THM RootMe Walkthrough



Welcome back geeks (a term of endearment I assure you).

Today we are going to do a quick guided walkthrough of the RootMe box by TryHackMe. Without further ado, start your engines and get ready for the nmap scan.


This answers the first two questions:

Scan the machine, how many ports are open?

What version of Apache is running?

It then tells us to perform a directory list scan on the box, and find the hidden directory. Easy enough!


Browsing to our secret directory, we find a landing page with what looks to be an upload form. Im going to go straight for gold and see if it will take a php reverse shell. The one we are going to be using is the PentestMonkey PHP-Reverse-Shell. Make sure to edit the shell to contain your IP and listening port before uploading.


Nope. Not sure what language that is, but I'm pretty certain it translates as "Nice try, not going to happen". I'm guessing it's a file extension filter, we can try and bypass that by changing our shell to php5.




Green and "sucesso!". This looks more promising. We can see from our earlier gobuster scan that there was an /uploads directory. Running a quick check shows us that our shell has landed on the server as expepcted.


Before we open the shell we uploaded, we need to start netcat on our machines specified listening port (1337 of course!) in order to catch the reverse shell. Then go ahead and click on the file we uploaded to the server.


We got a low-level shell as user www-data. Still probably enough to get the user flag, so let's go ahead and grab that.


Time for root. The box instructions give us a big hint here, and suggest looking for files with SUID permission, so that's what we will do!


Python.... Ok! As usual GTFOBins gives us a helping hand here in escalating privileges using this binary.



Just like that. We are root.

Thanks for following along, I find that writing these things down helps to cement my learning. And hopefully you learnt something new yourself!

Comments

Post a Comment

Popular posts from this blog

Defending against physical intrusion attacks - The under door tool.

Image
Good morning all, how are we doing today? Watch anything good on Netflix recently? Many plans for the bank holiday weekend? Did you remember to deadbolt the office before you left yesterday? Wait… what? Yesterday the postman came. And this is what he brought me: What the hell is that?   Well it’s an under door tool (UDT) of course. A thin piece of flexible metal attached to a string, that can be folded away and neatly concealed in a rucksack, belt, or there are even versions that can be dismantled and stored in a pocket  (great video by the notsocivilengineer - showing a homemade collapsable UDT). So what does it do? And why should I care about your stupid bendy metal rubbish? This tool is designed to bypass the type of doors that are locked from the outside, but open with just an operation of the handle from the inside. They are usually accompanied by an RFID entry system or a code. This means you need to have the authentication to get in, but anyone can get out. And herein lies the f
Read more

THM Brooklyn Nine Nine Walkthrough

Image
Welcome to my walkthrough of the Brooklyn Nine Nine box from TryHackMe.com. This is my first writeup, so apologies in advance for any mistakes. I will try to keep things spoiler free whilst also showing as much information as possible. So without further delay, lets begin. First things first, start both the machine and the Attack Box, this takes a few minutes, so I'm going to grab a brew in the meantime. Hacking doesn't work without caffeine (and a black hoodie of course)! Ok. so coffee is sorted and box is loaded. Lets begin with an nmap scan, we're not trying to be stealthy here so I use aggressive mode with a full TCP connect and scan all ports. THM are known to hide things on obscure ports so best to check them all even if it does take a little longer. Scan results are in! We have port 21 running an FTP server, anonymous login is allowed and looks like we have an interesting file called "note_to_****.txt" . We are also running SSH on port 22 and HTTP on port 8
Read more