RootMe CTF

Dure Shahwar
Oct 29, 2023


  1. Deploy the machine (no answers needed)
  2. Reconnaissance

Use nmap -sV <ip_addr> to find the number of open ports, which is 2: ssh and http. The same scan also gives the version of Apache, which is 2.4.29. The service on port 22 is ssh. For the question about finding directories on the web server no answer is needed. To run gobuster: gobuster dir -u 10.10.121.221 -w WORDLIST_PATH
The wordlist path can be found in /root/Desktop/Tools/wordlists/dirbuster. The command you need to run is gobuster dir -u <ip_addr> -w /root/Desktop/Tools/wordlists/dirbuster/directory-list-2.3-medium.txt. The hidden directory is panel.

3. To get a shell

In this case we need to go to the IP address in a web browser. The hidden directory named panel takes you to an upload form. We can go to https://github.com/pentestmonkey/php-reverse-shell to get a reverse shell payload. What we need to do is create a shell.php file that we can upload to the vulnerable server. nano shell.php opens the nano editor, where you can copy-paste the payload from the git repository; then we need to change the ip_address and port to the ones we want to use for our communication.
In this case I leave the port at the default 1234. Once that is done, it's time to upload it to the /panel/ folder we found earlier. The server does not accept a .php file. We know we have a .php file, and PHP files can have different extensions; a quick look at Google shows the other extensions are .php3, .php4, .php5, .php7, .phtml and .pht. This is trial and error now: we need to see which one is accepted, so we simply edit the extension. I changed the extension to .php5 and it was accepted by the server. Now we need to go to ip_addr/uploads/. To open a netcat listener, open a terminal and type nc -lvnp 1234, then click on the shell in the /uploads/ directory and switch to the netcat terminal window.
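The upload form only rejects the literal .php suffix, which is why a .php5 upload gets through while Apache still executes it as PHP. As an added example (not code from this post or from the room), the following Python compares that blocklist check against an allowlist check; it also covers double extensions such as a.php.png, which the post does not mention. The extension sets, allowed image types and sample filenames are constructed for the demonstration.

```python
import os
import re

# Extensions a default Apache+PHP setup commonly maps to the PHP interpreter
# (the alternates the post lists, plus .php itself). Constructed for this
# example; used only to show what the weak check lets through.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".pht"}

# Image types the upload form is assumed to be meant for.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


def weak_check(filename: str) -> bool:
    """Blocklist check like the one on /panel/: only '.php' is rejected."""
    return not filename.lower().endswith(".php")


def hardened_check(filename: str) -> bool:
    """Allowlist check: strip any path, require exactly one extension
    from the allowlist, and reject everything else (.php5, .phtml,
    double extensions such as 'a.php.png', names with no extension)."""
    base = os.path.basename(filename)
    # Reject path components, null bytes and empty names outright.
    if base != filename or "\x00" in filename or not base:
        return False
    # Exactly one dot: one stem, one extension (defeats a.php.png tricks).
    if base.count(".") != 1:
        return False
    stem, ext = os.path.splitext(base)
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return False
    return ext.lower() in ALLOWED_EXTENSIONS


def would_execute_as_php(filename: str) -> bool:
    """Whether the server would run this file as PHP code."""
    return os.path.splitext(filename)[1].lower() in PHP_EXTENSIONS


def audit(filenames):
    """Return the names the weak check accepts that would still run as PHP."""
    return [f for f in filenames if weak_check(f) and would_execute_as_php(f)]


if __name__ == "__main__":
    SAMPLES = ["photo.png", "shell.php", "shell.php5", "shell.phtml", "a.php.png"]
    for name in SAMPLES:
        print(f"{name:12} weak={weak_check(name)!s:5} hardened={hardened_check(name)}")
    print("bypasses of the weak check:", audit(SAMPLES))
```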

To find user.txt use find / -type f -name user.txt 2> /dev/null

  • -type f — you are telling find to look exclusively for files
  • -name user.txt — instructing the find command to search for a file with the name “user.txt”
  • 2> /dev/null — so error messages do not show up as part of the search result

We can see where the file is located; to open the file type cat /var/www/user.txt

answer: THM{y0u_g0t_a_sh3ll}

4. Privilege Escalation

Search for files with the SUID permission bit set. Run the command find / -user root -perm /4000. It looks for root-owned files with the SUID bit, which run with root's privileges. Look through the output of the command to find which file can be exploited to gain root access.

Answer: /usr/bin/python

For the GTFO, go to GTFOBins https://gtfobins.github.io/ and look up the Python SUID entry. Copy the command into our user shell; only the second part of the command needs to be run here. Type whoami to confirm. To find root.txt, run this command in the terminal: find / -type f -name root.txt

Answer: THM{pr1v1l3g3_3sc4l4t10n}
