TryHackMe – RootMe (Write-up)

Enumeration 🤔

Use RustScan to scan the server.

Now, let’s find some hidden directories with gobuster.


Uploading a reverse shell 💀

The upload feature of the server is very weak: it only checks the file extension.

Download PenTestMonkey’s PHP reverse shell from here and edit it suitably (add your IP address and a port).

Now start a listener using nc -lvnp 9090. You can use any port number (make sure the reverse shell is edited to match).

Now, when I tried to upload it, it didn’t work. So I tried changing the MIME type via Burp Suite, and that didn’t work either.

Then I tried using the magic bytes of a GIF (GIF87a). It uploaded, but when I tried to open it in the browser it was detected as an image and gave an error message.

So then I started to brute-force the extensions that are allowed for upload. I found that every PHP extension except .php was allowed.

PHP has alternative extensions such as .php, .php1, .php2, .php3, .php4, .php5 and .phtml.
I used the .phtml extension and it worked!
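The bypass above works because the server denies one extension instead of allowing a short list. The following Python is an added example (not code from the write-up or the TryHackMe room) that puts the weak deny-list check beside a hardened allow-list check; the extension sets and the magic-byte table are my own constructed values.

```python
import os
import secrets

# --- Weak check, modelled on the behaviour the write-up describes ---
# Only the exact string ".php" is rejected, so every other extension the
# web server hands to the PHP interpreter (.phtml, .php5, ...) gets through.
DENIED = {".php"}


def denylist_allows(filename: str) -> bool:
    """Deny-list check: accepts anything whose extension is not in DENIED."""
    _, ext = os.path.splitext(filename.lower())
    return ext not in DENIED


# --- Hardened check ---
# 1. allow-list of image extensions (constructed set)
# 2. the file's leading bytes must match the claimed type
# 3. exactly one extension, so "shell.phtml.gif" is rejected outright
# 4. the stored name is generated server side, never taken from the client
ALLOWED = {".png", ".jpg", ".jpeg", ".gif"}
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}


def sniff(content: bytes):
    """Return the image extension implied by the leading bytes, or None."""
    for magic, ext in MAGIC.items():
        if content.startswith(magic):
            return ext
    return None


def allowlist_allows(filename: str, content: bytes) -> bool:
    """Allow-list check: extension, byte signature and name shape all agree."""
    name = os.path.basename(filename).lower()
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:
        return False  # no extension, or a double extension
    ext = "." + parts[1]
    if ext not in ALLOWED:
        return False  # .phtml and friends never reach the interpreter
    sniffed = sniff(content)
    if sniffed is None:
        return False  # plain PHP source has no image header
    if sniffed == ".jpg":
        return ext in {".jpg", ".jpeg"}
    return sniffed == ext


def stored_name(content: bytes) -> str:
    """Random on-disk name carrying only the sniffed extension."""
    ext = sniff(content)
    if ext is None:
        raise ValueError("content is not a recognised image")
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # constructed samples: a GIF87a header in front of PHP source, as in the write-up
    polyglot = b"GIF87a<?php system($_GET['c']); ?>"
    print("deny-list lets shell.phtml through:", denylist_allows("shell.phtml"))
    print("allow-list lets shell.phtml through:", allowlist_allows("shell.phtml", polyglot))
    print("allow-list lets pic.gif through:", allowlist_allows("pic.gif", b"GIF87a" + bytes(10)))
```

A GIF header glued onto PHP source and named pic.gif still passes the byte check, so the extension and signature checks are not the whole fix: the upload directory must also be served without script execution (for mod_php, `php_admin_flag engine Off` in that directory's Apache configuration), which is exactly what the /uploads/ path in this room lacked.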

Now navigate to http://<SERVER-IP>/uploads/ and you will find your reverse shell.

Now stabilize the shell using:

  • python3 -c 'import pty; pty.spawn("/bin/bash")'
  • export TERM=xterm
  • Press CTRL+Z
  • stty raw -echo; fg


Privilege Escalation (Root) 🦾

Find SUID binaries using find / -user root -perm /4000

You will find /usr/bin/python there. Because it is SUID root it can be exploited with the /usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")' command.
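From the defender's side, the find command above is the start of a SUID audit: anything SUID root that is an interpreter or a known shell-escape tool should not exist on the box. The Python below is an added example, not part of the write-up, that classifies SUID-root files against a constructed baseline of expected binaries and a constructed list of risky basenames; the `scan` helper walks a live filesystem the same way the find command does.

```python
import os
import re
import stat

# Constructed list of basenames that give a shell when run SUID root
# (the room's /usr/bin/python is one). Not exhaustive; extend for your estate.
RISKY_BASENAMES = {"python", "perl", "ruby", "bash", "sh", "find", "vim", "less", "env"}

# Constructed baseline of SUID-root binaries a typical install ships; tune per distro.
EXPECTED = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd",
}

# Pseudo filesystems to skip when walking "/"
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def is_suid_root(mode: int, uid: int) -> bool:
    """Same condition as: find / -user root -perm /4000."""
    return bool(mode & stat.S_ISUID) and uid == 0


def classify(path: str, mode: int, uid: int):
    """Return 'risky', 'unexpected' or 'ok' for a SUID-root file, else None."""
    if not is_suid_root(mode, uid):
        return None
    base = os.path.basename(path)
    stem = re.sub(r"[\d.]+$", "", base)  # python3.6 -> python, perl5 -> perl
    if stem in RISKY_BASENAMES:
        return "risky"
    if path in EXPECTED:
        return "ok"
    return "unexpected"


def audit(entries):
    """entries: iterable of (path, mode, uid). Returns [(path, verdict)] for non-ok SUID-root files."""
    findings = []
    for path, mode, uid in entries:
        verdict = classify(path, mode, uid)
        if verdict is not None and verdict != "ok":
            findings.append((path, verdict))
    return findings


def scan(root: str = "/"):
    """Yield (path, mode, uid) for regular files under root, pruning pseudo filesystems."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield full, st.st_mode, st.st_uid


if __name__ == "__main__":
    # constructed inventory mirroring the room's finding; replace with audit(scan()) on a real host
    sample = [
        ("/usr/bin/python", 0o104755, 0),
        ("/usr/bin/passwd", 0o104755, 0),
        ("/usr/bin/ls", 0o100755, 0),
        ("/opt/tool/helper", 0o104755, 0),
        ("/home/user/prog", 0o104755, 1000),
    ]
    for path, verdict in audit(sample):
        print(f"{verdict:10} {path}")
```

Run `audit(scan())` as root on a build image or in a periodic compliance job; a "risky" hit is the finding to fix (remove the bit with `chmod u-s`), and an "unexpected" hit is a baseline drift to investigate.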



Thanks 🙏🏽

Thanks a lot for reading this article.

Category:
Tryhackme Writeups
