exploit quest

TryHackMe: RootMe CTF

7 minutes

TryHackMe’s RootMe CTF room is targeted towards beginners and entails the basics of network enumeration, web server enumeration, reverse shells, and privilege escalation.

We’ll begin by starting up our machine, the IP of which will be referenced to as [IP] from here on. You can now either use the dedicated attack box provided by TryHackMe or you can use your own machine running Kali Linux and connect to the network via their VPN.

Note: Some answers and flags will not be directly mentioned to encourage attempting the CTF on your own.

Network enumeration

The room starts by asking us to find open ports on the machine. We can achieve this by using the nmap tool which can be used to perform network discovery.

We can use the tool by running the following command: nmap -sV [IP]

Note: The -sV flag tells nmap to probe the open ports to try and gather service/version information (this can come in use later to determine whether a vulnerable version of the service is being used so we can attempt to exploit it).

The results from nmap are as follows:

22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))

Here we’re able to see 2 open ports on the machine, it is important to note down these services for later as they could all be possible attack vectors.

Web server enumeration

The room asks us to use GoBuster to enumerate the web server and find hidden directories. GoBuster is a tool that allows us to run a brute-force attack on a web server using a word list of potential directory or file names in an attempt to discover hidden files on the web server.

We can initiate the attack by using the following command: gobuster dir -u [IP] -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt

Note: We have to specify dir when using GoBuster if we want to brute-force directories or files as GoBuster also has the option of brute-forcing DNS which is not necessary for this CTF. The -u flag allows us to specify a URL or IP and finally the -w flag lets us specify a word list file. The word list we are using is provided by default on Kali distributions and is usually satisfactory for most beginner CTFs unless specified otherwise.

GoBuster then brute-forces the web server and provides us with the directories it found, the most notable of which is the /panel directory. Navigating to it in a browser reveals a file upload page that can be used in the next stage of our attack.

PHP reverse shell

The room now asks us to find a form to upload and get a reverse shell. First, let’s start by testing this form and seeing how it reacts when we upload an arbitrary file.

When uploading a simple JPEG file, we receive a success message in Portuguese and a hyperlink at the bottom of the page that when clicked, displays the file we just uploaded. Perhaps we could achieve a reverse shell if we can upload a PHP script to the server then display (execute) the PHP file via this hyperlink? Let’s try it.

A quick Google search of “PHP reverse shell” gives us many results, the script I picked can be found here. However, before we upload it to the site we must first modify it and replace the $ip variable with our local IP. When connected to the TryHackMe VPN, your local IP can be found using the following command: ip addr show tun0 | grep "inet "

Once we’ve modified the script, we must now set up a reverse shell listener on our attack box, we can do this by typing the following command: nc -lvp 1234

Note: The nc/netcat command is a network utility that can be used to read and write data across network connections via TCP or UDP. We can use the -l flag to use netcat for listening on a specific port for connections, we can then use the -v flag for verbose logging and the -p flag for specifying the port. In this case, we are using port 1234 as it is the default port in the script linked above, other scripts may use a different port or you can modify the script to choose your own port.

Now that we are listening for connections, all that’s left to do is upload the reverse shell PHP script. However, we run into a problem, the upload form has blocked PHP scripts from being uploaded, luckily, we can easily bypass this by using an alternative file extension which is still recognised as a PHP script by the web server, we can do this by renaming the file extension from .php to .phtml.

After renaming the file, we can re-upload the script and it should be successful, once the script is uploaded simply click the hyperlink at the bottom of the page to execute the script and return to your terminal with netcat to receive a reverse shell.

File system enumeration

We were told to get a reverse shell then find a file named “user.txt”, we can find this file by running the following command in the reverse shell: find / -name user.txt 2>/dev/null

Note: The find command is being used to search the / (source) directory for all the files named “user.txt” using the --name flag, finally, the command ends with 2>/dev/null which will discard all error messages so we can easily analyse the output of the command.

Once we’ve found the file we can use cat [file] to display the flag.

Privilege escalation

The final flag requires us to access the /root directory, unfortunately, we do not have permission to access it with our current account. To access the directory we must first escalate our privileges by exploiting a vulnerability or misconfiguration of permissions.

The room asks us to check the SUID files, SUID files are executables that can be run with the permissions of the file owner. To list useful SUID files, we can use the following command: find / -user root -perm /4000 2>/dev/null

Note: The find command is once again being used to search all files in the source folder, but this time it is being used to search for all files that have SUID permission with the user as root, we are also once again discarding any errors to make it easier to analyse the output.

After running the command, we are presented with a list of SUID files which we can use to potentially escalate our privileges, however, the file which sticks out the most is the /usr/bin/python file, which we can use to run custom scripts as root.

Let’s start by finding a way to open a root shell via Python, we can do so by searching for Python on GTFOBins. By scrolling down to the SUID section, we find the following command: python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

After running the command we are given access to a root shell, we can verify this by using the whoami command to display the current account’s username, which should be root. Now we can finally type cat /root/root.txt to receive the final flag and complete the CTF. :]