For today's walkthrough, let's look into the RootMe room, which tests the player's information gathering skills and knowledge of privilege escalation.
We start by deploying the machine as usual.
Once the machine is running, we can start information gathering by executing `nmap -sV -sC -A -T4 -Pn <IP Address>`
From the output we receive, we can verify that the machine has the following ports open:
- 22 – SSH (OpenSSH 7.6p1)
- 80 – HTTP (Apache httpd 2.4.29)
We also notice that the machine is running the Ubuntu operating system.
Let's dive into the website, since we know the machine has port 80 open.
I didn't see anything odd on the website itself, but we need to analyse the source code as well.
There is nothing suspicious in the source code either, so we have nothing to use for now. Let's run a scanning tool to enumerate any directories that reside on the website.
In the challenge questions we are asked to use gobuster for this activity, but I will take a different tool: I will be using dirb (also known as DirBuster).
Let's run the tool!
Based on the output above, I found the directory /panel/, which looks suspicious for a site like this.
Let's check the directory.
Oh wow! We got a page that lets us upload a file, as shown above. We can upload a shell to the website.
We can retrieve the shell source code over here.
Once the file is uploaded to the website, we need to locate where it was stored.
Re-checking the dirb output, we notice that there is an /uploads/ directory on the website.
Oh wow. We have found the location of the file we just uploaded. Before clicking on the shell, we need to start a netcat listener on our port by running the following command:
nc -lvnp <port>
*Reminder: we listen on the port that we set in the shell's source code.
You will get the connection back within seconds and it will look like the output below:
We now have a shell on the server. Next, we need to locate the file "user.txt" that has been saved on the server. We could check each folder by hand.
A faster way to locate the file is to use the command `find / -name "user.txt" 2>/dev/null`
The file is located in /var/www, so we need to change into that directory in order to read user.txt.
Got it! Now we need to find a way to access the server with root privileges.
The question asks us to find unusual files that have the SUID permission set.
The command we can use is as follows:
find / -user root -perm /4000 2>/dev/null
It is hard to tell which files are unusual from the list alone. To identify them, we need to compare against another machine, which in this case is my own machine.
While comparing the SUID lists of the two machines, I noticed that /usr/bin/python is not a binary that normally carries the SUID bit on a Linux operating system.
We need to run a command that will take us straight to root privileges.
Let's google GTFOBins!
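The baseline comparison described above, as an added example that is not part of the original walkthrough: a POSIX shell audit that lists root-owned SUID binaries on a host and reports any entry that is absent from a baseline taken on a known-good machine of the same distribution. The sample lists below are constructed for the demo; on a real host you would feed `collect_suid` output from both machines.

```shell
#!/bin/sh
# Added example (not from the original post). Audits the SUID binaries of a
# host against a baseline captured on a trusted reference machine.

# Collect root-owned SUID regular files, sorted. Errors are silenced because
# many directories are unreadable to an unprivileged user.
collect_suid() {
    find / -user root -perm /4000 -type f 2>/dev/null | sort -u
}

# Print entries present in the audited list ($2) but missing from the
# baseline ($1). Both files hold one path per line; comm needs sorted input,
# so each is sorted into a temp file first.
suid_diff() {
    b=$(mktemp); a=$(mktemp)
    sort -u "$1" > "$b"
    sort -u "$2" > "$a"
    comm -13 "$b" "$a"      # lines only in the audited list
    rm -f "$b" "$a"
}

# Constructed sample data: a stock Ubuntu-style baseline and an audited
# host that carries one extra SUID binary (the one found in this room).
BASELINE_SAMPLE='/bin/mount
/bin/su
/bin/umount
/usr/bin/passwd
/usr/bin/sudo'
AUDITED_SAMPLE='/bin/mount
/bin/su
/bin/umount
/usr/bin/passwd
/usr/bin/python
/usr/bin/sudo'

# Run the comparison on the constructed samples and print the unexpected
# entries; each one is a candidate for `chmod u-s` after review.
demo_suid_diff() {
    bf=$(mktemp); af=$(mktemp)
    printf '%s\n' "$BASELINE_SAMPLE" > "$bf"
    printf '%s\n' "$AUDITED_SAMPLE" > "$af"
    suid_diff "$bf" "$af"
    rm -f "$bf" "$af"
}

demo_suid_diff   # prints /usr/bin/python
```

Running `collect_suid > baseline.txt` on the reference machine and `collect_suid > host.txt` on the audited one, then `suid_diff baseline.txt host.txt`, gives the same comparison the walkthrough does by eye.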
For those not familiar with GTFOBins, it is described as follows:
GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. (Source: GTFOBins GitHub)
Let's search for the python SUID entry, and we find the following result.
Let's copy and paste the python command while in /usr/bin, as shown below:
We are now root, and we use the same trick we used to find "user.txt": `find / -name "root.txt" 2>/dev/null`
We can read what is written in root.txt by running `cat root.txt`
Happy learning, guys!