First things first, we will do some reconnaissance with a nmap scan. We are looking to find out how many ports are open, what version of Apache is running, what service is running on port 22 and what the name of a hidden directory is in the reconnaissance section.
So, let’s get started with our initial nmap scan:
Here we can see that we have 2 ports open, port 22 and port 80. Additionally, we can see some information about the http service running on port 80 and which version it is running: 2.4.29. On port 22 we have an SSH service. Now we’re going to use the GoBuster tool to see if we can find that hidden directory:
And after a short wait we can go ahead and see that /panel/ has shown up… seems like this might be useful! Let’s go ahead and take a look at what the /panel/ offers us:
A file upload! Excellent, so now let’s work on getting ourselves a reverse shell. For this, I’m going to use the popular pentestmonkey php-reverse-shell.
Once downloaded, I’ll need to make sure to replace the IP/port inside to match mine.
An important thing to note, is that a lot of times you will run into issues with uploading a straight .php file, so we’re going to resave the php-reverse-shell.php as php-reverse-shell.phtml instead.
Now we’re ready to upload and to start a netcat listener on the port we selected when we edited the reverse-shell file:
Looks like it was accepted, good thing we used .phtml! Now we will start our netcat listener and go ahead and navigate/execute our reverse shell. We know from our directory enumeration earlier that we can access /uploads/ so let’s go there and make sure our shell uploaded correctly:
Great, looks like it uploaded correctly. Now let’s go ahead and click on it and check back in our netcat window to look for our new shell:
Now we’re looking for a user.txt file that will contain our flag. For this I used find -name user.txt (I assume there is probably a better way to do this, but this ended up working out regardless):
Eventually a result stands out:
And now we can use cat ./var/www/user.txt to get the flag:
Now it’s time to see if we can do some privilege escalation. The room wants us to search for files with SUID permission and take notice of which file is weird. For this we will once again use the Find command, however this time we’re going to refine it a bit better thanks to the help of this great post. So let’s search:
At first I wasn’t sure which file exactly stood out, but luckily TryHackMe provided a format for what I was looking for: /***/***/******. Looks like /usr/bin/python is a great fit so I went ahead and did a search for this on google and came across GTFOBins. This section in particular looked helpful:
Let’s go ahead and try that second command and see if it will work:
Oops, forgot to get rid of the / on my first attempt, but on second attempt success and we can see now that we have root access! Perfect, now let’s find that last flag! For this we will navigate to /root/ and read out the contents of root.txt.
And now we have successfully completed this room. On to the next one!
For more interesting reading, feel free to check out my other blog post: SETTING UP AN UBUNTU LINUX VIRTUAL MACHINE – WALKTHROUGH AND TUTORIAL
Questions, comments, notice a spelling error or a grammatical mistake? Did I provide the wrong information anywhere? Please, feel free to reach out to me either through email or through my contact page on this website!
Thank you for taking the time to read my blog and I look forward to hearing from you!