TryHackMe Rootme CTF Walkthrough

Hello everyone. This machine is very beginner friendly, which stengthens your basics. Concepts learnt here are:

  1. Directory Brute Forcing
  2. File extension filter bypass
  3. Reverse shell
  4. Privilege escalation ( Becoming root)

Enumeration : Port Scanning

First, let’s scan the IP and find out which ports are open. We can use a simple command which used default nmap scripts and detects the version of the programming running.

nmap -sV -sC 10.10.18.56

The output will be similar to the following one.

nmap output

We can see that 2 ports are open. Port 22 in which SSH will be running and port 80 in which web server is hosted.

Directory Brute Forcing:

Let’s check out the website by entering IP address of the machine in address bar.

webpage

We can see the home page of the website. Now we need to see whether the web has any hidden directories. So we need to do Directory brute forcing. We can use a simple tool called Gobuster, which enumerates hidden sub directories. To install it click on the link: Gobuster-Github . The command we use is:

gobuster dir -u http://10.10.18.56 -w /usr/share/wordlists/dirb/common.txt

GoBuster

After the -w parameter, you need to mention the path of wordlist. Bydefault case it is in /usr/share/wordlists/dirb. The result looks similar to the following:

File Extension Filter Bypass:

We found that there is /panel directory, when we navigate to that page, we can see that we can upload images. Here is the place where we need to observe properly. When we try to upload .php files, it is getting rejected. It’s allowing only jpeg/gif. We need to try to bypass the filters to get a reverse shell.

PHP file for getting reverse shell is by default stored in /usr/share/webshells/php/php-reverse-shell.php

For uploading php shells by bypassing filters we can try to change the extension of the file to any of the following:

  1. .php5
  2. .phtml
  3. .php%00.gif

Before uploading you need to change few things in the php code. Use any text editor like nano and open the php code. Navigate to ip parameter, there you need to remove the given IP and replace it with your IP (ifconfig tun0). You can change the port to any port you wish and remember the port number.

I tried .php5 extension and it worked successfully. Now we need to setup a listener. For this, use the following command:

nc -lvnp 4444

Replace 4444 with the port number you specified in the php code.

File extension bypass

Reverse Shell:

Now navigate to the page where your code is uploaded and reload it. You can find that…… you got a reverse shell in terminal.

Reverse Shell

Now search for user.txt file and you will get the flag.

Privilege Escalation:

This is the most important part and trickiest part of the whole process. We need to escalate our privileges and become root user. For that we need to check for files with SUID permissions. For that use the following command:

find / -type f -user root -perm -4000 2>/dev/null

You can see that /usr/bin/python has SUID permissions. We need to escalate that by using few commands. For getting the commands navigate to the website here and search for python in search box. There you can see something similar to the given image.

Now copy the code given, i.e

python -c “import os; os.execl(‘/bin/sh’, ‘sh’, ‘-p’)”

If your getting error by copying the code from website, then copy the code that I mentioned above. You can see that I swapped the quote marks. After pasting the command given……. BOOOM!!!

We are root user now, we had escalated our privileges to root user. Now it’s easy to find root.txt file.

That’s it for now, as I said this machine is beginner friendly and it enhances our basics.

Follow me on Instagram : https://instagram.com/tridevreddyguntaka

Follow me on Twitter: https://twitter.com/ReddyTridev