RootMe

This is my write-up for the machine on TryHackMe called RootMe: https://tryhackme.com/room/rrootme

I first ran an nmap scan on the IP address:

sudo nmap -T4 -A 10.10.78.153

This is the output I got:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-20 15:45 EDT
Nmap scan report for 10.10.78.153
Host is up (0.10s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
|   256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_  256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HackIT - Home
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=9/20%OT=22%CT=1%CU=38132%PV=Y%DS=4%DC=T%G=Y%TM=6148E50
OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)SEQ
OS:(SP=103%GCD=1%ISR=10D%TI=Z%CI=Z%TS=A)OPS(O1=M506ST11NW7%O2=M506ST11NW7%O
OS:3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST11NW7%O6=M506ST11)WIN(W1=F4B3%W2=
OS:F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F507%O=M506NNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1025/tcp)
HOP RTT       ADDRESS
1   36.67 ms  10.6.0.1
2   ... 3
4   100.50 ms 10.10.78.153

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.63 seconds

My first step was to visit the website on port 80:

There seems to be nothing on the website other than the following text. I then ran feroxbuster with the big.txt wordlist from the SecLists GitHub repository:

Two links stood out to me:
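From the defender's side, the enumeration step above leaves a very distinctive trace: a wordlist scanner produces a burst of 404 responses from one client in a few seconds, while a browsing user produces at most the odd one. The following added example (my own code, not part of the write-up or the room) parses Apache "combined" access-log lines and flags client IPs whose 404 rate inside a short sliding window exceeds a threshold. The log lines, IP addresses and user-agent strings are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache "combined" access-log lines (not from the room): one browsing client
# (10.10.14.5) and one wordlist scanner (10.10.14.7). The scanner's user agent is included
# only to show it is a weak signal; the detection below keys on the 404 rate instead.
SAMPLE_LOG = """\
10.10.14.5 - - [20/Sep/2021:15:50:01 -0400] "GET /index.php HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
10.10.14.7 - - [20/Sep/2021:15:50:02 -0400] "GET /.bashrc HTTP/1.1" 404 275 "-" "feroxbuster/2.3.3"
10.10.14.7 - - [20/Sep/2021:15:50:02 -0400] "GET /.cache HTTP/1.1" 404 275 "-" "feroxbuster/2.3.3"
10.10.14.7 - - [20/Sep/2021:15:50:03 -0400] "GET /.config HTTP/1.1" 404 275 "-" "feroxbuster/2.3.3"
10.10.14.7 - - [20/Sep/2021:15:50:03 -0400] "GET /admin HTTP/1.1" 404 275 "-" "feroxbuster/2.3.3"
10.10.14.7 - - [20/Sep/2021:15:50:04 -0400] "GET /backup HTTP/1.1" 404 275 "-" "feroxbuster/2.3.3"
10.10.14.7 - - [20/Sep/2021:15:50:04 -0400] "GET /panel HTTP/1.1" 301 312 "-" "feroxbuster/2.3.3"
10.10.14.7 - - [20/Sep/2021:15:50:05 -0400] "GET /images HTTP/1.1" 301 313 "-" "feroxbuster/2.3.3"
10.10.14.5 - - [20/Sep/2021:15:51:10 -0400] "GET /css/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Sep/2021:15:51:11 -0400] "GET /favicon.ico HTTP/1.1" 404 275 "-" "Mozilla/5.0"
"""

# Field layout of the combined log format: client, ident, user, [timestamp], "request", status, size, "referer", "ua".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], TS_FORMAT)
    fields["status"] = int(fields["status"])
    return fields


def detect_enumeration(log_text, threshold=5, window=timedelta(seconds=10)):
    """Flag client IPs that produce at least `threshold` 404s inside any interval of length `window`.

    Returns {ip: {"count": total_404s, "first": ts, "last": ts}} for the flagged IPs only.
    Malformed lines are skipped rather than aborting the scan.
    """
    not_found = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            not_found[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in not_found.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # advance the left edge until the window spans at most `window`
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"count": len(stamps), "first": stamps[0], "last": stamps[-1]}
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} x 404 between {info['first']} and {info['last']}")
```

With the defaults, the scanner address is flagged after its fifth miss within two seconds and the browsing client (one missing favicon) is not; tune `threshold` and `window` to the site's normal 404 background before alerting on it.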

My plan was to upload the pentestmonkey php-reverse-shell and use it to get a shell. I first edited the script to put my own details (IP address and port) into it:

Apparently PHP files are not permitted:

I then thought about using an alternative PHP extension such as .phtml. That worked... a bit:

However, I was not able to get a shell on the system. I then went back to the original pentestmonkey script, changed only the extension to .phtml, and it worked:
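The reason the rename works is worth spelling out for anyone building an upload form: the server rejected the name ".php" but Apache's PHP handler on Ubuntu is mapped to several extensions, .phtml among them, so a deny-list that names one extension does not stop executable content. The added example below (my own code, not the room's; the room's real filter is not shown on the page, so the deny-list is an assumed stand-in for the symptom) places a weak extension deny-list beside a hardened check that allow-lists image extensions, refuses double extensions, verifies the file's magic number against the claimed type, and lets the server pick the stored name. The sample contents are constructed.

```python
import os
import secrets

DENIED_EXTENSIONS = {".php"}                              # weak: a deny-list of the one name that came to mind
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}   # hardened: explicit allow-list for an image upload

# Leading bytes of the allowed image formats, used to check that content matches the claimed type.
MAGIC_NUMBERS = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

# Constructed sample contents for the checks below.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16        # PNG signature plus padding
PHP_SAMPLE = b"<?php echo 'constructed sample'; ?>"     # script text of any kind, not a payload


def weak_check(filename):
    """Deny-list by extension: rejects shell.php but accepts shell.phtml (the bypass seen on this box)."""
    return os.path.splitext(filename)[1].lower() not in DENIED_EXTENSIONS


def hardened_check(filename, content):
    """Allow-list the extension, refuse double extensions, and verify the content's magic number."""
    base = os.path.basename(filename)       # ignore any directory component the client supplies
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False                        # "shell.php.png", ".png" and "noext" are all refused;
                                            # some handler configs act on every extension in a name
    ext = "." + parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    for magic, magic_ext in MAGIC_NUMBERS.items():
        if content.startswith(magic):
            return magic_ext == ext or (magic_ext == ".jpg" and ext == ".jpeg")
    return False                            # unknown or missing magic number: not an image we accept


def storage_name(filename):
    """Server-chosen name for a file that passed hardened_check: random stem, allow-listed extension."""
    ext = "." + os.path.basename(filename).rsplit(".", 1)[1].lower()
    return secrets.token_hex(16) + ext      # the client's chosen name never reaches the filesystem


if __name__ == "__main__":
    for name, data in [("shell.php", PHP_SAMPLE), ("shell.phtml", PHP_SAMPLE), ("photo.png", PNG_SAMPLE)]:
        print(f"{name:12} weak={weak_check(name)!s:5} hardened={hardened_check(name, data)}")
```

The application-side check is only half of it: the upload directory itself should not be allowed to execute scripts, which with Apache and mod_php means a `<Directory>` block for that path carrying `php_admin_flag engine off` (or `RemoveHandler` for the PHP extensions), so that a filter mistake does not become code execution.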

At this point I realized that I also had to answer the questions on the TryHackMe room page.

Scan the machine, how many ports are open? 2

What version of Apache is running? 2.4.29

What service is running on port 22? ssh

What is the hidden directory? /panel/

Back in the shell, I tried to find the user.txt file. It was not in any of the home directories, so I ran:

find / -name user.txt

I then saw the following in the big output:

I then got the user.txt flag:

I then had to view the hint to see which command to run to check for files with the SUID bit set. It recommended find / -user root -perm /4000. I ran that command and noticed a couple of binaries I could potentially use:
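The find command in the hint is also the core of a routine SUID audit, and the difference between a one-off check and an audit is the baseline: a list of SUID-root files that belong on the build, so that anything extra stands out. The added example below (my own code, not the room's) mirrors the find criteria in Python, compares the observed set against a baseline, and singles out interpreters and shells, since a setuid-root interpreter is a root-equivalent the moment anyone can run it. The baseline and the observed set are constructed for the example; a real baseline should be captured from a known-good image of the same release.

```python
import os
import re
import stat

# Illustrative baseline of SUID-root files on a stock Ubuntu install (constructed for this example).
EXPECTED_SUID_ROOT = {
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/umount",
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/passwd", "/usr/bin/sudo",
}

# Interpreters and shells that must never carry the setuid bit. Version suffixes are stripped
# before matching, so python2.7 and python3 both match "python".
INTERPRETERS = {"python", "perl", "ruby", "php", "lua", "node", "bash", "sh", "dash", "zsh"}

PSEUDO_FS = {"/proc", "/sys", "/dev", "/run"}   # skip kernel-backed trees when walking from /

# Constructed observation standing in for the output of find / -user root -perm /4000 on this box.
SAMPLE_OBSERVED = EXPECTED_SUID_ROOT | {"/usr/bin/python"}


def is_suid_root(mode, uid):
    """True for a regular file with the setuid bit set and owner uid 0 (the find criteria above)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def collect_suid_root(root="/"):
    """Walk `root` without following symlinks and return the set of SUID-root regular files."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)         # lstat: judge the entry itself, like find without -L
            except OSError:
                continue                    # unreadable or vanished entry: skip, do not abort the audit
            if is_suid_root(st.st_mode, st.st_uid):
                found.add(path)
    return found


def is_interpreter(path):
    """Basename with trailing version digits/dots removed is looked up in INTERPRETERS."""
    return re.sub(r"[\d.]+$", "", os.path.basename(path)) in INTERPRETERS


def audit_suid(observed, expected=EXPECTED_SUID_ROOT):
    """Compare observed SUID-root files with the baseline and rank the unexpected ones."""
    unexpected = sorted(observed - expected)
    return {
        "unexpected": unexpected,                               # not in the baseline: needs a look
        "critical": [p for p in unexpected if is_interpreter(p)],  # interpreter/shell: root-equivalent now
        "missing": sorted(expected - observed),                 # baseline entries gone: tampering or wrong release
    }


if __name__ == "__main__":
    # Audit the directories where setuid binaries normally live; pass "/" for a full sweep.
    observed = collect_suid_root("/usr/bin") | collect_suid_root("/bin")
    for key, paths in audit_suid(observed).items():
        print(f"{key}: {paths}")
```

Run from cron or a configuration-management check, a non-empty "critical" list is the finding that matters; "unexpected" entries still need review, and a non-empty "missing" list usually means the baseline was taken from a different release than the host.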

On TryHackMe, the question seems to expect an answer in the following format:

This means the executable has to be six characters long. I tried /usr/bin/python and it worked. I went to GTFOBins, searched it for python, and came across the following:

I ran this code, but modified it to read the file from the root directory:

python -c 'print(open("/root/root.txt").read())'

I then got the flag:
