🚩
Anthony Morell's Gitbook
Capture The Flag
CertificationsCapture The FlagBug BountiesHome
Capture The Flag
CertificationsCapture The FlagBug BountiesHome
  • 🖥️CTF Writeups
  • 🟦TryHackMe
    • THM Overview
      • Reverse Engineering
      • Game Server
      • Obscure Web Vulns
      • UltraTech
      • Linux Privilege Escalation
      • The Marketplace
      • RootMe
      • Agent Sudo
      • Startup
      • Lian_Yu
      • Advent of Cyber 2022
        • [Day 1] Frameworks
        • [Day 2] Log Analysis
        • [Day 3] OSINT
        • [Day 4] Scanning
        • [Day 5] Brute-Forcing
        • [Day 6] Email Analysis
        • [Day 7] CyberChef
        • [Day 8] Smart Contracts
        • [Day 9] Pivoting
        • [Day 10] Hack a game
        • [Day 11] Memory Forensics
        • [Day 12] Malware Analysis
        • [Day 13] Packet Analysis
        • [Day 14] Web Applications
        • [Day 15] Secure Coding
        • [Day 16] Secure Coding
        • [Day 17] Secure Coding
        • [Day 18] Sigma
        • [Day 19] Hardware Hacking
        • [Day 20] Firmware
        • [Day 21] MQTT
        • [Day 22] Attack Surface Reduction
        • [Day 23] Defence in Depth
        • [Day 24] The End
  • 🟫PentesterLab
    • PL Overview
      • Recon Badge
        • Badge Solutions
  • 🟩Hack The Box
    • HTB Overview
      • HTB Post
  • 🟧BurpSuite Academy
    • BSA Overview
      • GraphQL API vulnerabilities
        • Accessing private GraphQL posts
        • Accidental exposure of private GraphQL fields
        • Finding a hidden GraphQL endpoint
  • 🏁Competitions
    • Competition Overview
      • GM Bug Bounty Competition
Powered by GitBook
On this page
  1. TryHackMe
  2. THM Overview

RootMe

November 20, 2022

PreviousThe MarketplaceNextAgent Sudo

Last updated 2 years ago

Reconnaissance

Scan the machine, how many ports are open? 2

What version of Apache is running? 2.4.29

What service is running on port 22? SSH

What is the hidden directory? /panel/

Although its loud and an overkill, here is the information from the nmap scan:

Then the hidden directory with dirb:

Getting a Shell

On http:<IP>/panel/ there is a file upload that forbids .php file uploads.

First I set up my nc listener on my attacking machine. It then took me a minute because I had to figure out which extensions would be filtered out. You can see I had tried many extensions to bypass the filter. However the phpRS.phtml file led me to success. There was a great resource to help understand file upload restrictions: https://lazarv.com/posts/bypassing-file-upload-restrictions/

Once I was in the /uploads directory I simply clicked on my file and was granted a shell on my attacker machine. I then used the find command to find which directory the flag "user.txt" would be in.

Privilege Escalation

Using find again to search for SUID permissions, I find /usr/bin/python. This can be exploited using GTFObins.

/usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

I am then granted root privileges!

🟦
  • Reconnaissance
  • Getting a Shell
  • Privilege Escalation
LogoTryHackMe | RootMeTryHackMe
LogoGTFOBins