Writeup — RootMe using pwncat

In this Writeup, we will approach a room of easy difficulty: RootMe. This room is available on the TryHackMe platform.

This Room is divided into 3 main parts:

  • Reconnaissance

Let’s begin with a network scan using nmap.

I’ll run nmap with a few flags to get detailed information about the host: nmap -vv -sS -sV RHOST. -vv sets verbosity level 2, -sS performs a TCP SYN scan (it never completes the TCP handshake, which gets past some basic firewalls), and -sV grabs the version of each service running on the host.

nmap output

We see two open ports with services: 22, the default SSH port, and 80, the default HTTP port, served by Apache.

Now we know that Apache is serving a website on port 80. After browsing this website manually, nothing seems interesting.

Let’s look for hidden files or directories this website might serve, using gobuster. Gobuster is a brute-force tool that searches a web server for hidden directories or files. For this scan, I’ll tell gobuster to look for hidden directories using the common.txt wordlist located in the /usr/share/wordlists/dirb directory:

gobuster dir --wordlist="/usr/share/wordlists/dirb/common.txt" --url="http://RHOST"

gobuster output

Here it is. Something interesting: it looks like there is a hidden URL on the site, /panel
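Seen from the server side, a wordlist scan like this one is easy to spot: one client produces a burst of 404s in a short time, with the occasional 200 when a guess lands. The detector below is an added example written for this writeup, not something from the post or from gobuster; it assumes Apache's default "combined" log format and uses a constructed sample log (addresses from the documentation ranges, a gobuster-style User-Agent) rather than real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" LogFormat (assumed server config); the regex matches its default layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforcers(lines, window=timedelta(seconds=60), threshold=20):
    """Return {ip: total_404s} for every client that produced at least `threshold`
    404 responses inside any sliding `window`. A wordlist scan is a burst of 404s
    with a few 200s mixed in; ordinary visitors rarely generate more than a handful."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:  # slide the window start forward
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def build_sample_log():
    """Constructed sample: two ordinary visitors plus one client running a wordlist scan."""
    base = datetime(2021, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'
    lines = []

    def add(ip, secs, path, status, ua):
        ts = (base + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip=ip, ts=ts, path=path, status=status, ua=ua))

    add("192.0.2.10", 0, "/", 200, "Mozilla/5.0")
    add("192.0.2.10", 5, "/index.html", 200, "Mozilla/5.0")
    add("192.0.2.11", 30, "/oops", 404, "Mozilla/5.0")   # a single typo is not a scan
    for i in range(30):                                 # 30 guesses in 15 seconds
        add("198.51.100.7", 40 + i * 0.5, f"/word{i}", 404, "gobuster/3.1.0")
    add("198.51.100.7", 55, "/panel", 200, "gobuster/3.1.0")
    return lines


if __name__ == "__main__":
    for ip, count in find_bruteforcers(build_sample_log()).items():
        print(f"{ip}: {count} x 404 within the window")
```

Tune `window` and `threshold` against a few days of your own logs before alerting on this; a site with many broken links will need a higher threshold, and a slow scan (one request every few seconds) needs a longer window.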

/panel

The website asks us to upload a file… Remember that the website is served by Apache, so there is a good chance that the server will be able to interpret PHP.

Time to get a reverse shell with a PHP payload. For this trick I will use the well-known PHP reverse shell from pentestmonkey (don’t forget to change the host and port in the file) and pwncat as my listener.

If we try to upload this payload directly, we hit a problem: the server refuses PHP files. There are plenty of ways to get around this restriction, but I’ll use the simplest: rename the .php extension to .phtml.
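The rename works because the panel's filter is a deny-list on one spelling of the extension, while Apache hands .phtml (among other suffixes) to the same PHP handler as .php. Below is an added example for this writeup, not the room's real source: `weak_is_allowed` reconstructs that kind of deny-list, and `strict_is_allowed` shows the hardened form, an allow-list of extensions each tied to the magic bytes the content must start with, with the server choosing the stored file name. The signature table and the sample inputs are constructed for the example.

```python
import os
import secrets


# Deny-list of the kind the upload panel evidently uses (assumed reconstruction, not the room's code):
# it rejects the exact ".php" suffix and nothing else.
def weak_is_allowed(filename):
    return not filename.lower().endswith(".php")


# Hardened form: allow-list of extensions, each paired with the leading bytes that file type must have.
ALLOWED_TYPES = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def strict_is_allowed(filename, content):
    """Accept only a single allow-listed extension whose content matches that type's signature."""
    base = os.path.basename(filename)          # ignore any directory part supplied by the client
    root, ext = os.path.splitext(base)
    if not root or "." in root:                # exactly one extension in the name, nothing else
        return False
    magic = ALLOWED_TYPES.get(ext.lower())
    if magic is None:                          # anything not on the allow-list is rejected
        return False
    return content.startswith(magic)           # extension alone is not enough; check the bytes


def stored_name(filename, content):
    """Server-chosen target name: random stem plus the validated extension. None if rejected."""
    if not strict_is_allowed(filename, content):
        return None
    return secrets.token_hex(16) + os.path.splitext(filename)[1].lower()


if __name__ == "__main__":
    # Constructed inputs: the two names from the writeup plus a benign image.
    for name, body in [("shell.php", b"<?php"), ("shell.phtml", b"<?php"), ("cat.jpg", b"\xff\xd8\xff\xe0")]:
        print(f"{name:12} weak={weak_is_allowed(name)!s:5} strict={strict_is_allowed(name, body)}")
```

Even the strict check is only one layer: the upload directory should also never be handed to the script handler at all (with mod_php, `php_admin_flag engine off` inside a `<Directory>` block for the uploads path), so that a file which slips past validation is served as bytes rather than executed.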

Once we have uploaded the file to the server, we can reach it via the /uploads directory discovered earlier with gobuster.

/uploads output

Now, before clicking on the payload, let’s listen for a connection with pwncat:

pwncat-cs bind://0.0.0.0:PORT

PORT is the port you set in php-reverse-shell.phtml.

listen with pwncat

Now click on the file via /uploads and… tada! You have caught the connection in pwncat.

caught connection

Now it’s time to interact with the reverse shell through pwncat: select the session, then press Ctrl-D to switch from the local pwncat prompt to the remote shell.

session 0
CTRL D

You can then browse /var/www and grab user.txt.

first flag

Okay, now it’s time for the final step: privilege escalation. Let’s check whether there are any executables with the SUID bit set that we might be able to exploit.

find /usr/bin -perm /4000

/usr/bin is the directory to search, and -perm /4000 matches every file with the SUID bit set (the leading 4 in the octal mode is the SUID bit).

find output

Interesting: python is installed with the SUID bit set. Let’s check on GTFOBins whether we can exploit it.
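The find command above lists SUID files but leaves the judgement to the reader; on a box you administer, the useful question is which SUID binaries are not supposed to be there, and an interpreter such as python is the worst case because it gives an unprivileged user a root shell. The script below is an added example for this writeup, not code from the post: it walks a directory the way `find /usr/bin -perm /4000` does and classifies each SUID file against a baseline. The baseline set is a partial, assumed list for a stock Ubuntu install (build the real one from a known-good host, not from the machine being audited), and the entries in the `__main__` block and tests are constructed.

```python
import os
import stat

# Partial SUID baseline for a stock Ubuntu install (assumed for this example).
DEFAULT_BASELINE = {"sudo", "su", "passwd", "chsh", "chfn", "gpasswd", "newgrp",
                    "mount", "umount", "pkexec", "fusermount"}

# Interpreters and shells: a SUID bit on any of these is equivalent to handing out a root shell.
INTERPRETERS = {"python", "perl", "ruby", "sh", "bash", "dash", "php", "lua"}


def is_suid_regular(mode):
    """True for a regular file with the SUID bit set (symlinks and directories are ignored)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def classify(path, mode, baseline=DEFAULT_BASELINE):
    """None if the file is not SUID; otherwise 'expected', 'interpreter' or 'unexpected'."""
    if not is_suid_regular(mode):
        return None
    name = os.path.basename(path)
    if name in baseline:
        return "expected"
    stem = name.rstrip("0123456789.")      # python3.6 -> python, php7 -> php
    if stem in INTERPRETERS:
        return "interpreter"
    return "unexpected"


def audit(entries, baseline=DEFAULT_BASELINE):
    """entries: iterable of (path, st_mode). Returns {path: classification} for SUID files only."""
    result = {}
    for path, mode in entries:
        kind = classify(path, mode, baseline)
        if kind is not None:
            result[path] = kind
    return result


def audit_tree(root="/usr/bin", baseline=DEFAULT_BASELINE):
    """Live equivalent of `find /usr/bin -perm /4000`, with the classification applied."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                entries.append((p, os.lstat(p).st_mode))   # lstat: do not follow symlinks
            except OSError:
                continue
    return audit(entries, baseline)


if __name__ == "__main__":
    # Constructed entries mirroring the situation in the room: sudo is expected, python is not.
    sample = [("/usr/bin/sudo", 0o104755), ("/usr/bin/python", 0o104755),
              ("/usr/bin/ls", 0o100755), ("/usr/bin/helper", 0o104755)]
    for path, kind in sorted(audit(sample).items()):
        print(f"{kind:12} {path}")
    # On a real host, replace the sample with: audit_tree("/usr/bin")
```

Run `audit_tree()` from cron or a configuration-management check and alert on anything classified `interpreter` or `unexpected`; the fix for the room's finding is simply `chmod u-s` on the interpreter, since nothing legitimate needs python to run setuid.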

GTFOBins SUID section

Very interesting: we can spawn a shell with python (the -p flag tells sh to keep the elevated effective UID instead of dropping it). Let’s do this:

python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

Let’s go! We are root! Let’s check the /root folder for the root.txt flag!
