ans: No answer needed.

Let’s get our root flag.

Navigate to /root/folder to find your root.txt

#4.3 root.txt
Ans: THM{XXXXXXXXXXXX}

CONGRATULATIONS!!! YOU HAVE COMPLETED THE ROOM!!!

If you liked the post and the post has helped you in any way possible, let me know in comments or sharing the love by claps.
This is my first-ever medium post and first-ever tryhackme walkthrough. I really enjoyed making this as detailed as possible for anyone who wants to learn doing CTFs. The RootMe CTF is aimed at beginners and I will recommend all beginners to try this box and root it.

Thanks for taking out the time.

Follow me on Medium.

More writeups on the way.

Take Care, Stay Safe, and Keep Hacking!

-Samirul Haque

Follow me on TryHackme : https://tryhackme.com/p/iamsamirhq

Follow me on Linkedin : https://www.linkedin.com/in/iamsamirhq/

Follow me on Instagram : https://www.instagram.com/iamsamirhq/

Follow me on Twitter : https://twitter.com/iamsamirhq

Follow me on Facebook : https://www.facebook.com/iamsamirhq/

Follow me on Github : https://github.com/iamsamirhq

Gautam Kumawat Paid Ethical Hacking Course in Free Free Link : https://youtube.com/playlist?list=PLG6mugKB7amaes1YMhlw8i42j3xJi9jgY

Best of Luck Guyzz ;)

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store