RootMe (THM)

graybox pen test

TryHackMe – RootMe Write-Up

topics: Web application security, OWASP Top 10 (File upload bypass), Linux Privilege Escalation

Enumeration
Local Privilege Escalation
Root Privilege Escalation

tools: nmapAutomator, dirsearch, phtml reverse shell

Enumeration

initial nmap scan .././autonmap.sh $ip Basic

We have two ports open, SSH and HTTP. Lets run a dirsearch scan

python3 dirsearch.py -u $ip -e php,html,txt

We can see three unique directories, a login page, panel, and uploads.

Local Privilege Escalation

The panel directory permits unauthenticated file uploads, as we know from the nmap scan this website runs on PHP. Lets upload a PHP reverse shell, navigate to uploads and execute it.

Huh, apparently this website does not accept PHP files, instead lets try a similar PHP extension such as PHTML.

We got a success message, lets go to the uploads directory, listen for the shell and execute.

Root Privilege Escalation

The current user does not have sudo permissions for this machine, lets instead search for SUID files as this room instructs to do so.

find / -perm /4000 -type f -exec ls -lda {} \; 2>/dev/null

The python program is marked as an SUID file, we can use this to open the shell as root using python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

PreviousStartup (THM)NextKenobi (THM)

Last updated 3 years ago