This is my write-up for the machine on TryHackMe called RootMe:

I first ran an nmap scan on the IP address:

sudo nmap -T4 -A

This is the output I got:

Starting Nmap 7.91 ( ) at 2021-09-20 15:45 EDT
Nmap scan report for
Host is up (0.10s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
|   256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_  256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HackIT - Home
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1025/tcp)
1   36.67 ms
2   ... 3
4   100.50 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 27.63 seconds

My first step was to visit the website on port 80:

There seems to be nothing on the website other that the following text. I then ran feroxbuster with the big.txt file from the Seclists Github repository:

Two links stood out to me:

My assumption was to upload the pentestmonkey php-reverse-shell and then get a webshell using that. I first updated the script to have my information in it (IP and port):

Apparently PHP is not permitted:

I then though about using an alternative php version like phtml. That worked... a bit:

However, I was not able to get a shell on the system. I then tried the original pentestmonkey script, but then I changed the extension to be .phtml, and it worked:

At this point, I had realized that I had to answer questions on the TryHackMe site.

Scan the machine, how many ports are open? 2

What version of Apache is running? 2.4.29

What service is running on port 22? ssh

What is the hidden directory? /panel/

Back to the shell, I was trying to find the user.txt file. It was not in the home directory folders. I then ran:

find / -name user.txt

I then saw the following in the big output:

I then got the user.txt flag:

I then had to view the hint provided to see what command I should run to check for files with SUID permission. They recommended find / -user root -perm /4000. I ran that command and noticed a couple commands I could potentially use:

On TryHackMe, the format of the question seems to be in the following format:

This means that the executable has to be 6 letters in size. I tried /usr/bin/python and it worked. I went to GTFOBins and searched on it for python. I then came across the following:

I ran this code, but modified it to read the file from the root directory:

python -c 'print(open("/root/root.txt").read())'

I then got the flag:

Last updated