RootMe — TryHackMe Write-up

05-10 Archivist, Aug 8, 2021
https://tryhackme.com/room/rrootme

A ctf for beginners, can you root me?

Reconnaissance

nmap -sC -sV 10.10.161.38

As we can see there are two open ports: 22 (SSH) and 80 (HTTP). Let’s focus on port 80, as this is more likely to give us an entry point.

  • Scan the machine, how many ports are open? 2
  • What version of Apache is running? 2.4.29
  • What service is running on port 22? SSH
http://10.10.161.38/

The website doesn’t show anything aside from the text above. The page source also doesn’t show anything interesting.

Time to enumerate!

Enumeration

gobuster dir --random-agent -u http://10.10.161.38/ -w /usr/share/wordlists/dirb/common.txt -t 10

That /panel looks interesting. Let’s take a peek.

  • What is the hidden directory? /panel

This is perfect. This could allow us to upload a web shell.

There are lots of available web shells out there but I’ll be using this one from Pentest Monkey.

Looks like uploading php files is not permitted.

Reference 1
Reference 2
Reference 3

I found 3 references on how to bypass PHP file upload restrictions like this one. The easiest method would be to change the file extension to something like “phtml”.
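Why the extension swap works, and how an upload handler closes it, as an added example that is not part of the original write-up: a blocklist that only rejects `.php` still accepts `.phtml`, and the Apache PHP module's default handler match on Debian-family systems executes `.phtml` and `.phar` just like `.php`. An allowlist of the extensions the form actually expects, combined with a single-extension rule, rejects all of them. The filenames below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original write-up: a ".php"-only blocklist
# versus an extension allowlist for an upload form. All filenames are
# constructed for illustration.

# Naive handler: reject only names ending in ".php". Prints accept/reject.
blocklist_check() {
    case "$1" in
        *.php) echo reject ;;
        *)     echo accept ;;
    esac
}

# Hardened handler: lowercase the name, refuse path separators and
# multiple extensions, then accept only the image types the form expects.
# Anything else, including .phtml and .phar, is rejected.
allowlist_check() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$name" in
        */*) echo reject; return ;;
    esac
    dots=$(printf '%s' "$name" | tr -cd '.' | wc -c | tr -d ' ')
    if [ "$dots" -ne 1 ]; then
        echo reject; return
    fi
    case "$name" in
        *.jpg|*.jpeg|*.png|*.gif) echo accept ;;
        *)                        echo reject ;;
    esac
}

# Stand-alone demonstration over constructed names.
for f in photo.JPG shell.php shell.phtml shell.php.jpg; do
    printf '%-14s blocklist=%s allowlist=%s\n' "$f" \
        "$(blocklist_check "$f")" "$(allowlist_check "$f")"
done
```

The extension check is only the first layer: since the web server's handler mapping, not the upload form, decides what gets executed, uploads should also land in a directory where script execution is disabled or that sits outside the web root entirely.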

We might as well start our netcat listener in case it’s successful.

We’ve successfully uploaded the shell! Now we just need to trigger it.

We now have a shell.

Finding the User flag

  • user.txt? THM{y0u_g0t_a_sh3ll}

Privilege Escalation

We have to find a file that has a SUID permission set.

That python file looks interesting since python doesn’t usually have this kind of permission.

  • Search for files with SUID permission, which file is weird? /usr/bin/python
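The same check from the defender's side, as an added example that is not part of the original write-up: list the set-uid binaries on a host and flag any that are not on an expected baseline, which is exactly how an unexpected `/usr/bin/python` would stand out. The baseline and the sample scan output are constructed; on a real host the list comes from `find`, as shown in the comment.

```shell
#!/bin/sh
# Added example, not from the original write-up: flag set-uid binaries that
# are not on an expected baseline. The baseline and the sample find output
# below are constructed.

# suid_audit BASELINE_FILE
#   Reads one path per line on stdin and prints each path that does not
#   appear verbatim in BASELINE_FILE. Always exits 0 so it can sit in a
#   pipeline; the caller decides what to do with the printed paths.
suid_audit() {
    base="$1"
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        grep -qxF -- "$path" "$base" || printf '%s\n' "$path"
    done
    return 0
}

# Constructed baseline: the set-uid files this host is expected to have.
baseline=$(mktemp)
printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/bin/su > "$baseline"

# Constructed scan result standing in for the live command
#   find / -xdev -type f -perm -4000 2>/dev/null
# (run as root so that every directory is readable).
printf '%s\n' /usr/bin/passwd /usr/bin/python /usr/bin/sudo /usr/bin/su |
    suid_audit "$baseline"
# prints: /usr/bin/python

rm -f "$baseline"
```

Keeping the baseline under version control and running the audit from cron or a configuration-management check turns a one-off CTF trick into a detection: any interpreter or unexpected binary gaining the set-uid bit shows up on the next run.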

For SUID binary exploits like this we refer to GTFOBins.

We are now root!

  • root.txt? THM{pr1v1l3g3_3sc4l4t10n}
