Beri Contraster

RootMe: TryHackMe Walkthrough



Difficulty: Easy

Created by: ReddyyZ


Welcome Reader. Today we'll hack RootMe from TryHackMe. Let's start with an Nmap scan.



Nmap


It's an Ubuntu host with Apache running on port 80. Let's take a look at the website.



Just a simple page with "Can you root me?" on it. There is nothing in the page source, so let's do directory fuzzing and see if we can uncover some hidden treasure.



The Panel directory has a file uploader running.



Let's try to upload a PHP reverse shell. I'll be using this one. Change the IP address and port (optional).



I cannot upload a PHP file. Let's try changing the extension to bypass the file upload filters.



It worked: I changed the file extension from .php to .phar. You can read more about file upload bypasses and extensions here. Fire up your Netcat listener and visit http://10.10.20.239/uploads/shell.phar. It'll give you a reverse shell. The uploads directory was discovered earlier in our gobuster fuzzing.
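Why the rename got through, and what a stricter check looks like, as an added example that is not the room's code or part of the original post. It assumes the panel's filter is a blocklist containing only `.php`; the function names, the allowlist and the sample uploads are constructed for illustration.

```python
import os
import secrets

# Assumption: the panel's filter behaves like a blocklist of known-bad extensions.
BLOCKED_EXTENSIONS = {".php"}

# Hardened policy: only these extensions, each tied to its file signature.
ALLOWED_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def blocklist_accepts(filename: str) -> bool:
    """Weak check: reject only the extensions someone remembered to list."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED_EXTENSIONS


def allowlist_store_name(filename: str, content: bytes):
    """Return a server-chosen storage name, or None if the upload is rejected."""
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    signature = ALLOWED_SIGNATURES.get(ext)
    if signature is None:
        return None  # extension not explicitly allowed (.phar, .phtml, none, ...)
    if not content.startswith(signature):
        return None  # content does not match the claimed type
    # Never reuse the client's name: no double extensions, no path components.
    return secrets.token_hex(16) + ext


# Constructed sample uploads (not taken from the room).
SAMPLES = [
    ("shell.php", b"<?php /* constructed */ ?>"),
    ("shell.phar", b"<?php /* constructed */ ?>"),
    ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("shell.php.png", b"<?php /* constructed */ ?>"),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(f"{name:15} blocklist={blocklist_accepts(name)!s:5} "
              f"allowlist={allowlist_store_name(name, body)}")
```

Extension checks are only one layer; serving the uploads directory with script execution disabled keeps an uploaded file from running even if one slips through.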


USER


Let's do a shell upgrade. You can read more about the shell upgrade here.



Now that we have a stable shell let's root this box. The user flag is under /var/www/user.txt.



ROOT

I always do manual enumeration before moving on to automated scripts like linpeas.



While enumerating files with the SUID bit set, I found Python among them, which seems odd. Let's try escalating privileges with Python.


I used a simple command from GTFOBins and popped a root shell. "GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems."



Thanks for reading. If you have any questions please don't hesitate to ask.
