TryHackMe | RootMe Walkthrough
Hi there, I’m glad to see you here. In this article, we’ll solve the “RootMe” room on TryHackMe together. In some sections, I’ll share brief background on the subject. Don’t forget: you must always do your own research to learn more. I hope it will be helpful for you. Let’s start!
Contents:
- Reconnaissance
- File Upload Vulnerabilities
- Reverse Shell
- Privilege Escalation
Deploy the machine
Connect to TryHackMe network and deploy the machine.
Step 1: You need the OpenVPN configuration file to connect to the TryHackMe machines over VPN.
Step 2: Use the openvpn command to start your VPN connection.
Step 3: Can you see the IP address of the machine?
Step 4: You can check your connection.
Reconnaissance
First, let’s get information about the target.
Answer the questions below
Q1: Scan the machine, how many ports are open? (Use nmap to do a port scan.)
A1: 2
First, we need to run an nmap scan to find out which ports are open and which services are running on them.
Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.
nmap -A -T4 -p- 10.10.3.156
-A : Enable OS detection, version detection, script scanning and traceroute.
-T4 : Set timing template (higher is faster).
-p- : Scan all ports, 1 through 65535, instead of nmap’s default top 1000.
Let’s take a look at the website running on port 80.
We can use the Wappalyzer to learn about the technologies used on the website.
The Wappalyzer APIs provide instant access to website technology stacks, company and contact details, social media profiles, email verification and more.
Q2: What version of Apache is running?
A2: 2.4.29
Apache is free and open-source software that allows users to serve their websites on the internet. It is one of the oldest and most reliable web servers, maintained by the Apache Software Foundation, with the first version released in 1995.
Q3: What service is running on port 22?
A3: ssh
The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another.
OpenSSH is an open-source implementation of the SSH protocol. It is based on the free version by Tatu Ylonen and further developed by the OpenBSD team and the user community.
Q4: Find directories on the web server using the GoBuster tool.
A4: No answer needed
Gobuster is a tool used to brute-force URIs including directories and files as well as DNS subdomains.
Q5: What is the hidden directory?
A5: /panel/
gobuster dir -u http://10.10.3.156/ -w <wordlist>
dir : Uses directory/file enumeration mode.
-u : The target URL (domain or subdomain) whose hidden directories and files we want to enumerate.
-w : Path to the wordlist.
We found a directory where we can upload a file.
Getting a Shell
Find a form to upload and get a reverse shell, and find the flag.
A reverse shell is a type of shell in which the target machine connects back to the attacking machine. The attacking machine runs a listener on a port and receives that connection, which gives it code or command execution on the target.
Answer the questions below
Q1: user.txt (Hint: Search for “file upload bypass” and “PHP reverse shell”.)
A1: ********************
Let’s upload a photo and see what happens as a result.
Perfect! There doesn’t seem to be a problem for now.
When we found the hidden directories using gobuster, there was a directory called uploads.
Here is the photo we uploaded. Pretty cute!
Other than this, we can try to upload different kinds of files. Do you remember? We found out with Wappalyzer that the website uses PHP. So we can try to upload a PHP reverse shell and get a connection back from the machine.
File upload vulnerabilities are when a web server allows users to upload files to its filesystem without sufficiently validating things like their name, type, contents, or size.
This tool is designed for situations where you have upload access to a web server running PHP.
For more:
https://pentestmonkey.net/tools/web-shells/php-reverse-shell
The git clone command points at an existing repository and makes a copy of it in a new directory at another location.
Edit the script to set the IP address you received from your VPN tunnel connection and the port you will listen on for the incoming connection.
I think we’re ready, don’t you?
Unfortunately, the website responded that we cannot upload PHP files.
How about we trick the website? Let’s change the file extension and see what happens. For this method, I recommend reviewing the file upload references listed in the Resources section.
You can use the mv command to rename the file.
The mv command is one of the basic Linux commands that is used to move files and directories from one location to another. It is also used to rename files and directories.
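To make the defender’s side of this step concrete, here is an added example (my own code, not the room’s server or anything from the write-up) in Python. The room’s upload form is not shown, so the assumption is that it rejects names ending in “.php” and accepts everything else, which is the behaviour the write-up observes and defeats with mv. The hardened check beside it allowlists every dotted segment of the name, verifies the file’s magic bytes against the declared type, refuses content carrying PHP open tags, and stores the file under a server-chosen name. The sample uploads are constructed; the PNG is just a valid header, not a full image.

```python
import os
import uuid

# Extension allowlist and the magic bytes each type must start with.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
PHP_MARKERS = (b"<?php", b"<?=")

# Constructed samples (not from the room). PNG is a bare header, not an image.
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLES = {
    "cat.png": PNG,                                  # legitimate upload
    "shell.php": b"<?php echo 'hello'; ?>",          # script, obvious name
    "shell.png": b"<?php echo 'hello'; ?>",          # same script renamed with mv
    "photo.php.png": PNG,                            # double extension, real header
    "poly.png": PNG + b"<?php echo 'hello'; ?>",     # valid header with PHP appended
}


def vulnerable_check(filename):
    """Assumed behaviour of the room's form: refuse a name ending in '.php'
    and accept everything else. Renaming the file defeats it."""
    return not filename.lower().endswith(".php")


def hardened_check(filename, content):
    """Allowlist every dotted segment, verify magic bytes, refuse PHP open tags.
    Returns (accepted, reason, stored_name)."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        return False, "no usable extension", None
    exts = parts[1:]
    # Check every segment, so 'photo.php.png' is refused, not just the last one.
    if any(e not in ALLOWED for e in exts):
        return False, "extension not in allowlist", None
    ext = exts[-1]
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match declared type", None
    # Defence in depth: a real image has no reason to carry a PHP open tag.
    if any(marker in content for marker in PHP_MARKERS):
        return False, "embedded PHP open tag", None
    # Never reuse the client's name; pick a server-side name with one extension.
    return True, "ok", f"{uuid.uuid4().hex}.{ext}"


def run_samples():
    """Apply both checks to the constructed samples.
    Returns {name: (vulnerable_accepts, hardened_accepts, hardened_reason)}."""
    results = {}
    for name, content in SAMPLES.items():
        accepted, reason, _stored = hardened_check(name, content)
        results[name] = (vulnerable_check(name), accepted, reason)
    return results


if __name__ == "__main__":
    for name, (weak, strong, reason) in run_samples().items():
        print(f"{name:15} denylist={weak!s:5} allowlist={strong!s:5} ({reason})")
```

Even the hardened check is only the second line of defence: the decisive fix is that nothing under the uploads directory is ever handed to the PHP interpreter, so a file that slips through is served as bytes rather than executed.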
Are you excited like me? Let’s do this!
Fantastic! Our file is inside the website.
We can look in the uploads directory to check if our file has been uploaded.
Now we can use the netcat to listen to the port. Let’s start netcat and click on the file.
Netcat or nc is a utility tool that uses TCP and UDP connections to read and write in a network.
nc -nlvp 8989
-n: numeric addresses only, no DNS resolution
-l: listen mode
-v: verbose mode
-p: local port
We are inside! Time to find the flags.
Firstly, I think we can do some research to upgrade our shell.
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys
Let’s try to upgrade our shell using the command we found.
We can find the location of the flag using the find command.
The find command is used to find, filter, or search files and folders in your system according to user-specified conditions and perform several operations on them.
-type f : To search for files
-name : To search the file by name
2>/dev/null : Used to discard errors
Congratulations! You found the first flag.
Privilege Escalation
Now that we have a shell, let’s escalate our privileges to root.
A privilege escalation attack is a cyberattack designed to gain unauthorized privileged access into a system.
Answer the questions below
Q1: Search for files with SUID permission, which file is weird? (find / -user root -perm /4000)
A1: /usr/bin/python
We can use the find command from the question, with 2>/dev/null appended, to list files owned by root that have the SUID bit set and therefore run with root’s privileges whoever executes them. Its options are:
-user : To search for specified user
-perm : To search a file by permission
2>/dev/null: Used to discard errors
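As an added example from the defender’s side (my own Python, not part of the write-up), the same check can be run as a periodic audit: enumerate SUID files the way the find command does, compare them with a baseline of the binaries expected on the host, and report anything extra. The baseline below is a constructed, illustrative set for an Ubuntu-style system, not the room machine’s real list; in practice it is generated from a known-good image. The demo helper builds a throwaway directory with one SUID file so the scanner can be exercised without root.

```python
import os
import stat
import tempfile

# Constructed baseline of SUID binaries expected on a stock Ubuntu-style host.
# Illustrative only; build the real one from a known-good image.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/mount", "/usr/bin/umount",
}


def find_suid_files(root, owner_uid=None):
    """Return regular files under `root` with the set-user-ID bit, optionally
    limited to one owner. Equivalent to
    `find ROOT -type f -perm /4000 [-user root] 2>/dev/null`."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entry; find hides these via 2>/dev/null
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            hits.append(path)
    return sorted(hits)


def unexpected_suid(found, baseline=EXPECTED_SUID):
    """SUID files that are not in the baseline. An interpreter such as
    /usr/bin/python appearing here is the kind of finding the room points at:
    it runs with root's privileges for any local user who can execute it."""
    return sorted(set(found) - set(baseline))


def demo_in_tempdir():
    """Constructed directory with one SUID file and one ordinary file;
    returns the basenames the scanner reports."""
    with tempfile.TemporaryDirectory() as tmp:
        suid_path = os.path.join(tmp, "odd_helper")
        plain_path = os.path.join(tmp, "normal_tool")
        for path in (suid_path, plain_path):
            with open(path, "wb") as fh:
                fh.write(b"#!/bin/sh\necho hi\n")
        os.chmod(plain_path, 0o755)
        os.chmod(suid_path, 0o4755)  # 4 = set-user-ID bit, as in -perm /4000
        return [os.path.basename(p) for p in find_suid_files(tmp)]


if __name__ == "__main__":
    # Real audit: root-owned SUID files anywhere on the host, minus the baseline.
    for path in unexpected_suid(find_suid_files("/", owner_uid=0)):
        print("unexpected SUID file:", path)
```

Running this from cron and alerting on a non-empty result turns the room’s one-off enumeration into a detection: the weird /usr/bin/python would show up the moment its mode changed.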
Q2: Find a form to escalate your privileges. (Search for gtfobins)
A2: No answer needed
GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
Q3: root.txt
A3: *************************
Congratulations! You found the second flag.
Thank you for your time. See you soon! Until that time.. Happy Hacking ❤
Resources:
https://addons.mozilla.org/tr/firefox/addon/wappalyzer
https://www.hostinger.com/tutorials/what-is-apache
https://www.ssh.com/academy/ssh/protocol
https://www.ssh.com/academy/ssh/openssh
https://www.kali.org/tools/gobuster
https://resources.infosecinstitute.com/topic/icmp-reverse-shell
https://github.com/pentestmonkey/php-reverse-shell
https://www.atlassian.com/git/tutorials/setting-up-a-repository/git-clone
https://pentestmonkey.net/tools/web-shells/php-reverse-shell
https://portswigger.net/web-security/file-upload
https://book.hacktricks.xyz/pentesting-web/file-upload
https://linuxhint.com/linux-mv-command-examples
https://www.geeksforgeeks.org/introduction-to-netcat
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys
https://linuxhint.com/use-the-find-command-in-linux-to-search-files
https://www.crowdstrike.com/cybersecurity-101/privilege-escalation