Question 1: Scan the machine, how many ports are open?
Question 2: What version of Apache is running?
Question 3: What service is running on port 22?
Reconnaissance
The journey begins with minimal information: only the knowledge of an IP address. The first logical step is to gather more information about the target. This is where Nmap, a powerful network scanning tool, comes into play. We initiate an initial scan with the following command:
'nmap -sS <targetIP> -sV'
-sS: This option specifies a SYN (half-open) scan, a fast and common scan type used for identifying open ports on a target system. It sends SYN packets to the target ports and classifies each port by the response (SYN/ACK for open, RST for closed). Because it crafts raw packets, it needs root privileges, so run Nmap with sudo.
-sV: This option enables version detection, which attempts to determine the service and version running on the open ports. This information can be crucial for identifying potential vulnerabilities or misconfigurations.
The reason for starting with this command is to quickly identify which services are running on the target system and gather information about their versions. This initial scan helps you understand the attack surface and may reveal services that are ripe for further exploration and exploitation.
Answer 1
2
Answer 2
2.4.29
Answer 3
SSH
Question 4: What is the hidden directory?
Web Enumeration
With knowledge of the web server's presence, we delve into web enumeration to identify potential entry points. Gobuster, a directory and file brute-forcing tool, is used to discover hidden directories. Here's the command used:
'gobuster dir -u http://<targetIP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt'
This command will search for hidden directories and files on the website using a medium-sized wordlist.
During this enumeration, a promising discovery is made: a directory named '/panel' is found, hinting at the possibility of uploading files.
Answer 4
/panel
Question 5: Find a form to upload and get a reverse shell, and find the flag.
user.txt
Reverse Shell Upload
The '/panel' directory offers an opportunity to upload files. We decide to leverage this to gain control of the system. A PHP reverse shell, conveniently available on GitHub (PentestMonkey's repository), is downloaded. We modify the IP and port within the shell script to match our own setup. The PHP shell is then uploaded via the '/panel' form.
It's important to note that the initial upload may fail if the server only accepts a specific PHP version (e.g., PHP5), as was the case here.
Remote Access
With the PHP reverse shell successfully uploaded, we first start a listener on our own machine on a port of our choice (here 9999), then navigate to '/uploads' on the web server and open the uploaded file to execute the shell. This establishes a connection back to our listener, allowing us to interact with the target system remotely.
'nc -lvnp 9999'
Flag Retrieval
Our primary goal in CTF challenges is often to locate flags. To find the user flag, we use the 'find' command to search for files named 'user.txt' throughout the system:
'find / -type f -name user.txt'
This command successfully leads us to the location of the user flag.
Answer 5
THM{y0u_g0t_a_sh3ll}
Question 6: Search for files with SUID permission, which file is weird?
Privilege Escalation
To elevate privileges and gain root access, we employ another 'find' command to search for files with the SetUID (SUID) bit set. This bit causes an executable to run with the privileges of the file owner (often root) rather than those of the user who launches it. The command used is as follows:
'find / -type f -user root -perm -4000 2>/dev/null'
-perm -4000: This part of the command specifies the permission filter. In Unix-based systems, the SUID (set user ID) bit appears as a leading 4 in the numeric mode (for example 4755). The leading minus in -4000 tells find to match any file whose mode includes the SUID bit, whatever the other bits are; a bare '-perm 4000' would only match files whose mode is exactly 4000 and would miss real binaries. This is a common way to identify potentially interesting files for privilege escalation, and also the way an administrator audits a system for unexpected SUID binaries.
2>/dev/null: This part of the command is a redirection. It sends standard error (file descriptor 2) to /dev/null, which discards the "Permission denied" messages produced for directories our user cannot read. Only the search results (i.e., files with the SUID bit set) are displayed, making the output cleaner and more focused on the task at hand.
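The same 'find' filter is what a defender runs to spot an anomalous SUID binary such as the one this task asks about. The script below is an added example, not part of the original writeup: it lists SUID files under a directory and diffs them against a known-good baseline so any new entry stands out. The function names and the baseline file format (one path per line) are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit SUID binaries and
# compare them against a known-good baseline so an unexpected entry such as
# a SUID /usr/bin/python is reported.

# List regular files under $1 that have the setuid bit set, sorted.
# The leading '-' in -perm -4000 matches any mode that includes the SUID
# bit (4755, 4711, ...); a bare 4000 would only match a mode of exactly 4000.
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Compare the current SUID list under $2 against the baseline file $1
# (one path per line). Prints '+path' for SUID files not in the baseline and
# '-path' for baseline entries that are gone. Returns 1 on any drift, 0 if
# the system matches the baseline.
suid_diff() {
    base_sorted=$(mktemp); current=$(mktemp)
    sort "$1" > "$base_sorted"
    find_suid "$2" > "$current"
    # comm -3 keeps only lines unique to one side: column 1 (no leading tab)
    # is baseline-only, column 2 (one leading tab) is current-only.
    drift=$(comm -3 "$base_sorted" "$current" |
        awk -F'\t' '$1 != "" { print "-" $1 } $1 == "" { print "+" $2 }')
    rm -f "$base_sorted" "$current"
    [ -n "$drift" ] || return 0
    printf '%s\n' "$drift"
    return 1
}
```

Run 'find_suid /' once on a freshly built host to create the baseline, then schedule 'suid_diff baseline.txt /' and alert on a non-zero exit.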
Answer 6
/usr/bin/python
We discover an interesting executable in the results: '/usr/bin/python' (the answer to question 6). A Python interpreter should never carry the SUID bit, which is what makes it "weird". To escalate our privileges further, we reference GTFOBins, a resource that catalogues how common binaries can be abused when they are SUID or sudo-enabled, and use the command listed in its python entry. The '-p' flag keeps the elevated effective user ID instead of dropping it, giving us a root shell.
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
Question 7: What's the root flag?
root.txt
Root Flag Retrieval
Finally, with root-level access, we navigate to the root directory using the
'cd /root'
command and retrieve the root flag using
'cat root.txt'
Answer 7
THM{pr1v1l3g3_3sc4l4t10n}
The RootMe CTF challenge takes us on a journey from minimal information to full control of the target system. Through reconnaissance, web enumeration, reverse shell upload, and privilege escalation, we successfully retrieve both the user and root flags, demonstrating the importance of a systematic approach and a solid understanding of common penetration testing tools and techniques.