TryHackMe: RootMe

Cybertrinchera
Published in CodeX
4 min read · Dec 14, 2022

RootMe is an easy TryHackMe machine in which we will bypass a file upload filter and exploit a SUID binary to elevate privileges on the system.

As usual in TryHackMe, we must connect to the VPN or use the AttackBox. I will choose the VPN. We press the Start Machine button and, a minute later, the IP address is shown. Now we proceed with the initial reconnaissance using Nmap:

nmap -p- -sV -Pn $IP

The -p- parameter (the -p option with a hyphen) tells Nmap to scan all ports, -sV fingerprints the versions of the services found, and -Pn scans the host even if it does not respond to ping.

We can see that the machine has few services open, only SSH and a web server. Let’s dig into the web server.

Web server enumeration

Fuzzing directories, we found a couple of interesting entries:

In /panel, we find a file upload form. It seems that it does not allow uploading files with the .php extension, so we could try other extensions.

Our first task should be to find out which extensions the server allows. I will use Burp Suite's Intruder for that, although it could be done simply by trying different extensions in the upload form.

Now, we add a wordlist of common extensions and launch the attack.

In this case, it seems that we can upload files with any extension except .php. We need to check whether the server executes any other extension as PHP code. To do this, we request each of the uploaded files with a dangerous extension under /uploads; we can see that .php5 and .phtml are executed as PHP.
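The filter on this machine fails because it blocks one literal extension instead of allowing only the types the form needs. The following added example (my own code, not the machine's actual filter, which the write-up does not show) places that weak check beside a hardened one; it assumes the form is meant to accept images only, and the file names are constructed samples.

```python
import os
import re

# The bypassable logic described above: reject only the literal ".php".
WEAK_BLOCKLIST = {".php"}

# Assumption: the upload form only needs images, so allow only these.
SAFE_ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif"}

# Extensions that common Apache/PHP handler configurations pass to the
# PHP engine (.php, .php5, .phtml, .pht, .phar, .phps).
PHP_LIKE = re.compile(r"^\.ph(p[0-9]?|tml|t|ar|ps)$")


def weak_filter_allows(filename: str) -> bool:
    """Original behaviour: only the final extension is checked, and only
    against the single string '.php', so '.php5' and '.phtml' slip past."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in WEAK_BLOCKLIST


def hardened_filter_allows(filename: str) -> bool:
    """Allowlist approach: strip any path component, reject dotfiles and
    names without an extension, reject a PHP-like segment anywhere in the
    name (covers 'shell.php.jpg' on servers that match any segment), and
    require the final extension to be one the form genuinely needs."""
    base = os.path.basename(filename.replace("\\", "/")).lower()
    if base in ("", ".", "..") or base.startswith("."):
        return False
    parts = base.split(".")
    if len(parts) < 2:
        return False
    exts = ["." + p for p in parts[1:]]
    if any(PHP_LIKE.match(e) for e in exts):
        return False
    return exts[-1] in SAFE_ALLOWLIST


def find_bypasses(filenames):
    """Names the weak filter accepts but the hardened filter rejects."""
    return [f for f in filenames
            if weak_filter_allows(f) and not hardened_filter_allows(f)]


# Constructed sample of upload attempts, not taken from the machine.
SAMPLES = ["shell.php", "shell.php5", "shell.phtml", "shell.php.jpg",
           "photo.jpg", "PHOTO.JPG", ".htaccess", "noext"]
```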

Now we can upload any PHP web shell, such as c99 or similar, to the server by changing its extension. For convenience, I will upload the PentestMonkey reverse shell to get a connection back to my machine instead of working with a web shell.

To use this reverse shell, we need to modify the two lines of code corresponding to the IP and port of the connection. In my case, I use port 443 for the listener and the IP of my TryHackMe machine. We can start the listener with the following command:

nc -lvnp 443

Now, we just need to upload our web shell and access the file to receive the connection.

As we can see, we have obtained command execution as the www-data user. It is time to see if we can pivot to another user and escalate privileges in the system.

First, we will check the usual suspects: capabilities, SUID binaries, commands that can be executed as another user, etc. We will start by listing the binaries with the SUID bit set using the following command:

find / -perm /4000 2> /dev/null

Among the results, we will see /bin/python, which is a known GTFOBins entry that allows us to elevate privileges by executing the following command:

python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

Now we can simply execute the command and get a shell with root group privileges.

PWNed!

I hope you enjoyed my article and found my content useful. See you in the next article.


Also known as srbleu on many platforms. I'm here to share some knowledge.