Day-01: TryHackMe [RootMe] room Walkthrough
![Day-01: TryHackMe [RootMe] room Walkthrough](/_next/image?url=https%3A%2F%2Fcdn.hashnode.com%2Fuploads%2Fcovers%2F6914271866fe9f4d18f8b8c2%2F13f0e755-d48e-4e80-8845-ede491728c92.jpg&w=3840&q=75)
Hello there, I'm Adbin Magar, the person behind TheGreyLens. I've decided to take on a challenge: do one TryHackMe CTF room every day and write a walkthrough for it. This is Day 1, and as a friend I'd advise you to try the challenge too. Now let's start:
Phase 1: Reconnaissance (Information Gathering)
First, I used nmap to map the target. Here is what each option I used does, so you know why it is there:

- -sV: service/version detection. Nmap probes each open port to identify the service and its version instead of only reporting the port as open.
- -vv: very verbose. Nmap prints results (open ports, hosts) as it finds them instead of only at the end, so you can watch the scan in real time.
- -T5: timing template 5 ("insane"). It is not a thread count: the templates run from 0 to 5 and set how aggressively Nmap probes (parallelism, probe timeouts, retry limits). Nmap's default is -T3. In real-world engagements we usually stay at -T4 or lower, because -T5 is noisy and sacrifices accuracy (it gives up on slow ports and can overload a fragile target), but for a lab like TryHackMe it gets results quickly.
- -p-: scan all 65535 TCP ports instead of Nmap's default top 1000. -p followed by a list (for example -p 22,80) restricts the scan to just those ports; the bare -p- means "every port".

The scan showed two open services: SSH and HTTP.
Phase 2: Enumeration
With SSH and HTTP identified, I used Gobuster with the common.txt wordlist to brute-force directories on the web server. That revealed /panel, a page with a file-upload form, and /uploads, where the uploaded files are stored and can be requested directly by name.
Phase 3: Exploitation (Upload & Execute)
Since the target has an upload feature, I performed an upload-and-execute attack with a pre-written PHP reverse shell from GitHub. First, clone it:
git clone https://github.com/pentestmonkey/php-reverse-shell
Alternatively, https://www.revshells.com/ generates a reverse-shell one-liner for almost any language once you type in your IP and port. It works just as well for getting a shell back, so save it in your bookmarks.
Then I opened the PHP file and set my attacker IP and port in it. The upload form rejects the .php extension, so to bypass the check I renamed the file to .phtml (PHP embedded in HTML). The filter only blocks the literal .php extension, while Debian's Apache PHP module configuration maps .phtml (and .phar) to the PHP handler as well, so the server still executes the file as PHP.
I then uploaded php-reverse-shell.phtml through the /panel form, and it reported success.
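Here is why the rename works, as an added example that is not part of the original post or the RootMe room. The first function is an assumed reconstruction of the kind of extension blacklist the /panel form appears to use (the real server-side code was never visible); the second is an allowlist that would have stopped the .phtml trick. Both functions and the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the room's or the original post's code): a hypothetical
# extension blacklist like the one the upload form seems to use, next to an
# allowlist that closes the .phtml hole. Return 0 means "upload allowed",
# return 1 means "upload blocked", like a form that echoes success/failure.

# Naive blacklist: refuses only names ending in ".php". Anything else, including
# the other extensions the PHP handler executes (.phtml, .phar), gets through.
blacklist_filter() {
    case "$1" in
        *.php) return 1 ;;
        *)     return 0 ;;
    esac
}

# Hardened allowlist: reject multi-dot names (stops "shell.php.jpg" style double
# extensions), lower-case the final extension, and accept only image types.
allowlist_filter() {
    name=$1
    case "$name" in
        *.*.*) return 1 ;;
    esac
    ext=$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z')
    case "$ext" in
        jpg|jpeg|png|gif) return 0 ;;
        *)                return 1 ;;
    esac
}

# Show both filters side by side on a few constructed upload names.
demo_filters() {
    for f in shell.php php-reverse-shell.phtml shell.php.jpg avatar.PNG; do
        bl=blocked; blacklist_filter "$f" && bl=allowed
        al=blocked; allowlist_filter "$f" && al=allowed
        printf '%-26s blacklist=%-8s allowlist=%s\n' "$f" "$bl" "$al"
    done
}

demo_filters
```

The blacklist lets php-reverse-shell.phtml straight through, which is exactly what happened on the box; the allowlist blocks it and also blocks the double-extension variant, which is the check a practitioner would want the upload form to have.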
Next I started a netcat listener to catch the incoming connection from the target. Remember that we set the port in the pre-written script to 1234, so the listener has to be on 1234 as well:
In the /uploads directory our script is listed. Clicking it makes the server execute it, and the connection came straight back to the terminal on my attacker machine.
Boom, we have a reverse shell: running ls lists the target's directory, which confirms I am inside the target.
Now I need to find user.txt, so let's not waste time and use the find command to locate it:
find / -type f -name user.txt
The find output shows user.txt in the /var/www/ folder. Reading it with cat gives the flag. Mission complete for the user.txt flag.
Next, I searched for SUID binaries: files whose setuid bit makes them run with the privileges of their owner (root) even when a normal user starts them. Think of it as a 'VIP badge' left on a table that grants temporary root access. I used:
find / -user root -perm -4000 -type f 2>/dev/null
In the output the unusual entry is /usr/bin/python2.7. An interpreter should never be SUID: anyone who can run it can run arbitrary code as its owner, which is why it is such a common privilege-escalation path.
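To see what the -perm options actually match, here is an added example that is not from the original post or the room. It builds a throwaway directory tree (constructed for the demo, nothing on the real system is touched), marks one file setuid, and runs the SUID hunt against it, next to a loose mask that matches nearly every file. The -user root test is left out because the demo files are owned by whoever runs it.

```shell
#!/bin/sh
# Added example (not the room's or the original post's code): a constructed
# directory tree with one setuid file, used to show the difference between
# "-perm -4000" (setuid bit must be set) and "-perm /400" (owner-readable,
# which is almost every file). On a real box you would root the search at /
# and add "-user root" to keep only root-owned binaries.

# Build the sample tree: two ordinary files and one with the setuid bit set.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/bin" "$dir/home/user"
    printf '#!/bin/sh\n' > "$dir/usr/bin/python2.7"
    printf '#!/bin/sh\n' > "$dir/usr/bin/ls"
    printf 'flag\n'      > "$dir/home/user/user.txt"
    chmod 0755 "$dir/usr/bin/ls"
    chmod 4755 "$dir/usr/bin/python2.7"   # setuid bit: the thing we hunt for
    printf '%s' "$dir"
}

# The walkthrough's SUID hunt, rooted at $1 instead of /.
# "-perm -4000" means "all of these bits are set", i.e. the setuid bit.
find_suid() {
    find "$1" -perm -4000 -type f 2>/dev/null | sort
}

# A loose mask: "-perm /400" means "any of these bits is set", and 0400 is only
# owner-read, so this matches practically every file and tells you nothing.
find_owner_readable() {
    find "$1" -perm /400 -type f 2>/dev/null | sort
}

# Line counts so the difference is easy to compare.
count_suid()           { find_suid "$1"           | wc -l | tr -d ' '; }
count_owner_readable() { find_owner_readable "$1" | wc -l | tr -d ' '; }

# Run the comparison against the constructed tree and clean up.
tree=$(make_sample_tree)
echo "setuid files:         $(count_suid "$tree")"
echo "owner-readable files: $(count_owner_readable "$tree")"
find_suid "$tree"
rm -rf "$tree"
```

The setuid search returns exactly the one python2.7 file, while the loose mask returns all three files in the tree; on a real host the second form would print thousands of paths and bury the interesting binary.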
For the privilege escalation I went to https://gtfobins.org/gtfobins/python/. Since /usr/bin/python2.7 has the SUID bit set, I went to the 'SUID' section, which gives the exact one-liner for this case: it uses Python to exec /bin/sh with its -p option, so the new shell keeps the effective root UID instead of dropping it. Run it with the SUID interpreter itself (/usr/bin/python2.7), not whatever python is first in PATH.
Boom, we escalated from a normal user to root. Now the goal was root.txt. I ran ls first and guessed the flag would be in the root folder, but I searched for root.txt directly anyway, and find confirmed it is in /root.
With root.txt located in /root, cat reads it and gives us the root flag.
🎯 Day 1 Mission Accomplished
Flag captured! That concludes Day 1 of my daily CTF challenge. Today was a great learning experience, and I hope you learned something too. See you on Day 2.
Happy Hacking :)