TryHackMe: RootMe Walkthrough
RootMe is an easy box from TryHackMe that tests directory busting and the exploitation of an unrestricted file upload vulnerability.
I urge you: please attempt this room yourself before reading this walkthrough. You can find the room here: https://tryhackme.com/room/rrootme
Task 1 for this box is simply to deploy the machine, which requires no answer. So we will skip right over to Task 2.
Task 2: Reconnaissance
In this instance, the box lives at 10.10.110.108 (my local IP address is 10.6.31.233). Let’s get things started with a quick nmap scan:
nmap -T4 -A -p- 10.10.110.108 -oN nmap.txt
There are a few questions we can answer right off the bat with this information:
Question 1: How many ports are open?
Answer: 2
Ports 22 and 80 are open.
Question 2: What version of Apache is running?
Answer: 2.4.29
This is running on port 80.
Question 3: What service is running on port 22?
Answer: SSH
Not much we can do with that OpenSSH port right now, so let’s take a look at that website:
Nothing interesting on this main page: no clickable links, no login form, nothing.
To save you some time, there isn’t anything special in the page source code either.
Instead, let’s see if we can find some hidden directories on this server that aren’t immediately shown to us.
Question 4: Find directories on the webserver using the GoBuster tool.
gobuster dir -u http://10.10.110.108/ -w /usr/share/wordlists/dirb/big.txt
Question 5: What is the hidden directory?
Answer: /panel/
Entries like /.htpasswd and /.htaccess are standard in an Apache deployment, but this /panel directory is a little suspect. Let’s take a look at it:
Sweet, looks like we have an upload form here! Any files uploaded here will appear in /uploads, so we’ll have an easy way to execute anything we upload to the server.
Task 3: Getting a shell
We’re on our own for this one; there are no basic questions here to guide us along. Thankfully this seems pretty straightforward: we can go ahead and try to upload a PHP reverse shell and execute it from the /uploads directory.
For this, I will be using the infamous php-reverse-shell.php from pentestmonkey. You can grab it here:
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
Just copy and paste this code into a text file, and change the information below:
Once this is changed, go ahead and save this as a .php file, and it’s ready for upload!
Let’s upload this to the website, navigate to and select the file as you would normally:
Click Upload:
Doesn’t seem like the machine liked that very much…
We’ll have to take a look at which PHP file extensions this machine does accept. We can capture the upload in BurpSuite, then replay it with several different file extensions and see which ones work.
After firing up Burp and turning on our proxy, attempt the file upload again and observe the POST request populate into Burp:
Send to intruder, and set positions as follows:
This will ensure that our payload will only apply to the file extension in the request.
As for our payloads, we will be giving Burp the following PHP extensions:
There are several more that we can attempt, but for the sake of time, these five will suffice.
Start attack, and look over the HTTP responses once finished:
We already know that a .php file will result in a failure, hence the failure message in the HTTP response. But let’s take a look at php5:
Success! This php-reverse-shell.php5 is going to be our ticket to a shell! And thankfully, since BurpSuite actually brute-forced the file upload, the shell is already there for us:
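To show why the upload check failed, here is an added Python example (not the room’s PHP and not the author’s code) that puts a blacklist modelled on the /panel behaviour beside an allowlist check; the set of permitted image extensions is an assumption.

```python
"""
Added example (not part of the original walkthrough): a blacklist that only
refuses ".php" lets "php-reverse-shell.php5" through, while an allowlist of
permitted, non-executable extensions rejects anything it does not know.
"""
import os

# Constructed allowlist for an image-upload form (assumption: the form is
# meant to accept pictures only).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


def blacklist_check(filename: str) -> bool:
    """Weak check modelled on /panel: only the exact '.php' extension is refused."""
    _, ext = os.path.splitext(filename)
    return ext != ".php"


def allowlist_check(filename: str) -> bool:
    """Hardened check: strip directories, normalise case, accept only known-safe extensions."""
    base = os.path.basename(filename)
    if not base or base.startswith("."):      # empty name or dotfile such as .htaccess
        return False
    _, ext = os.path.splitext(base)
    return ext.lower() in ALLOWED_EXTENSIONS


def evaluate(filenames):
    """Return {filename: (blacklist_result, allowlist_result)} for side-by-side comparison."""
    return {f: (blacklist_check(f), allowlist_check(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample uploads; the first two names come from the walkthrough.
    samples = ["php-reverse-shell.php", "php-reverse-shell.php5", "avatar.PNG", ".htaccess"]
    for name, (weak, strong) in evaluate(samples).items():
        print(f"{name:26s} blacklist={'accept' if weak else 'reject':6s} "
              f"allowlist={'accept' if strong else 'reject'}")
```

The blacklist accepts php-reverse-shell.php5, which is exactly what the Burp run found; the allowlist rejects it and every other unknown extension.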
Let’s go ahead and set up a listener with netcat and pop a shell!
nc -nvlp <port you set in php-reverse-shell.php5>
Once we click on php-reverse-shell.php5, we should gain a shell:
Success! We now have a shell on this machine as the user www-data.
Question 1: user.txt
Answer: Can’t give you that one, but it is located in /var/www/user.txt. Cat that file out and get your user flag!
Task 4: Privilege Escalation
Now that we have a user shell, we can attempt to escalate our privileges to root.
Normally I would recommend running LinEnum.sh or LinPEAS, but in this case, TryHackMe does point us in the right direction; we’ll be abusing an abnormal SUID binary.
The following command can be used to find all binaries on the system that have the SUID bit set:
find / -perm -u=s -type f 2>/dev/null
Pro-tip: run this command on your Kali machine as well; provided that you haven’t added any SUID binaries on your own machine, this is useful for cross-checking to find any binaries that are inconsistent.
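The cross-check from the pro-tip as an added Python script (not part of the original walkthrough): it collects SUID files under a directory and reports any that are missing from a baseline; the baseline set here is constructed and would in practice be generated on a trusted reference host with the find command above.

```python
"""
Added example (not part of the original walkthrough): audit SUID binaries
against a baseline, the way the pro-tip compares the target to a Kali box.
On this machine /usr/bin/python would be the unexpected entry.
"""
import os
import stat

# Constructed baseline of SUID binaries expected on a stock install.
# Assumption: build the real one on a trusted host with
#   find / -perm -u=s -type f 2>/dev/null
BASELINE = {
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/bin/su",
    "/bin/mount",
}


def collect_suid(root="/"):
    """Walk `root` and return (path, owner_uid) for regular files with the SUID bit set."""
    found = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)           # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_uid))
    return found


def unexpected_suid(entries, baseline=BASELINE):
    """Return SUID entries absent from the baseline, root-owned ones first."""
    extra = [(p, uid) for p, uid in entries if p not in baseline]
    return sorted(extra, key=lambda e: (e[1] != 0, e[0]))


if __name__ == "__main__":
    # Constructed entries mirroring the walkthrough's finding; on a live host
    # call unexpected_suid(collect_suid("/")) instead.
    sample = [("/usr/bin/passwd", 0), ("/usr/bin/sudo", 0), ("/usr/bin/python", 0)]
    for path, uid in unexpected_suid(sample):
        print(f"unexpected SUID binary: {path} (owner uid {uid})")
```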
Question 1: Which file is weird?
Answer: /usr/bin/python
This one isn’t normally a SUID binary: python is present on our Kali machine too, but it is not listed as SUID there.
Question 2: Find a method to escalate your privileges.
We can utilize an excellent resource called GTFOBins. You can see it here:
This website lists several common Linux binaries and ways in which they can be exploited to bypass local security restrictions.
Thankfully for us, /usr/bin/python does have a SUID entry on this site. Let’s take a look at it:
Some stuff to unpack here:
- The first command will create a new copy of the python binary with the SUID bit set. Since ours already has the SUID bit set, we can skip this command.
- The second command uses python to run /bin/sh. Since the python binary is A) owned by root and B) runs as the file’s owner rather than the user executing it because of the SUID bit, this second command runs /bin/sh as root and gives us a root shell.
Copy and paste that command into the shell:
./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
NOTE: you must first cd into /usr/bin to run this command as-is. Otherwise, you will have to provide the absolute path to the binary.
You are now root!
Question 3: root.txt
Answer: Can’t give you this one either. But it is located in /root/root.txt. Cat that file out and submit your root flag.