Skip to main content

TRYHACKME-ROOT_ME

 


TryHackMe: Root Me. Having fun with TryHackMe again. So… | by Hafiq Iqmal | Medium 
TryHackMe : RootMe CTF Writeup (Detailed)
 
Let’s dive in!!
 


Task 1- Deploy the machine
Create a directory for your ctf machine on Desktop and a directory for nmap
Task 2- Reconnaissance
Nmap Scan :
nmap -sC -sV -oN nmap/rootme <MACHINE_IP>
-sC : Default scripts
-sV : Version detection
-oN : Output to be stored in the directory ‘nmap’ you created earlier
Nmap Scan Output
There are 2 ports open :
22/ssh — OpenSSH 7.6p1
80/http — Apache httpd 2.4.29
OS detected — Linux
#1.1. Scan the machine, how many ports are open?
Ans: 2
#1.2. What version of Apache are running?
Ans: 2.4.29
#1.3. What service is running on port 22?
Ans: ssh
Gobuster :
Gobuster standard output
gobuster dir -u http://<MACHINE_IP> -w <PATH_TO_WORDLIST>
-u : URL
-w : Wordlist
Gobuster output using below flags
Additionally you can use more flags in gobuster :
-q : quiet , silent scan . Will hide banner .
-o : Output to be stored in the directory
-x : Search for extensions e.g. html,txt,php,phtml etc.
#1.4. Find directories on the web server using the GoBuster tool.
Ans: No answer needed
#1.5. What is the hidden directory?
Ans: /panel/
Task 3- Getting a shell
Navigate to URL http://<MACHINE_IP>
Its always good to check the source code of the page for any interesting information laid out that could be helpful in our enumeration process.
View Source of the URL page . Ctrl+U
As you can see nothing is interesting in the source code for us so we will start looking into the directories found in gobuster.
There is a hidden directory /panel/.
We can upload a file in the /panel/ directory.
For this task we will upload php reverse shell script. I frequently use pentestmonkey php-reverse-shell.php script to try to gain a reverse shell using netcat.
Git Link to download the script or clone in terminal : https://github.com/pentestmonkey/php-reverse-shell
Make your php-reverse-shell script executable by using the command :
chmod +x php_reverse_shell.php .
Open the script in editor and change the $ip and $port to your host machine’s IP and port you want to listen on.
Now you have configured the script . We will proceed furthur and upload the script.
Upload failed!! This is because php is not allowed to be uploaded. Therefore we will try to bypass the upload by changing the file extension. To further understand File Name Bypass, see the exhibits below:
We will rename the script using the command:
mv php_reverse_shell.php php_reverse_shell.phtml
Let’s try uploading the script again.
We have successfully uploaded the script. Leading to our next step, we will start a listener on netcat. I am using 9001 port and I have already inserted the same port alongside the host IP of my machine in the script that we uploaded.
We are listening on port 9001.
Now we have to gain shell by executing the uploaded script in the <MACHINE_IP>/uploads/ directory.
Execute the script and check back to see your netcat listener.
Voila!!
We have successfully gained shell.
BUT the shell is not a stable shell.
How do we get a stable shell? Let me show the way.
$ python -c ‘import pty;pty.spawn(“/bin/bash”)’
Ctrl+Z
stty raw -echo
fg
export TERM=xterm
We have a stable shell now.
The above commands will let you now autocomplete by TAB, clear screen, navigate around the shell easily.
Let's hunt for our user flag!
The find command was quite useful and located the user.txt file pretty easily for us saving us time to manually search the flag’s location.
Navigate to /var/www/user.txt
#3.1 user.txt
Ans: THM{XXXXXXXXXXXX}
Task 4- Privilege Escalation
To look for the files with SUID permission we can use the command:
find / -type f -user root -perm -4000 2>/dev/null
#4.1 Search for files with SUID permission, which file is weird?
Ans: /usr/bin/python
We have the /usr/bin/python with SUID permission, we will try to escalate our privileges.
My first spot is to go to https://gtfobins.github.io/ look for possible privilege escalation commands for elevating the privileges.
Search python in the search bar.
Always read the description before copying commands. We can skip the first command as the binary has already SUID permission. Copy the second command and paste in the shell to see if it works. Remove ./ from the command and run it.
python -c ‘import os; os.execl(“/bin/sh”, “sh”, “-p”)’
YES!! It indeed works.
We have successfully escalated our privileges.
We can confirm we are root.
#4.2 Find a form to escalate your privileges.
Ans: No answer needed.
Let’s get our root flag.
Navigate to /root/folder to find your root.txt
#4.3 root.txt
Ans: THM{XXXXXXXXXXXX}
CONGRATULATIONS!!! YOU HAVE COMPLETED THE ROOM!!!
If you liked the post and the post has helped you in any way possible, let me know in comments or sharing the love by claps.
This is my first-ever medium post and first-ever tryhackme walkthrough. I really enjoyed making this as detailed as possible for anyone who wants to learn doing CTFs. The RootMe CTF is aimed at beginners and I will recommend all beginners to try this box and root it.
Thanks for taking out the time.
 
STAY SAFE. HAPPY HACKING

Comments

Post a Comment

Popular posts from this blog

What is Bug Bounty in Cyber Security 2022?

Task 1 | What is Penetration Testing? Before teaching you the technical hands-on aspects of ethical hacking, you'll need to understand more about what a penetration tester's job responsibilities are and what processes are followed in performing pentests (finding vulnerabilities in a client's application or system).   The importance and relevancy of cybersecurity are ever-increasing and can be in every walk of life. News headlines fill our screens, reporting yet another hack or data leak.   Cybersecurity is relevant to all people in the modern world, including a strong password policy to protect your emails or to businesses and other organizations needing to protect both devices and data from damages.   A Penetration test or pentest is an ethically-driven attempt to test and analyze the security defenses to protect these assets and pieces of information. A penetration test involves using the same tools, techniques, and methodologies that someone with malicio...
Post a Comment
Read more

WHAT IS SESSION HIJACKING?

  What is Session Hijacking? A session is the period of time when you as a user are actively accessing an application, website, or other online service. Each user session begins when you log into a website or app and ends when you log out of it. For example, when you type your username and password into a banking application, that begins your session on that online application. When you log into an online application, for example, amzon.com, their server typically generates a temporary session cookie in your browser. This cookie tells your browser that you are logged in and have been authenticated on the server by Amazon. Each temporary session cookie is marked by a unique session ID, or key. If a hacker is able to access your unique session ID, they can access your session. Let us take the example of Facebook. For example, when you log into Facebook, a session begins. This allows you to keep using Facebook (even if you close and reopen the web browser) until you click on ‘log out’...
Post a Comment
Read more