TryHackMe: Root Me
--
Having fun with TryHackMe again. So, here is the write-up and guideline to pass this Root Me challenge.
Room: https://tryhackme.com/room/rrootme
Level: Easy
Task: A CTF for beginners, can you root me?
Let's get started.
Scan the full port range and collect every piece of information available for this machine's IP:
# nmap -A -T4 -sS -sV -p- 10.10.78.111
....
....
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| 256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_ 256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HackIT - Home
....
....
There are 2 ports open: 22 and 80. Next, we need to find out whether there are any hidden directories, since there is no hint in the webpage source code:
# gobuster dir -u 10.10.78.111 -w wordlists/dirbuster/directory-list-2.3-medium.txt -t 20
....
/uploads (Status: 301) [Size: 314] [--> http://10.10.78.111/uploXXX/]
/css (Status: 301) [Size: 310] [--> http://10.10.78.111/css/]
/js (Status: 301) [Size: 309] [--> http://10.10.78.111/js/]
/panel (Status: 301) [Size: 312] [--> http://10.10.78.111/paXXX/]
....
....
There are 2 directories available. Opening the /paXXX path shows the file upload page.
OK, now let's try to upload a c99 shell.
The file upload blocks files with the .php extension. Let's rename it to .php5 and see if the upload allows it.
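The extension filter described above, next to a hardened version, as an added example that is not part of the original write-up or the room's code. The room's real filter is not shown on the page, so the denylist here is an assumed model of it, and all function names, the allowlist contents and the sample filenames are constructed for illustration.

```python
import os
import secrets
from typing import Optional

# Assumed model of the filter the write-up ran into: only ".php" is refused.
DENYLIST = {".php"}

# Hardened policy (hypothetical): only these image types are accepted.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif"}


def denylist_accepts(filename: str) -> bool:
    """Weak check: refuse only the extensions named in DENYLIST."""
    ext = os.path.splitext(filename)[1]
    return ext not in DENYLIST


def allowlist_store_name(filename: str) -> Optional[str]:
    """Hardened check: return a server-chosen storage name, or None to reject.

    The extension is normalised before comparison and the client-supplied
    base name is discarded, so nothing the uploader typed reaches the disk.
    """
    base = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWLIST:
        return None
    return secrets.token_hex(16) + ext


# Constructed sample uploads; ".php5" is the rename used in the write-up.
SAMPLES = ["shell.php", "shell.php5", "holiday.PNG", "notes.txt"]


def compare(samples=SAMPLES):
    """Map each name to (denylist accepts?, allowlist accepts?)."""
    return {n: (denylist_accepts(n), allowlist_store_name(n) is not None)
            for n in samples}


if __name__ == "__main__":
    for name, (weak, strong) in compare().items():
        print(f"{name:12} denylist={'accept' if weak else 'reject':7}"
              f"allowlist={'accept' if strong else 'reject'}")
```

An allowlist on the extension is only one layer: the upload directory should also be configured so the web server never executes anything stored in it.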