Writeup — RootMe using pwncat
This Room is divided into 3 main parts:
- Getting a shell
- Privilege Escalation
Let’s begin by a network scan using nmap
I’ll type nmap with some flags to display some detailled informations about the host: nmap -vv -sS -sV RHOST. -vv for verbosity level 2, -sS for TCP/SYN scan (bypass some basic firewalls, check how TCP packets handshake work), -sV to get version of services used by the host.
We see that we have 2 ports open with services (22, that is default SSH port, and 80 that is default HTTP port, running with Apache)
Now, we know that we have a HTTP server open with Apache that serve a website. After manually navigating into this website, nothing seems to be interesting.
Let’s start to search for hidden files or directory this website could serve with gobuster. As we know, Gobuster is a bruteforce tool to search for hidden directory or files from a webserver. For this scan, I’ll tell to Gobuster to search for hidden directories with the common.txt wordlist located in /usr/share/wordlists/dirb directory:
gobuster dir --wordlist=”/usr/share/wordlists/common.txt --url=”http://RHOST”
Here it is. Something intersting. It looks like there is a hidden url on the site: /panel
The website ask us to upload a file… Remember that the website is served by Apache, so there is a good chance that the server will be able to interpret PHP.
Time to get a reverse shell with a PHP payload. For this trick I will use the good PHP Reverse Shell from pentestmonkey (don’t forget to change the host and port on the file) and pwncat for my listener.
If we try to upload this payload directly on the server, we have a problem: We can’t send a PHP file to the server. We have plenty of ways to circumvent this restriction but I’ll use the simplest: Replace my .php extension with .phtml
Once we have uploaded the file to the server, we can retrieve it via /uploads discovered earlier with gobuster
Now, before click on the payload, let’s listen for a connection with pwncat:
PORT is the port you have filled in the php-reverse-shell.phtml
Now, you can click on the file via /uploads and…. Tadam!! You have catched the connection on pwncat
Now, it’s time to connect through SSH (with pwncat) on the reversed shell
You can navigate through /var/www and grab the user.txt
Okay so now it’s time to the final step: Privilege Escalation. Let’s search if we have some executables with a Suid bit to maybe exploit it
find /usr/bin -perm /4000
/usr/bin to search on executables, -perm /4000 to search all files with Suid bit set (4 to Suid bit)
Interesting, we have python installed, with Suid bit set. Let’s check on GTFObins if we can exploit it
Very interesting, we can spawn a shell with python. Let’s do this
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
Let’s go! We are root! Let’s check in the /root folder for the root.txt flag!