Introduction
RootMe is a beginner-level capture-the-flag challenge from TryHackMe. The tasks are arranged to help newcomers through the processes of hacking this machine. It starts with enumerating the system by scanning for open ports and directories. Next, we will bypass the website’s upload restrictions and gain a reverse shell on the webserver. Finally, we will abuse SUID permissions to escalate user privileges to root.
Information Gathering
There is not a lot of information to be gathered during the information-gathering phase. Almost all of the reconnaissance task questions can be answered through Nmap.
There are 2 open ports on this machine. This Ubuntu server is using Apache version 2.4.29 and is running SSH on port 22.
The last thing to find is if there are any hidden directories on the Apache webserver.
Gobuster found a couple of directories, but the ones of importance are /panel and /uploads.
Exploitation
Let’s check out the /panel/ directory.
It looks like we can upload any file we want to it. Let’s try uploading a PHP reverse shell. “A reverse shell is a shell session established on a connection that is initiated from a remote machine, not from the attacker’s host.”
It looks like the webserver does not allow PHP files to be uploaded to it. “Developers may blacklist specific file extensions and prevent users from uploading files with extensions that are considered dangerous.”
We can try to bypass the file upload blacklist by changing the extension of the file. For example, I have changed the file from reverse.php to reverse.php.php5.
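The bypass works because the upload check only looks at the text after the last dot and compares it with a short blacklist, while the web server still hands any name containing a PHP extension to the PHP handler. The following is an added example, not code from the original write-up or from TryHackMe: a naive check of the kind described above placed beside a hardened one that allowlists the final extension and rejects a script extension anywhere in the name. The sample file names, the blacklist, and the set of script extensions are constructed for this illustration.

```python
import os
import re

# Constructed sample upload names (not taken from the original write-up).
SAMPLE_NAMES = [
    "photo.jpg",
    "reverse.php",
    "reverse.php.php5",
    "notes.PHP",
    "shell.phtml",
    "image.jpg.php",
    "report.pdf",
]

# Extensions the naive check refuses. Deliberately short, to show the gap.
NAIVE_BLACKLIST = {"php"}

# Extensions the hardened check permits; everything else is refused.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Extensions a typical Apache/PHP handler config would execute. Assumption for
# this example; take the real list from the server's own AddHandler/FilesMatch rules.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def naive_is_allowed(filename: str) -> bool:
    """Only inspects the last extension against a blacklist, so a second
    extension such as .php5 slips through."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in NAIVE_BLACKLIST


def hardened_is_allowed(filename: str) -> bool:
    """Allowlist the final extension and refuse any script extension in any
    position, so double extensions and case changes do not help."""
    base = os.path.basename(filename)          # drop any path components
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False                           # no extension, or a dotfile
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return False
    if any(p in SCRIPT_EXTENSIONS for p in parts[1:]):
        return False                           # e.g. image.jpg.php, reverse.php.php5
    # Restrict the stored name to plain characters.
    return re.fullmatch(r"[a-z0-9_.-]+", base.lower()) is not None


def compare(names=SAMPLE_NAMES):
    """Return {name: (naive_verdict, hardened_verdict)} for each sample name."""
    return {n: (naive_is_allowed(n), hardened_is_allowed(n)) for n in names}


if __name__ == "__main__":
    for name, (naive, hardened) in compare().items():
        print(f"{name:20} naive={naive!s:5} hardened={hardened}")
```

A name check alone is still not enough in production: the stored file should also be renamed to a server-generated name, written outside the web root or to a directory where script execution is disabled, and its content type verified, so that an uploaded file can never be reached as an executable URL the way /uploads/reverse.php.php5 was here.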
The file has been successfully uploaded! We can even check out the /uploads/ directory to confirm that the file has been uploaded.
We can use the netcat tool to listen for incoming connections on port 4444. After opening the /uploads/reverse.php.php5 file in the web browser, the server makes the connection back to our listener.
We can use the find command to search for files on the system. Since we know the file we are searching for is named user.txt, we can use the -name flag to search for it. The 2> /dev/null at the end of the command discards error messages (such as permission-denied errors from directories we cannot read) so that only the matching paths are printed.
Post Exploitation
Before this challenge, I had no idea what SUID permissions were. “It is a special file permission for executable files. This enables other users to run the file with the effective permissions of the file owner.”
The question hint gives the command find / -user root -perm /4000. This command searches the whole filesystem, starting at /, for files owned by root that have the setuid bit (mode 4000) set. When the setuid bit is set on a file owned by root, anyone who executes that program runs it with root’s effective permissions instead of their own, which is what makes such files a route to privilege escalation.
One that sticks out to us is the /usr/bin/python file. Because the interpreter itself runs with root’s permissions, we might be able to execute Python code that escalates our privileges to root.
This python code should spawn an interactive bash shell as root.
Just like that, after changing our directory to /usr/bin and executing the Python code, we are root. The root.txt file is found in the root directory.
Conclusion
In conclusion, RootMe was a fun challenge with a lot to learn from. We enumerated the services running on the machine, bypassed file upload restrictions, and escalated our privileges by abusing the SUID bit on a root-owned binary. File permissions can give unauthorized users access to resources that they were never intended to have.