InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


TryHackMe: RootMe

INTRODUCTION:

Hola Gente! As you all know from the title what this is about.

So let’s root

Task 1: Deploy the machine

Q1. Deploy the machine.

Task 2: Reconnaissance

To make things easier, I export the target IP as a shell variable to save time:

export IP=10.10.154.15

From now on, whenever you need the IP, just use $IP.

Now then, let's begin with scanning:

nmap -sV -oN nmap $IP

(screenshot: nmap results)

The scan shows two open ports:

80 (http) & 22 (ssh)

Let's poke around HTTP first (we don't have a username or credentials for an SSH connection). Browsing to the site we get:

http://$IP

(screenshot: http (80))

Nothing, just a simple page. Let's do some directory scanning:

gobuster dir -u http://$IP -w <wordlist>

(I used the 'directory-list-lowercase-2.3-medium.txt' wordlist.)

Found some interesting pages, one of them is:

http://$IP/panel

Task 3: Getting a shell

So there was an upload functionality on /panel.

So I uploaded my rev_shell.php with nc running in the background, but got no results (no reverse shell) :( Tried different extensions, i.e. png, jpg, html and php5, and had success. It was reflected on the web page.

As my rev_shell.php5 was uploaded, now it's time to access/run it.

Now, how do we access/run that file?

We found the /uploads directory in gobuster's results.

So we access the file via http://$IP/uploads (and click on the desired file) or via http://$IP/uploads/rev_shell.php5 (by specifying the file in the URL itself).
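The upload filter on /panel is the weak point here: it blocks .php but lets .php5 through, and the server still executes that file once it is requested under /uploads. As an added example (my own code, not part of the original write-up or the room), the block below contrasts that kind of extension blocklist with an allowlist-plus-content check that a hardened upload handler would use. File names, extension sets and the magic-byte table are assumptions for illustration.

```python
import os
import re

# Extensions that PHP-enabled web servers commonly hand to the interpreter.
# A blocklist that stops only ".php" misses the rest, which is exactly the
# gap the .php5 upload in the write-up walks through.
PHP_EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# Assumed policy for an image-only upload form.
ALLOWED_IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Constructed magic-byte table for the allowed types.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def naive_blocklist_check(filename):
    """The weak filter: reject only names ending in '.php'.

    Returns True when the upload would be accepted. 'rev_shell.php5' passes.
    """
    return not filename.lower().endswith(".php")


def allowlist_check(filename):
    """Hardened name check: basename only, one extension from the allowlist,
    and a stem with no dots so 'shell.php.png' style double extensions fail."""
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    if ext.lower() not in ALLOWED_IMAGE_EXTENSIONS:
        return False
    return SAFE_STEM.fullmatch(stem) is not None


def content_matches_extension(filename, data):
    """Check the file header against the claimed extension (assumed table above)."""
    ext = os.path.splitext(filename)[1].lower()
    return any(data.startswith(sig) for sig in MAGIC.get(ext, ()))


def accept_upload(filename, data):
    """Combined decision a defender's upload handler would make.

    Returns (accepted, reason). Storing the file under a server-chosen name
    outside the web root is the next step and is left to the caller.
    """
    if not allowlist_check(filename):
        return False, "extension or name not allowed"
    if not content_matches_extension(filename, data):
        return False, "content does not match extension"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a PNG header and a PHP payload-looking prefix.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    php_text = b"<?php echo 'x'; ?>"
    print("blocklist accepts rev_shell.php5:", naive_blocklist_check("rev_shell.php5"))
    print("allowlist accepts rev_shell.php5:", allowlist_check("rev_shell.php5"))
    print("photo.png with PNG bytes:", accept_upload("photo.png", png))
    print("photo.png with PHP bytes:", accept_upload("photo.png", php_text))
```

The point of the comparison is that an allowlist fails closed: any extension the server might execute is rejected by construction, so no list of PHP variants needs to be complete. Pairing it with a header check catches a correct extension on the wrong content; it is not a full parser, so treating uploads as static files (no execute permission in the upload directory) remains the decisive control.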

But before that, don't forget to start a listener; for that we use netcat:

nc -lnvp 4444

Now that you have done that, let's run the PHP script via the link we discussed earlier.

And yes, we got the rev-shell B-)

(screenshot: reverse shell)

After this, I tried some normal surfing, i.e. searching for the flag in /home, but no results. It was somewhere else. Then I remembered the command named 'find' (as the name suggests, it helps to find a file):

find / -name user.txt 2> /dev/null

And Peek-a-boom!!

Task 4: Priv Esc

Now let's check for Priv Esc tactics.

  1. I tried the sudo -l command, no luck :(
  2. Checked for SUID files:

find / -type f -perm -04000 -ls 2>/dev/null

and Voila!! We got one file: a python binary with the SUID bit set, so it runs with root privileges.
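A SUID interpreter is the finding that makes this box fall, and it is also the kind of thing a defender should catch before an attacker does. As an added example (my own code, not from the write-up or the room), the block below parses the output of the same find -perm -04000 -ls command used above and sorts each SUID binary into expected, unexpected, or critical (interpreter or shell); a second function does the same scan live with os.lstat. The baseline list of expected SUID binaries and the sample find output are constructed for this example, and a real audit would compare against the distribution's known-good image.

```python
import os
import stat

# Illustrative baseline of SUID binaries normally present on a Linux host
# (constructed for this example; compare against your image's package manifest).
EXPECTED_SUID = {"passwd", "sudo", "su", "mount", "umount", "ping", "newgrp", "chsh", "gpasswd"}

# Interpreters and shells: SUID on any of these hands out a root shell,
# which is the python case from the write-up.
INTERPRETERS = {"python", "perl", "ruby", "bash", "sh", "dash", "zsh", "node", "php"}


def classify(path):
    """Return a verdict string for one SUID binary, based on its basename."""
    name = os.path.basename(path)
    base = name.rstrip("0123456789.")  # python3.8 -> python, python2 -> python
    if base in INTERPRETERS or name in INTERPRETERS:
        return "critical: SUID interpreter"
    if name in EXPECTED_SUID:
        return "expected"
    return "review: unexpected SUID binary"


def parse_find_ls(lines):
    """Parse 'find / -type f -perm -04000 -ls' output.

    Each -ls line has 11 whitespace-separated fields: inode, blocks, mode string,
    links, owner, group, size, month, day, time-or-year, path. Splitting with
    maxsplit=10 keeps paths that contain spaces intact.
    Returns [(path, verdict)] for entries whose owner-execute slot shows the SUID bit.
    """
    results = []
    for line in lines:
        parts = line.split(None, 10)
        if len(parts) < 11:
            continue  # blank or truncated line
        mode, path = parts[2], parts[10]
        if mode[3] in "sS":  # 's' = SUID + exec, 'S' = SUID without exec
            results.append((path, classify(path)))
    return results


def scan_tree(root):
    """Live scan: walk root and return (path, verdict) for regular files with SUID set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                st = os.lstat(p)
            except OSError:
                continue  # permission denied or vanished file; skip like 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((p, classify(p)))
    return hits


# Constructed sample of find -ls output (not real scan results).
SAMPLE_FIND_LS = [
    "   131   44 -rwsr-xr-x   1 root     root        44664 Jan 25  2020 /usr/bin/passwd",
    "   242  156 -rwsr-xr-x   1 root     root       157192 Jan 20  2021 /usr/bin/sudo",
    "   915 3484 -rwsr-sr-x   1 root     root      3665768 Nov  7  2019 /usr/bin/python",
    "   402   40 -rwxr-xr-x   1 root     root        35000 Jan  1  2020 /usr/bin/ls",
    "   777   12 -rwsr-xr-x   1 root     root        12000 Feb  2  2021 /opt/tools/helper bin",
]

if __name__ == "__main__":
    for path, verdict in parse_find_ls(SAMPLE_FIND_LS):
        print(f"{verdict:32} {path}")
```

Remediation for a hit in the critical bucket is to clear the bit (chmod u-s on the binary) and find out what set it; unexpected entries go to the review bucket because custom helpers with SUID are common sources of the same problem.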

-> Checked for that on GTFOBins,

-> Ran the payload it lists for a SUID python:

python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

-> And BOOM, we are root, and got the root.txt flag :)

With this, we successfully completed the room. It was an amazing experience doing this challenge. If you liked it, consider giving a clap :)

Links:

|| Room || Twitter || GitHub ||

Published in InfoSec Write-ups


Written by Naman Jain

Security Researcher @Credshields | Smart Contract Auditor
