Defeating RootME

Hello hackers,

Recently I started practicing on Tryhackme and came across this easy yet interesting machine named RootME by ReddyyZ. I strongly recommend the beginners to try this machine out as it would clear the following several concepts of yours one of them being how to bypass file upload functionality and gain a reverse shell on the target system. Not only that, but you'll also have a basic idea about how privilege escalation works. So without taking up any more time of yours, let's jump into the walkthrough.


                                                                                      : TASK 1 :

Deploying the machine😅

While some of you might think what madness this is we already know that!!

My dear friend, you're free to skip this portion then😊😌.


Step 1: Connect to OpenVPN [Check the OpenVPN room so that you have an idea]

Command used: openvpn {your openvpn file} 

Step 2: Click on Start Machine or Start Attack Box. [I think you can do this:)]

Step 3: That's all. Congratulations! You successfully completed task 1!

P.S Don't forget to click on Question Done :P

: TASK 2 :

Reconnaissance 🕵

Having deployed our Machine, let's jump right into recon/information gathering.


Q.1 How many ports are open?

Q.2 What version of Apache is running?

Q.3 What service is running on Port 22?

Train yourself in such a way that whenever in your life, you hear a question where it asks information regarding ports, your inner voice should say, NMAP!

Let's shoot down all the three questions given above with a single line of command.


Command used: nmap -sV {ip}

The -sV switch will display the services as well as their versions.




As you can see from the above image, we have 2 open ports. This solves our question 1.

Furthermore, you can see that at port 80, we have Apache 2.4.29 running which answers our question 2.

In addition to this, you'll see that we have the ssh service running on port 22 and that's the solution to our question 3.

Note: Try to remember some of the common ports and their names as they might come in handy.

Q.4 Finding the Directories on the server.

Remember: Make it a habit to check the help page of any new tool that you install to have a better understanding of it.


While the question focuses on Gobuster, I really don't know what was wrong with my system Gobuster just didn't work. 


A good alternative to it is dirb and is installed by default in your kali machine [if you have one].

So I fired dirb and got these directories.




Now, as you can see we have the uploads and the panel directories present. 

Let's visit both of them. 

Uploads Directory


  

Panel Directory





The answer to our question is panel as it is the entry point through which we can deliver something on the server.


Moreover, another point to note is that the uploads directory will also be helpful to us further.


: TASK 3:

Getting a shell🐚

Let's jump into the task and upload a shell.

You can download a PHP reverse shell from the web. Here's a link for the one which I used.

https://github.com/pentestmonkey/php-reverse-shell


Having downloaded the shell, let's try to upload it.




To begin with, learning Portuguese, the above sentence says PHP is not allowed.

Well in real-life scenarios as well, the file upload functions are strict and you generally cannot upload PHP files to places where you are supposed to upload a resume, photos, etc. 

But sometimes what happens is that the upload function blocks a specific extension but similar extensions are still accepted. For example, PHP has various versions such as PHP3, PHP4, PHP5, etc.

As an attacker, you can always keep an eye on such possible misconfigurations.

In this case, we can bypass this upload function by using the php5 extension.


Well, now it says "File uploaded successfully".
Congratulations!🎉 We just bypassed the file upload functionality. (Who says computers can replace humans :P You just fooled one!)

Now what I want you to do is quickly open the PHP shell file and you'll see a region in the code where you're supposed to change the IP address and the Port number, quickly grab the IP by typing ifconfig and copy the IP address starting from 10.x.x.x under the interface tun0.

Put it in there and type the PORT number like 1337 or any other uncommon port number which is not usually under the active use of the system.

Now, let's upload the updated shell again to the system. Or you can edit the shell first and then push it.

It's time to get the shell on our system. In your command line type nc -nvlp 1337 or each switch separately as shown in the image below.

What we typed was for our system to activate a remote shell as well as listen to every activity that takes place on port 1337. Visit the uploads directory and click on the shell file. Come back to your system and see the magic that the shell performed for you!


We're now into the website's server.

Type whoami to see the name of the user you are currently logged in as now.

Our next task is to find user.txt so that we can find the flag.

To find the file, type find / user.txt you'll see that you have a path for the same where you're not denied any permissions.

To view the contents of the file type cat /var/www/user.txt. You'll see the flag!



Task 3 conquered!


: TASK 4:

Escalating privileges 🚩


Here comes the final showdown.

Q.1 Find file containing suid bit.

Q.2 Find a form to escalate your privileges. 

For finding a file with suid bit, we type find / -user root -perm /4000

The significance of the file containing the SUID bit is that even if we run it, it will execute as the root user



Here, the weird file seems to be /usr/bin/python as per an educated guess from the answer pattern.

Thus we got the answer to Questions 1 & 2.


Now comes the last one.

Well, the hint in question 2 days that visit GTFObins.

We can find SUID here and copy the code.

Thus our  command will be 

cd  /usr/bin

./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

type whoami to see whether you're root or not



Since we're root now the final question left is 

Q.3 root.txt

For finding root.txt, we can simply type 

find / root.txt | grep root.txt



That's all... The final command will be cat /root/root.txt



You'll find the final flag there and that's how we defeated RootME.!


Key Takeaways:

  •  Whenever you come across questions related to ports and services, NMAP can come in handy.
  • Make sure to remember some common port numbers and services associated with them.
  • Try to look for hidden directories. You might end up getting something juicy.
  • Always try to bypass file upload by using alternative or similar extensions.
  • Once you upload the shell, try to locate it so that you can access it.
  • Try to find files with SUID bits for privilege escalation.
FUN FACT: You're now familiar with a few Portuguese sentences now :P

If you like the content then do consider connecting with me and pour your knowledge into my DM!!😇 


DO NOT FORGET TO CHECK OUT TRYHACKME FOR MORE INTERESTING ROOMS.


















Comments

Post a Comment

Popular posts from this blog

TCS HACKQUEST PLAYGROUND WALKTHROUGH

Image
Hello Hackers! I hope you're doing well. This blog is a part of KeyCybr Internship. Recently I came across the TCS Hackquest Playground, and here I'll be giving an insight into the solution for the same. The link to register for the same is  https://play.tcshackquest.com/register   This playground is like a warm-up before the actual TCS Hackquest, which is probably scheduled for January 2022. Let's dive into the challenges. Challenge 1: Time to play with J.S.   As you click on "Link here" you'll be redirected to a page that looks like  You'll have to enter the value here to get the flag. Now, since there's nothing visible on the page, the fundamental thing that should strike you must be viewing the page source! As you visit the page source, you'll see The variable contains a base 64 string. On decoding it with the base 64 decoder You'll get submitthis: {text_to_be_submitted} As you submit the text and click on Retrieve the Flag, you'll rece
Read more

OWASP TOP 10 Explained

Image
  Hello World! Through this write-up, I’ll try to educate you about OWASP and the OWASP top 10 Vulnerabilities for Web Applications. What is OWASP? OWASP stands for O pen W eb A pplication S ecurity P roject. What does OWASP do? The Internet has connected almost everything to the online world. From making a call to sending messages, making payments, sharing stories, making groups, creating a thread on any topic, and having opinions from various people across the globe and what not! The Internet has made the world a very small place it seems! Now, when you’re spending so much of your time on the internet, it's obvious that your data goes online wherever you sign up. Being a citizen of the modern world, every person who is connected to the internet must know that their data is their ultimate strength and weakness. If in the wrong hands, your data can be used in a way that you cannot even imagine in the wildest of your dreams! Moreover, the recent data breaches and cyber-attacks
Read more