TryHackMe : RootMe CTF Writeup

Abdullah Hamza
7 min read · Oct 27, 2023



To access the box click on the following link

Reconnaissance

First, let’s get information about the target.

We can use nmap to scan the ports on the target IP. The following command performs a port scan of the host at 10.10.199.204 for all ports from 1 to 10,000, using an aggressive timing template.

nmap -p-10000 -T4 10.10.199.204
  • -p-10000: scans ports 1 to 10,000. Port scanning reveals which ports are open and helps identify the services running on the target host.
  • -T4: sets the timing template to "aggressive". It makes the scan faster but noisier, which increases the chance of being detected.

nmap scan results

The following two ports are open:

Port 22 (SSH)

Port 80 (HTTP)

Finding server

The following command tells Nmap to perform a detailed scan of port 80 on the target host, the port typically used for web services (HTTP). The aggressive scan (-A) gathers as much information as possible about the service on that port, including the operating system and service version.

nmap -A -p80 10.10.199.204
  • -A: enables aggressive scanning, which includes OS detection, version detection, script scanning, and traceroute.
  • -p80: restricts the scan to port 80. Port 80 is commonly used for HTTP, so this scan looks specifically for information about the web service on the target host.

nmap scan results
Reconnaissance answers

Directory busting

Now we can use the ffuf tool for directory busting. The following command is used to find directories on a target IP or web application.

ffuf -u http://10.10.199.204/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
  • -u http://10.10.199.204/FUZZ: specifies the target URL in which the FUZZ keyword is replaced by entries from the wordlist. FUZZ acts as a placeholder that is substituted with directory and file names from our wordlist.
  • -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt: specifies the wordlist file to use for directory and file brute-forcing. raft-medium-directories.txt is a common wordlist for this purpose.

The command makes requests to the target URL, substituting FUZZ with entries from the wordlist, and so tries to access various directories and files in order to discover hidden resources. This is a common technique in web application security testing for finding potentially sensitive information or vulnerabilities.

Directory busting using FFuF

We found two hidden directories, panel and uploads, that can be useful for penetration testing.

Directory busting results

Let’s navigate to the machine IP. In this case the page doesn’t look interesting.

Target IP

Let’s navigate to the hidden panel directory we discovered. It offers an upload option, so we will try to upload a reverse shell script to get shell access.

Panel directory on target IP

Reverse Shell attack

For this task we will upload a PHP reverse shell script. You can get the script from the following link:

https://github.com/pentestmonkey/php-reverse-shell

Change the IP and port in the script to the ones on which you want to start the listener. In my case I chose port 3344.

Reverse Shell Script

Uploading script

When we try to upload the PHP script, the page responds with the error "Upload failed!!", because .php files are not allowed to be uploaded. Therefore we will try to bypass the filter by changing the file extension.

Upload Failed on Target

Bypass upload

To bypass the filter we can change the file extension with Burp Suite.

Intercept the POST request with Burp Suite and send it to Intruder.

Intercept traffic with Burp Suite

Mark the file name extension as the payload position.

Adding variable in place of extension

Set the payload type to a simple list and add different extensions such as phtml, php2, php4, etc., as shown in the image below.

Adding extensions to payload list

Start the attack. The status code is 200 for each request, which shows that the script file was uploaded with each of the different extensions.

Attack Successful with status code 200:OK

We can verify this by navigating to the uploads page in the browser.

Upload Page showing all uploaded scripts
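The upload panel above rejects only a literal .php suffix, so every other extension the server still executes as PHP passes through. The following added example (written for this writeup, not the room's source code) reconstructs that deny-list check beside an allow-list check that also verifies the file's magic bytes and never stores the client-supplied name; the sample file names and contents are constructed.

```python
import os
import secrets

# Deny-list as the panel behaves: only a literal ".php" suffix is rejected, so
# the alternative extensions tried with Intruder (phtml, php2, php4, phtm)
# pass and are still run as PHP. Reconstructed for illustration.
DENY_LIST = {".php"}

# Hardened alternative: an allow-list of the image types the panel actually
# needs, each paired with the magic bytes its content must start with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def denylist_accepts(filename):
    """Vulnerable check: blocks only what is explicitly listed."""
    return os.path.splitext(filename)[1] not in DENY_LIST

def allowlist_accepts(filename, head):
    """Hardened check: the extension must be allow-listed (compared in lower
    case) and the leading bytes must match that type's signature."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False
    return any(head.startswith(sig) for sig in ALLOWED[ext])

def stored_name(filename):
    """Never reuse the client's name: generate a random one and keep only the
    validated extension, so nothing user-controlled reaches the disk path."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext

# Constructed samples of what the panel might receive (name, first bytes).
SAMPLES = [
    ("photo.png", b"\x89PNG\r\n\x1a\n...."),
    ("shell.php", b"<?php ..."),
    ("shell.phtml", b"<?php ..."),
    ("shell.php2", b"<?php ..."),
    ("shell.phtm", b"<?php ..."),
    ("fake.png", b"<?php ..."),  # allowed extension, wrong content
]

def compare_filters(samples=SAMPLES):
    """Return {filename: (denylist_accepts, allowlist_accepts)} per sample."""
    return {name: (denylist_accepts(name), allowlist_accepts(name, head))
            for name, head in samples}

if __name__ == "__main__":
    for name, (weak, strong) in compare_filters().items():
        print(f"{name:12} deny-list={weak!s:5} allow-list={strong!s:5}")
```

Even with the allow-list, the uploads directory should be served with script execution disabled (for Apache with mod_php, `php_admin_flag engine off` in that directory's configuration), so a file that slips through is never executed.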

Reverse Shell Attack

Start a listener on the port we specified in the reverse shell script using the following command:

nc -lvp 3344
  • nc: invokes netcat, a versatile networking utility for reading from and writing to network connections.
  • -l: tells netcat to listen for incoming connections.
  • -v: makes netcat run in verbose mode, printing detailed information about connections.
  • -p 3344: specifies the port number to listen on, in this case port 3344.

Listener started on port 3344

Click on the scripts we uploaded one by one. In my case the .phtm extension worked.

Uploads page

Go back to the terminal where we started the listener: we have successfully gained a shell.

Reverse Shell

Execute the whoami command to get the username.

Whoami command result

Hunt for User flag

Let’s hunt for our user flag! Use the following command to find user.txt:

find / -type f -name user.txt
  • find: the command for searching files and directories.
  • /: the starting directory for the search, here the root directory.
  • -type f: includes only regular files in the search, excluding directories and other file types.
  • -name user.txt: the name of the file to search for, in this case user.txt.

The find command is very useful: it located user.txt immediately, saving us the time of searching for the flag’s location manually.

User file found

Use the cat command to view user.txt in the terminal.

View content with cat command
User flag on tryhackme

Privilege Escalation

The room asks: search for files with SUID permissions, which file is weird?

Use the following find command to search for such files:

find / -perm -u=s -type f 2>/dev/null
  • find: the command for searching files and directories.
  • /: the starting directory for the search, here the root directory, so the entire file system is searched.
  • -perm -u=s: matches files based on their permissions; u=s selects files with the setuid (SUID) bit set. SUID is a special permission that makes a program run with the privileges of the file's owner rather than of the user who runs it.
  • -type f: includes only regular files in the search, excluding directories and other file types.
  • 2>/dev/null: redirects error messages (permission denied, etc.) to /dev/null, suppressing them so they do not clutter the results.

find command results

We have /usr/bin/python with the SUID bit set, so we will try to use it to escalate our privileges. To do so, visit the following link and look for possible privilege escalation commands.

Search python in the search bar and click on SUID.

Web browser

Always read the description before copying commands. We can skip the first command, because the binary already has the SUID bit set.

privilege escalation command

Copy the second command and paste it into the shell to see if it works. Replace ./ in the command with the full path we found (/usr/bin/python) and run it. It worked, and we are now logged in as root.

privilege escalation command
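The defender's counterpart to the SUID hunt above is a periodic audit that lists SUID files, compares them against a known-good baseline and treats any SUID interpreter (the case of /usr/bin/python here) as critical, then clears the bit. This is an added example written for this writeup, not code from the room; the baseline set is an illustrative subset and the paths used in the demonstration are constructed.

```python
import os
import re
import stat

# Binaries that legitimately carry the SUID bit on a stock Ubuntu install.
# Assumption: illustrative subset; build the real baseline from a clean image.
BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/gpasswd", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/pkexec",
}

# Interpreters must never be SUID: they execute whatever the caller feeds
# them, which is exactly why /usr/bin/python is the "weird" file in this room.
INTERPRETER = re.compile(r"^(python|perl|ruby|php|bash|sh|dash|zsh|node|lua)[0-9.]*$")

def find_suid(root="/"):
    """Return the sorted paths of regular files under `root` with the SUID bit
    set: the same set as `find / -perm -u=s -type f`, without shelling out."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # permission denied or vanished: find's 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def classify_suid(paths, baseline=BASELINE):
    """Split SUID paths into expected (in baseline), unexpected (not in
    baseline) and critical (an interpreter, whatever the baseline says)."""
    expected, unexpected, critical = [], [], []
    for p in paths:
        if INTERPRETER.match(os.path.basename(p)):
            critical.append(p)
        elif p in baseline:
            expected.append(p)
        else:
            unexpected.append(p)
    return expected, unexpected, critical

def remediate(path):
    """Clear the SUID bit (the equivalent of chmod u-s) and return the new mode."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~stat.S_ISUID)
    return stat.S_IMODE(os.lstat(path).st_mode)

if __name__ == "__main__":
    _, odd, crit = classify_suid(find_suid("/"))
    print("unexpected SUID files:", odd)
    print("critical (SUID interpreters):", crit)
```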

Capture root flag

Use the cd command to navigate into the root directory.

Use the ls command to list the files in root.

Use the cat command to view the content of the flag file.

Root flag captured

Paste the captured flag into the Privilege escalation question box on TryHackMe.

CONGRATULATIONS!!! The room is completed!

I hope you had a great time reading my writeup and discovered some exciting new tricks. Stay tuned for the next adventure! 🚀😊


Written by Abdullah Hamza

Developer | CEH | Penetration Tester | Red Team
