Today I am going to try the RootMe box from TryHackMe. RootMe is classed as a beginner level box and is partly guided.
So let start by scanning for open port with Nmap.
nmap -sV -sC -oN version-scan 10.10.207.6
So we have ssh open on port 22 and an Apache web server open on port 80.
Apache Web Sever Port 80:
So we are at the home page, checking the ‘view source’ we can see nothing hidden in the code and there is no robots.txt file to view.
I will run a Gobuster scan to see whether we can brute force any directories:
So we have a number of directories found, the one that jumps out is /uploads and /panel.
Navigating to /panel:
We see we have a page that appears to allow us to upload files to the website. Let’s see if it filters a php file:
As we see a file with a php extension is not allowed to be uploaded to the website. Let’s try with a text file test.txt:
Moving to the /uploads directory, we can see our test.txt file has been uploaded.
Unfortunately the website appears to have some sort of filtering in place to stop us uploading a php file. I would strongly suggest following the TryHackMe tutorial for exploiting upload vulnerabilities as below:
It may filter php files but there are a number of php file extensions we can try to try and bypass the filtering method:
Let’s try and upload a php reverse shell but use one of the extensions, I will initially try .phtml and see if that works. The php reverse shell I will be using is from Pentest Monkey and is already on Kali:
/usr/share/webshells/php/php-reverse-shell.phpEdit the file and change the IP address and port number and save the file as shell.phtml and try to upload it to the website.
The file successfully uploads to the website, all we need to do now is navigate to /uploads/shell.phtml and grab our reverse shell on our listener.
First, let’s upgrade our shell using python:
python -c 'import pty;pty.spawn("/bin/bash")'We will then background the shell by pressing ‘CTRL Z’ and enter the following:
stty raw -echo;fgYou will need to press ‘Return’ twice to enter back into the shell; however you will now have all the benefits such as auto complete etc.
Looking around for the user.txt file we find it in /var/www:
Time to privesc, so further enumeration is required. I will move to the /var/www directory as it is world writable and setup a simple python http server on my local machine in the directory of an privesc enumeration script:
python3 -m http.serverOn the remote machine I will use wget to upload the Linux-Smart-Enumeration script.
We need to CHMOD the file to give execution rights, we can do this with:
chmod +x lse.shNext run the program and pipe it to a file:
./lse.sh | tee privesc.txtLooking at the results we can see a file that stands out with SUID bit set:
So we have python owned by root with the SUID bit set, so potentially we can use this to elevate our privilege to root. Let’s check out GFTOBins, the go to place of exploitable Linux binaries.
A quick search of python and we can see the following exploit under SUID.
Bingo we are root:
All that's left to do is grab the root.txt flag:
A nice box where I learnt about upload vulnerabilities and added another privesc to my library.
