Tryhackme: RootMe — WalkThrough

Today, we will be doing CTF from TryHackMe called RootMe which is labeled as a beginner-level room that aims at teaching basic web-security, Linux exploration, and Privilege Escalation. Without further ado, let’s connect to our THM OpenVPN network and start hacking!!!

Reconnaissance

From above results, we can clearly see two of the ports are open.

• Port 22 (SSH)
• Port 80 (HTTP)

Let’s navigate to the web-page hosted by the machine at port 80. However, nothing interesting was found in this page.

Out of our arsenal, we then took out dirsearch script to scan for the hidden directories inside the web-server.

Immediately after running the script, we got to find two hidden directories: uploads and panel. So, let’s check them out.

• 10.10.37.65/panel is where we are able to upload files (restricted) to the server.
• 10.10.37.65/uploads is the directory where all the files we uploaded from the panel gets stored.

This upload panel can be a good attack surface. Lets try the file-upload vulnerability as our attack vector i.e, if we become successful in uploading a malicious script to the server which can make a reverse connection back to our attacking machine then our work is done.

Popping a reverse shell !!!

The basic idea here is to upload a PHP script to the server using the panel whose sole job is to connect back to our local attacking machine for which we need to be listening on a certain port using netcat for this connection. Through Local File Inclusion, we would be able to execute the script which will give us a command-shell leading to Remote Code Execution on the box.

Lets upload the script php-reverse-shell.php. Remember to change $ip and $port variables inside.

Script from Pentest-Monkey. Can also be found at at /usr/share/webshells/php.

But, wait! We are not being able to upload the script. It looks like there is some extension filtering thing going on. So, the challenge here is to bypass this filter.

After multiple unsuccessful trials and a bit of research, I got to know phtml exists 🙂 which is functionally similar to PHP. So I modified php-reverse-shell.php to php-reverse-shell.phtml and checked. Voila! Uploaded successfully.

Making the connection

We are listening on the port 9001.

Now, lets execute the script by just including it in the URL and we get our TCP connection to the box. We have now got the shell access of the machine.

/bin/sh was used to pop a reverse shell which is not that comfortable to use. Its now time to get a proper shell and work around comfortably.So we used pty module to spawn bash.

Environment variable TERM should be exported as xterm. For bash auto completion-feature, hit Ctrl+Z to background the process and run the command below.

Finally, hit fg (fore-ground) command and ⏎ ⏎ to bring our reverse shell back into view. Lets start capturing the flags.

Reading user flag

Privilege Escalation

Hunting for SUID binaries

While looking for unusual binary with SUID bit set, /usr/bin/python looks weird. I searched for it in GTFOBins to see if any techniques exist for escalating our privileges to root. And yeah it exists.

Getting root shell and reading the flag