TryHackMe: RootMe CTF Walkthrough (Boot2Root)

ryotsu
Oct 10, 2021

So, let's get into it!

$1 - First, deploy the machine on TryHackMe.

$2 - Scanning and Enumeration (Reconnaissance)

Let's scan the machine with nmap using the command:

nmap -A -T4 <IP-Address>

So, here we get 2 ports open:

ssh - 22

http - 80

After this scan we are able to answer some of the questions:

2.1 Scan the machine, how many ports are open?

Ans: 2

2.2 What version of Apache is running?

Ans: 2.4.29

2.3 What service is running on port 22?

Ans: ssh

When we open the web server on port 80 we get a website that challenges us to root it.

And we have accepted the challenge!

Now let's do some directory busting to find hidden files; for that I used Gobuster.

Gobuster:

gobuster dir -u http://<IP-ADDRESS>/ -w <PATH_TO_WORDLIST>

Here we got 2 interesting directories:

1 - /panel

2 - /uploads

Here are the screenshots of these web pages (images not included): 1 - /panel/, 2 - /uploads

So, here we got the answer for question 2.4.

2.4 — What is the hidden directory?

Ans- /panel/

$3 - Getting a shell

When I uploaded a file through the /panel/ directory, it became accessible from /uploads/. So let's upload a PHP reverse shell via /panel/ and execute it from /uploads/, which should give us a reverse shell on the machine. You can also check out the room's hints for more clarification.

Here is the link to a good PHP reverse shell which I used while solving this machine.

Download this reverse shell and change $ip and $port to match your attacking machine.

Note: don't put your device's local IP in the IP address field of the reverse shell; you have to use the IP address assigned to you by the VPN, since that is the address the target can reach for the reverse connection.

When I tried to upload the PHP reverse shell, the page showed "PHP is not allowed!", so we are not allowed to upload anything with the .php extension.

We will rename the script with the following command to bypass the file upload restriction (the filter only rejects the .php extension, but the server still executes .phtml files as PHP):
mv php_reverse_shell.php php_reverse_shell.phtml

To understand file upload restrictions, refer to this link: https://sushant747.gitbooks.io/total-oscp-guide/content/bypass_image_upload.html
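The restriction above is an extension blacklist that only knows the literal .php suffix, which is why a rename defeats it; the server-side fix is an allowlist that validates every suffix and the file content, and stores the upload under a server-chosen name. The snippet below is an added example, not code from the RootMe room or from TryHackMe, contrasting the two checks; the allowed image types and magic bytes are an assumed policy for an image-only upload panel.

```python
import secrets
from pathlib import PurePosixPath
from typing import Optional

# Assumed policy (not from the room): allowed suffixes for an image-only
# panel, and the magic bytes a file of each type must begin with.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
MAGIC_BYTES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
CANONICAL = {".jpeg": ".jpg"}  # .jpeg and .jpg are the same type


def weak_check(filename: str) -> bool:
    """Models the behaviour the post observed: only a literal '.php' suffix
    is refused, so any other PHP handler extension slips through."""
    return not filename.lower().endswith(".php")


def _detect_type(content: bytes) -> Optional[str]:
    """Extension implied by the content's magic bytes, or None if unknown."""
    for magic, ext in MAGIC_BYTES.items():
        if content.startswith(magic):
            return ext
    return None


def hardened_check(filename: str, content: bytes) -> bool:
    """Allowlist check: ignore path components, require every suffix to be an
    allowed image type (so 'x.phtml' and 'x.jpg.phtml' both fail, and names
    with no suffix such as '.htaccess' fail too), and require the content's
    magic bytes to agree with the final suffix."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes or any(s not in ALLOWED_EXTENSIONS for s in suffixes):
        return False
    detected = _detect_type(content)
    if detected is None:
        return False
    return CANONICAL.get(suffixes[-1], suffixes[-1]) == detected


def stored_name(filename: str, content: bytes) -> Optional[str]:
    """Name to store an accepted upload under: a random token plus the
    extension implied by the content, never the client-supplied name."""
    if not hardened_check(filename, content):
        return None
    return secrets.token_hex(8) + _detect_type(content)
```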

We have successfully uploaded the script. Next, we start a netcat listener. I am using port 5555, which I have already set (together with the host IP of my machine) in the script we uploaded.

We are listening on port 5555.

To get the reverse shell, we need to execute the uploaded file from the /uploads/ directory of the website.

After executing the script we get the reverse shell at our netcat listener.

Now let's find the user flag on the machine using the command:

find / -type f -name user.txt | grep user

And we got it:

Navigate to /var/www/user.txt.

4.1 user.txt

Ans- THM{************}

$4 - Privilege escalation

Now it's time to get the root flag; for that we need to do privilege escalation.

The CTF already gives us hints for this.

To look for files with the SUID bit set we can use the command:
find / -type f -perm -u=s 2>/dev/null

Here /usr/bin/python looks juicy and interesting, so we have the answer for the next question.

4.1- Search for files with SUID permission, which file is weird?

Ans- /usr/bin/python

Now let's go to my favourite place for privilege escalation, GTFOBins, and search for python.

From GTFOBins we got the payload for the python SUID method:

python -c 'import os; os.execl("/bin/sh", "sh", "-p")' 

Always read the description before copying commands. We can skip the first command as the binary already has the SUID bit set. Copy the second command and paste it into the shell to see if it works; remove the ./ from the command (since /usr/bin/python is already in PATH) and run it.

Yes! It worked, we got the root shell.

Now let's go to the root folder and get the root flag.

Use the following command and you will get your root flag:

cat root.txt

4.3 root.txt

Ans — THM{*****************}

Congratulations! We have completed the CTF challenge, and it was great working with you.

If you liked the post and it helped you in any way, let me know in the comments or share the love with claps.
And if you have any doubts, kindly ask in the comments.

Thank you for reading. Have a good day!


ryotsu

I am a techie interested in cyber security | OSCP aspirant