First of many writeups for CTF boxes.
Word of caution.
I believe it’s important to document the roadblocks along the way as I figure out the solution so this may be longer than the others you may find on the Internet.
Goals.
Find flag in “user.txt”.
Find flag in “root.txt”.
Starting with some simple service enumeration with an nmap scan.
We now know that 2 ports are open, 22 and 80. Let’s also utilise gobuster to see if there any hidden directories available to us.
Running a quick scan, we have a few interesting options.
Navigating to /panel/, we find an upload form.
Let’s try uploading a non-malicious common format to see if it is accepted.
Success! We now know that the portal accepts .jpg and we can use this information for later.
Navigating to /uploads/, we can also confirm our file has been successfully uploaded.
Now let’s try a little something more malicious courtesy of pentestmonkey, a PHP reverse shell.
Github — https://github.com/pentestmonkey/php-reverse-shell
Let’s try uploading it as-is.
No dice. The upload form rejects our .php file.
Let’s try some low hanging fruit before utilising Burp or messing around with magic bits like renaming the file!
No dice. How about an alternative .php extensions like .php5?
Bingo. Let’s confirm that our file has been uploaded in /uploads/.
With our reverse shell uploaded, let’s start a netcat listener on our machine.
Great! We have a connection and our reverse shell is working.
Using the command “find . -name user.txt”, we find the text file we need for our first flag.
With the command “cat /var/www/user.txt”, we achieve our first goal!
Now let’s have a look at what we are able to execute and possibly escalate our privileges. By using “find . -perm /4000”, we see that we have python available to us.
From here, I had to do some googling to find what I could do with python that would allow me to escalate my privileges and it led me to gtfobins.
Link — https://gtfobins.github.io/
Let’s see what we can do python SUID misconfigurations.
It seems that if we run python and call/execute the system shell, it should allow us to escalate our privileges.
Success! Now let’s look for our second goal, the contents of “root.txt”.
Utilising the same commands we used for “user.txt”, we can find our second flag!
/ctf/tryhackme/RootMe complete.
