CTF Walkthroughs, TryHackMe

TryHackMe – RootMe Walkthrough

June 15, 2021 | by Stefano Lanaro | Leave a comment

Introduction

This was an easy Linux machine that involved exploiting a vulnerable file upload functionality to gain initial access and Python with the SetUID bit assigned to it to escalate privileges to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions
  • -Pn to skip the host discovery phase, as some hosts will not respond to ping requests
  • -oA to save the output in all formats available

The scan has come back with two open ports: 22 (SSH) and 80 (HTTP), the next step will be to start enumerating HTTP.

Enumerating HTTP

The following page comes up when browsing to the site:

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target URL
  • -w to specify the word list to use
  • -x to specify the extensions to enumerate
  • -t to specify the number of concurrent threads

The scan has revealed a /panel entry, when visiting it a file upload functionality is displayed:

Copying the Laudanum PHP Reverse Shell to the current working directory and updating the IP address and port:

Attaching the shell to the file upload page:

Exploiting File Upload Functionality

It appears PHP files are not allowed by this functionality:

After a bit of testing, it appears that other executable file types are allowed, so intercepting the request with Burp and changing the extension to PHTML:

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

This time the upload worked. Files are moved to the /uploads folder once uploaded (as Gobuster as shown above).. Navigating to the PHTML reverse shell to trigger it:

A callback on the Netcat listener was received, granting a shell as the www-data user:

The following steps can be done to obtain an interactive shell:

  • Running “python -c ‘import pty; pty.spawn(“/bin/sh”)’” on the victim host
  • Hitting CTRL+Z to background the process and go back to the local host
  • Running “stty raw -echo” on the local host
  • Hitting “fg + ENTER” to go back to the reverse shell

Using the find command to identify the location of the user.txt flag:

It appears to be in the www-data user’s home directory.

Privilege Escalation

Using the following command to identify any binaries with SUID/GUID permissions assigned to them:

find / -perm -u=s -type f 2>/dev/null; find / -perm -4000 -o- -perm -2000 -o- -perm -6000

Upon consulting GTFOBins, it appears that this can be exploited (as expected), by simply using the exec function from the OS Python library, to execute /bin/sh with the -p flag, which allows to execute binaries as the owner of them:

Executing the command grants root-level access to the box:

Conclusion