Root Me | TryHackMe Writeup
Task1 : Deploy the machine
Connect to tryhackme vpn
1- click to OpenVPN
2- download VPN file
3- run the file (sudo openvpn file.ovpn)
Task2 : Reconnaissance
nmap -sV <Machine IP>
- -sV : Version detection
There are 2 ports open :
22/ssh — OpenSSH 7.6p1
80/http — Apache httpd 2.4.29
#1.1- Scan the machine , how many ports are open ?
#1.2- What version of Apache is running?
#1.3- What service is running on port 22?
next step : fuzzing directories using Gobuster tool
gobuster dir -w <Path_To_Wordlist> -u http://<Machine_IP>
- w : wordlist
- -u : url
#1.4- Find directories on the web server using the GoBuster tool.
No answer needed
#1.5- What is the hidden directory?
Task3 : Getting a shell
navigate to url http://<Machine_IP>
it’s not an important page
check the panel directory
includes file upload vulnerability , try to upload file with php extension
php extension not permitted
try to upload file with php5 extension
php5 is permitted
so , search for php reverse shell pentester monkey on github
open the file and change the ip to your attacker ip and the listener port on your machine
try to upload the file and check the uploads directory
click to shell.php5 and listen with your port ( nc -nv 4444 )
we got a shell
i need the user flag , so i can search on terminal about user.txt by following command
find / -type f -name user.txt
/ : root directory
- type f : file
- -name : file name
user.txt exists on /var/www
Task5 : Privilege escalation
Search for files with SUID permission, which file is weird?
With the find command we can look at the binary file who have SUID, and /usr/bin/python is an interesting file.
2.Find a form to escalate your privileges.
Just click Completed
Because I just need to read root.txt, so I use File read command from gtfobins.
So, to read root.txt file write this command
python -c ‘print(open(“/root/root.txt”).read())’
Machine hacked done ..