Tryhackme rootme writeup

Link to the room here.

difficulty:easy

This room is a simple boot2root challenge.

Task 1: Deploy and go!

Task 2: Recon

From the first ask, we need to perform recon on the machine.

1.Scan the machine, how many ports are open?

This requires an nmap scan for open ports. We use a quick nmap scan to find any open ports.

We find 2 ports open and two services running on those ports.

2.What version of Apache is running?

A service and version detection scan should do the trick! The result of this scan also gives the answer to question 3 XD

3.What service is running on port 22?

See (2) above!

4.Find directories on the web server using the GoBuster tool.What is the hidden directory?

A GoBuster scan for hidden directories using usr/share/wordlists/dirb/common.txt wordlist(parrot pre-installed) gives us a correct flag!

Task 3: Getting a shell!

Since the IP has port 80 open and a http service is running from there, we ought to visit the IP from a browser to see if we’ll get anything. Looking at the website, nothing we can use to exploit the site and gain shell :(

Luckily we found a hidden directory found previously and we find an option to upload files(looks like a file upload vulnerability) and from here we can upload our payload and get shell!

We upload pentestmonkey’s reverse shell php script(script can be found here).The site seems to have blacklisted files with .php extension therefore we try one with a .php5 extension(file name bypass) and it accepts!

shell.php
shell.php5

NOTE:One should change the IP to tun0’s IP and default listening port(1234) to another port of one’s choosing for it to work.

In order to get a shell, we should first listen using netcat using the port number specified in the reverse shell script.

Accessing the payload from the site should spawn a reverse shell.

http://$IP/uploads/shell.php5

Task 4: Privilege escalation

1.Search for files with SUID permission, which file is weird?

In order to search for a file with SUID permissions, we ought to run the following command:

find / -user root -perm /4000

usr/bin/python stands out since by default it should not be granting non sudoer users sudo permissions.

We can exploit this by visiting GTFObins and find an exploit vector.

We find an entry for the python binary

./python -c ‘import os; os.execl(“/bin/sh”, “sh”, “-p”)’

NOTE: The above command has to be run inside the /usr/bin directory for it to work.

Yaaay!! we got root!

root

The last flag can be found in the /root dir.