RootMe Try Hack Me <

Reconnaissance

For this phase, im using nmap to scan open port at ip 10.10.52.203. Im using command -sS -sC -sV -T4. As we can see in Figure 1.0 there are 2 port open which is http port/80 and ssh port/22. Let's take a look what we have in the http port.

Enumeration

To enumerate what have in the web directory, we can use tools name dirsearch to scan the web directory. As we can see in Figure 2.0 there are 2 interesting web directory which is '/panel/' and '/uploads/.'

Let's take a look what is in the directory.

if we open directory '/panel/', we can see that this website has upload page which is we can upload our reverse shell file from this page.

Then if we go to directory '/uploads/' we can enter to index of uploads page, which is this page will save what we upload from '/panel/' directory.

Getting a Shell.

Change the ip to your machine ip.

Let's try upload our reverse shell file to gain reverse shell. Unfortunately, the upload file has some kind of protection. This protection call file type filtering. Which means our .php reverse shell file cannot uploaded to the web server. However, we can bypass this type of filtering.

Bypass File Upload Filtering

Intercept the upload process by using burpsuite. Actually, the original file name is .php then i change it to .php5 this is one of the method to bypass the file upload filtering. After that we forward the request.

As we can see in Figure 8.0 we can find that our reverse shell file has successful uploaded to the web server.

Setup our listener

Setup our listener by using this command netcat -lvnp <port number>. Click the reverse shell file in the index of uploads page. Then, we get our reverse shell as in Figure 9.0

Let's stable our shell.

Let's stable our shell so we can have a proper shell to pivoting in the server. To stable it by using this command:

//step1:
python3 -c 'import pty;pty.spawn("/bin/bash")'

//step2:
export TERM=xterm (give us access to term command like clear)

//step3:
Ctrl + Z (Finally (and most importantly) we will background the shell using
)

//step4:
stty raw -echo; fg (Back in our own terminal we use)

Let's find our flag

For the first flag, the flag contain in user.txt. So if we want to cut our time finding the flag use this command:

find / -type f -name "user.txt" 2>dev/null

Then we have our path to user.txt. Then let's cat this file.

We found our first flag.

Let's find our root flag.

To find our root flag we need to gain privilege esclation first.

Based on try hack me question we need to find files with SUID permission. To find the file we can use this command:

find / -type f -user root -perm -4000 2>/dev/null

Then we can find, there is /usr/bin/python with SUID permission. Let's take advantage of this by go to https://gtfobins.github.io/.

At gtfo website, search python and find SUID.

By using command in Figure 14.0, we get our root shell.

By using same command to find user.txt file, we just need to change it to 'root.txt' and then we will get our path to 'root.txt. After just 'cat' it to get the flag.

Last updated 1 year ago

hashtagReconnaissance

hashtagEnumeration

hashtagGetting a Shell.

hashtagBypass File Upload Filtering

hashtagSetup our listener

hashtagLet's stable our shell.

hashtagLet's find our flag

hashtagLet's find our root flag.