Root Me — TryHackMe

Walkthrough

Bat_09
3 min read, Mar 10, 2021

Task 1: Deploy the machine and connect to the TryHackMe network.

Task 2: Reconnaissance

First, let’s get information about the target.

To gather this information, we can run nmap against the target IP.

nmap -h lists all options.

nmap -T4 -A <machine-ip>

We run the command above to get information about open ports, possible vulnerabilities and the operating system.

> The first 3 questions can be answered from the nmap results. Grab the required values from the output.

> Find directories on the web server using the GoBuster tool.

gobuster dir -u MACHINE_IP -w WORDLIST_PATH

You can get wordlists at /usr/share/wordlists/dirb/

Choose any one wordlist from that directory.

Gobuster result

These are some of the directories Gobuster found.

“panel” is the hidden directory.
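Seen from the server side, a Gobuster run like this leaves a dense burst of 404 responses from a single client in the web server's access log. The script below is an added example and not part of the original write-up: it parses Apache/nginx combined-format log lines (the sample lines are constructed, not taken from the target) and flags any client IP that produces five or more 404s inside a 60-second sliding window. The log format, threshold, window size and IP addresses are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines in Apache/nginx "combined" format.
# They are made up for this example; none come from the page or the target.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 1540 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2021:12:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2021:12:00:10 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.0.1"
10.0.0.9 - - [10/Mar/2021:12:00:10 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.0.1"
10.0.0.9 - - [10/Mar/2021:12:00:11 +0000] "GET /cgi-bin HTTP/1.1" 404 196 "-" "gobuster/3.0.1"
10.0.0.9 - - [10/Mar/2021:12:00:11 +0000] "GET /panel HTTP/1.1" 301 312 "-" "gobuster/3.0.1"
10.0.0.9 - - [10/Mar/2021:12:00:12 +0000] "GET /test HTTP/1.1" 404 196 "-" "gobuster/3.0.1"
10.0.0.9 - - [10/Mar/2021:12:00:12 +0000] "GET /tmp HTTP/1.1" 404 196 "-" "gobuster/3.0.1"
10.0.0.9 - - [10/Mar/2021:12:00:13 +0000] "GET /uploads HTTP/1.1" 301 312 "-" "gobuster/3.0.1"
10.0.0.9 - - [10/Mar/2021:12:00:13 +0000] "GET /zzz HTTP/1.1" 404 196 "-" "gobuster/3.0.1"
10.0.0.5 - - [10/Mar/2021:12:05:00 +0000] "GET /old HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [ts] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_dir_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag client IPs that produced >= `threshold` 404 responses inside any
    sliding window of length `window`.

    Returns {ip: {"max_404s": n, "user_agents": [...]}} for flagged IPs only.
    """
    not_found = {}  # ip -> list of timestamps of 404 responses
    agents = {}     # ip -> set of user agents seen from that ip
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        agents.setdefault(rec["ip"], set()).add(rec["ua"])
        if rec["status"] == 404:
            not_found.setdefault(rec["ip"], []).append(rec["ts"])

    flagged = {}
    for ip, stamps in not_found.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it is within `window` of `ts`.
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = {"max_404s": best, "user_agents": sorted(agents[ip])}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_dir_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['max_404s']} 404s in a 60s window, UA={info['user_agents']}")
```

On the constructed log the only flagged client is 10.0.0.9 (six 404s in three seconds, user agent `gobuster/3.0.1`); the normal browser client with two scattered 404s stays below the threshold. The user-agent string is reported but not used for the decision, since scanners can set any user agent; the 404 rate is the more robust signal.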

Task 3: Getting a shell

Panel directory

We can see there is a file upload form!

Let’s find a PHP reverse shell to upload. Googling php-reverse-shell turned up http://pentestmonkey.net/tools/web-shells/php-reverse-shell, and it worked! Download the PHP file and edit it: change the IP to your TryHackMe machine’s IP and set the port you want to listen on.

PHP-REVERSE-SHELL

When we try to upload this file we get an error, so we change the extension to .phtml or .php5. Then the file uploads!

File uploaded successfully! Now start a netcat listener in your terminal:

nc -lvnp <port_no>

Now browse to <Target_ip>/uploads and click on the uploaded file. You will get the shell!

shell

Navigate around and find the user.txt file. It’s in /var. We got the flag!
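The extension change in the upload step works because the form only blacklists the literal `.php` suffix while the web server still hands `.phtml` and `.php5` files to the PHP interpreter. The code below is an added example, not the challenge's own upload handler: it contrasts that weak blacklist with an allowlist on the final extension, a content-signature check, and a server-chosen stored filename. The handler extension list, the image signatures and the sample upload attempts are assumptions constructed for the example.

```python
import os
import secrets

# Extensions a typical Apache/PHP setup executes. Assumed for this example;
# check the AddHandler/FilesMatch lines of the server you defend.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}


def weak_blacklist_accepts(filename):
    """Reconstruction of the behaviour the write-up describes: only the
    literal ".php" suffix is rejected, so ".phtml" and ".php5" pass."""
    return not filename.lower().endswith(".php")


# Leading bytes (magic numbers) of the only types the hardened check accepts.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def hardened_accepts(filename, content):
    """Allowlist on the final extension plus a content-signature check.
    Anything that is not a known image type is rejected, which covers every
    entry of PHP_EXTENSIONS without having to enumerate them."""
    ext = os.path.splitext(filename)[1].lower()
    sigs = IMAGE_SIGNATURES.get(ext)
    if sigs is None:
        return False
    return any(content.startswith(s) for s in sigs)


def stored_name(filename):
    """Random server-chosen name that keeps only the vetted extension, so the
    client never controls the name the file is saved (and served) under."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


# Constructed upload attempts; the PHP bodies are inert placeholders.
CASES = [
    ("cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("shell.php", b"<?php echo 'placeholder'; ?>"),
    ("shell.phtml", b"<?php echo 'placeholder'; ?>"),
    ("shell.php5", b"<?php echo 'placeholder'; ?>"),
    ("shell.php.jpg", b"<?php echo 'placeholder'; ?>"),
]


def evaluate_cases(cases=CASES):
    """Return {filename: (weak_result, hardened_result)} for each attempt."""
    return {
        name: (weak_blacklist_accepts(name), hardened_accepts(name, body))
        for name, body in cases
    }


if __name__ == "__main__":
    for name, (weak, hard) in evaluate_cases().items():
        print(f"{name:14} weak blacklist: {'ACCEPT' if weak else 'reject':6}  "
              f"hardened: {'ACCEPT' if hard else 'reject'}")
```

The weak check accepts `shell.phtml`, `shell.php5` and `shell.php.jpg`; the hardened check accepts only the real PNG. The signature check on its own does not settle the matter, because a file can carry valid image headers and still contain PHP, so the controls that actually stop execution are the server-chosen name with a non-PHP extension and storing uploads somewhere the PHP handler does not apply (outside the web root, or a directory with script execution disabled).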

Task 4: Privilege escalation

Search for files with SUID permission, which file is weird?

We can do this with:

find / -perm -u=s -type f 2>/dev/null

Execute this command to get a list of files with the SUID bit set. The interesting one is /usr/bin/python. Now go to https://gtfobins.github.io/ and look up python: it lists a SUID privilege escalation.

Since /usr/bin/python already has the SUID bit set, the GTFOBins ./python step is not needed; run the command below:

/usr/bin/python -c 'import os; os.execl("/bin/sh","sh","-p")'

This command gives us root privileges! Now we can find the root flag.
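The `find` command above is a one-off check a pentester runs by hand. As an added example that is not part of the write-up, the script below does the same SUID audit from the defender's side: it walks the filesystem like `find / -perm -u=s -type f`, compares what it finds against a baseline of expected SUID binaries, and calls out a SUID interpreter such as /usr/bin/python separately, since GTFOBins shows that one hands a root shell to any local user. The baseline set and the sample scan entries are assumptions constructed for the example; build a real baseline from a known-good image of your own distribution.

```python
import os
import re
import stat

# SUID binaries expected on a stock Debian/Ubuntu host. This set is an
# assumption for the example; derive your own from a known-good image.
BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/pkexec", "/usr/lib/openssh/ssh-keysign",
}

# Basenames that are interpreters or shells (optionally versioned: python3.8).
INTERPRETER_RE = re.compile(r"(python|perl|ruby|bash|dash|sh|node|php)[\d.]*")


def find_suid(root="/"):
    """Yield (path, mode) for regular files with the SUID bit set; the Python
    counterpart of: find / -perm -u=s -type f 2>/dev/null"""
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable or vanished entry, same as 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_mode


def classify(entries, baseline=BASELINE):
    """Return the SUID entries that are not in the baseline, each with a reason.
    A SUID interpreter is flagged separately: it executes whatever code the
    caller supplies, so it is equivalent to a root shell for every local user."""
    findings = []
    for path, mode in entries:
        if path in baseline:
            continue
        reason = "not in baseline"
        if INTERPRETER_RE.fullmatch(os.path.basename(path)):
            reason = "SUID interpreter: equivalent to a root shell for any local user"
        findings.append({"path": path, "mode": oct(mode & 0o7777), "reason": reason})
    return findings


# Constructed scan result resembling what find_suid() would yield on a host
# like the write-up's target; not real output from the machine.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755),
    ("/usr/bin/sudo", 0o104755),
    ("/usr/bin/python", 0o104755),
    ("/opt/app/helper", 0o104755),
]


if __name__ == "__main__":
    # Replace SAMPLE_ENTRIES with list(find_suid()) to audit the live host (run as root).
    for finding in classify(SAMPLE_ENTRIES):
        print(f"{finding['path']} {finding['mode']}: {finding['reason']}")
```

On the constructed entries the script reports /usr/bin/python as a SUID interpreter and /opt/app/helper as simply absent from the baseline, while passwd and sudo are silently accepted. The fix for the python case is to clear the bit (`chmod u-s /usr/bin/python`) and then find out how it was set, since no package ships Python with SUID; running the audit on a schedule and diffing against the previous run turns the one-off `find` into a detection.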

root.txt

Now we have the root flag. Successfully got all the flags!

Happy Hacking!

Thank You!
