TryHackMe: RootMe CTF Writeup

Jacob Masse
5 min read · Feb 21, 2021


RootMe

Task 1 — Deploying the machine

Before we start anything, we have to deploy the machine. You can do so by clicking the “Deploy Machine” button in the first section.

Once you have completed this, click the button confirming that you have deployed the machine to finish the first task.

Task 2 — Recon

In this section, we will be gathering recon on the machine by running scans with tools like Nmap and GoBuster.

First, let’s start with Nmap:

From this Nmap scan, we can see that two ports are open: 22, running SSH, and 80, running an Apache 2.4.29 web server.

My next step was brute-forcing web directories with dirsearch. It is available on GitHub for everyone at https://github.com/maurosoria/dirsearch. On TryHackMe, it said to use GoBuster, but either works.

After running a dirsearch scan, I noticed two directories that interested me; they are marked in red.

Destination of /panel/

/panel is going to be the main focus of the CTF, and is going to be where we get our shell.

Destination of /uploads

/uploads is just a directory where any uploaded file will be stored, which is also where we will access our uploaded shell later.

Task 3 — Getting a shell

I’m sure that there are multiple ways to get a shell on this box, but here is how I did it.

First, I fired up weevely to make my shell (you can use any web shell, this is just my preference)

Generating a shell with weevely

Once my shell was made, I tried uploading it as-is to see what would happen, and I got this message back from the web server:

Attempt to upload

My first attempt showed clearly that I could not upload a PHP file, so I went to look up different ways to bypass a blacklist. The first link that popped up was a blog post from Null Byte that gave a good description of several ways to do it.

Link: https://null-byte.wonderhowto.com/how-to/bypass-file-upload-restrictions-web-apps-get-shell-0323454/

The first thing I tried from this link was the ‘.php5’ trick. I renamed the shell from ‘shell.php’ to ‘shell.php5’ and it uploaded!

Renaming shell
shell.php5 has uploaded!

Once we have the shell, we can go to /uploads and see that our shell is in the directory. If it’s not, you did something wrong and might have to go back and retry.

shell.php5 in the /uploads/ directory
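The reason the rename worked is that the upload form checks a denylist (is the extension literally `.php`?) instead of an allowlist. The following added example is not part of the original writeup or of the room; it is a constructed Python model of that weak check beside a hardened validator of the kind a defender would put behind an upload form. The allowed extensions, the filename pattern and the sample bytes are assumptions chosen for illustration.

```python
import os
import re
import secrets
from typing import Tuple

# --- Weak check (constructed to mirror the behaviour seen in the room) ---
# A denylist of one extension: any name whose extension is not exactly
# ".php" gets through, so "shell.php5" is accepted. Whether the server
# then executes it depends on how Apache maps extensions to the PHP handler.
DENYLIST = {".php"}

def denylist_accepts(filename: str) -> bool:
    """Return True if the weak denylist check would accept this name."""
    _, ext = os.path.splitext(filename.lower())
    return ext not in DENYLIST

# --- Hardened check ---
# 1. Allowlist only the extensions the feature needs (assumed here: images).
# 2. Reject double extensions and any character outside a strict pattern.
# 3. Require the file body to start with the magic bytes for that extension.
# 4. Store under a server-generated name so the client never chooses it.
ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif"}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). On success the reason is the stored name."""
    # basename() drops any directory components the client supplied
    stem, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if ext not in ALLOWLIST:
        return False, "extension not allowed"
    if not SAFE_STEM.match(stem):
        # catches "shell.php.jpg", spaces, null bytes and other oddities
        return False, "bad filename"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    stored = secrets.token_hex(16) + ext
    return True, stored

if __name__ == "__main__":
    print("denylist accepts shell.php5:", denylist_accepts("shell.php5"))
    print(validate_upload("shell.php5", b"<?php echo 1; ?>"))
    print(validate_upload("cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```

Even with this validator in place, the directory that receives uploads should not be able to execute scripts at all (for mod_php, `php_admin_flag engine off` in that directory's `<Directory>` block, or storing uploads outside the web root), so that a validation slip does not become code execution.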

Now that we have the PHP web shell on the web server, we can grab our first flag: the user's flag.

I did this fairly easily with weevely. I first ran the command at the top with the location of the shell in red, and the password I set on the shell in green. A session opened and I started going through directories. I ran the command “cd ..” first to go back a directory, found nothing, and then repeated my action to find the user.txt file. I got the contents of the file with the cat command.

Task 4 — Privilege Escalation

To start off this task, I ran the command ‘find / -user root -perm /4000’ and looked for a ‘weird’ file. Something stood out to me, and that was python.

I went to GTFOBins (https://gtfobins.github.io/) and looked up “python” in the search bar.

Python popped up, and I clicked on it. First, I tried “SUID”, and it failed. Then, I tried “sudo” and it failed. I’m not sure if this is a problem on my machine or with the target machine, but my next attempt was “File read”.

File read section on GTFOBins

I modified the command for our system, changing “file_to_read” to “/root/root.txt”, because normally that is where the flags are stored for the root user.

I ran the command and we did it! It returned the root flag as a non-sudo user, which we are able to put into TryHackMe to finish the room.
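The root flag was readable only because a root-owned SUID copy of python existed; a SUID interpreter hands whoever runs it root's file access, which is what `find / -user root -perm /4000` surfaced. The following added example, not part of the original writeup or of the room, is a Python audit that applies the same test as that find command and flags SUID-root files that are interpreters or other known escalation primitives. The set of flagged names and the sample entries are constructed assumptions for illustration.

```python
import os
import re
import stat
from typing import Iterable, Iterator, List, Tuple

# Names that give arbitrary code execution or file access to whoever runs
# them; none of these should carry the SUID bit as root. The set is an
# assumption for this example (GTFOBins documents many more).
DANGEROUS_SUID = {
    "python", "perl", "ruby", "php", "node", "lua", "bash", "sh", "dash",
    "zsh", "vim", "vi", "nano", "less", "more", "awk", "gawk", "find",
    "env", "tar", "cp", "mv", "dd",
}
_NAME_PREFIX = re.compile(r"^[a-z]+")  # "python3.6" -> "python", "perl5" -> "perl"

def is_suid_root(mode: int, uid: int) -> bool:
    """True when the SUID bit is set and the owner is root (uid 0):
    the same condition `find / -user root -perm /4000` matches."""
    return uid == 0 and bool(mode & stat.S_ISUID)

def is_dangerous(path: str) -> bool:
    m = _NAME_PREFIX.match(os.path.basename(path).lower())
    return bool(m) and m.group(0) in DANGEROUS_SUID

def audit(entries: Iterable[Tuple[str, int, int]]) -> List[Tuple[str, str]]:
    """Classify (path, st_mode, st_uid) triples. Returns every SUID-root
    regular file, tagged 'dangerous' for known escalation primitives and
    'review' for everything else (passwd, sudo and friends are expected)."""
    findings = []
    for path, mode, uid in entries:
        if not stat.S_ISREG(mode) or not is_suid_root(mode, uid):
            continue
        findings.append((path, "dangerous" if is_dangerous(path) else "review"))
    return findings

def scan_filesystem(root: str = "/") -> Iterator[Tuple[str, int, int]]:
    """Yield (path, mode, uid) for files under root, skipping pseudo-filesystems
    and entries we cannot stat; feed the result to audit()."""
    skip = {"/proc", "/sys", "/dev", "/run"}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            yield p, st.st_mode, st.st_uid

# Constructed sample mirroring the finding in the room: a root-owned SUID
# python sitting next to the normal SUID utilities.
SAMPLE = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/bin/python", 0o104755, 0),
    ("/usr/bin/sudo", 0o104755, 0),
    ("/usr/bin/python3", 0o100755, 0),    # executable but not SUID
    ("/home/user/tool", 0o104755, 1000),  # SUID but owned by a normal user
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE):
        print(f"{verdict:10} {path}")
```

On a real host, `audit(scan_filesystem())` lists what needs attention; the fix for a `dangerous` hit is `chmod u-s` on that binary (an interpreter has no legitimate reason to be SUID), and the `review` entries should be compared against what the distribution's packages install so that an unexpected addition stands out.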

Why are you not showing the flags?

I didn’t show the flags because the point of a CTF is to try and apply your skills, not to get it from an online article. These writeups/walkthroughs are here for help if you get stuck on a certain part of a box, not as an instruction manual. Please also seek help in the TryHackMe Discord if you need more help!

That’s it for me, cya!

Written by Jacob Masse

Developer | Pentester | Director of Operations @ TrazTech Solutions LLC https://www.linkedin.com/in/jacob-masse-836371226/
