RootMe CTF | TryHackMe | Nmap, Gobuster & Reverse Shell Guide

Captions
Hi everybody, my name is Ron and welcome to my walkthrough for the room RootMe from TryHackMe. In this challenge I'll be using my own Kali VM, and we'll be using tools such as nmap for scanning and discovering open ports, Gobuster to help us identify hidden directories, we'll also explore techniques for file upload bypass, we'll also be creating a PHP reverse shell, and we'll be using netcat. Now before we jump in: I'm making this video not just to guide you through the challenge but also to reinforce my own learning. I want to share with you my experience and thought process for this challenge. I did enjoy this one; this was fairly simple, straightforward, and I thought the room was well designed. And without further ado, let's get into it.

All right, let's get started with the RootMe room from TryHackMe: a CTF for beginners, can you root me? The difficulty is easy. So first thing, deploy the machine. I already did that and I have about six minutes in, so the machine should be working, and let's go ahead with Task 2, Reconnaissance. First, let's get information about the target. Scan the machine: how many ports are open? So the first thing we're going to do is an nmap scan: -A -sV -sC -oN, let's call it notes, and then the IP address. So briefly, nmap is a powerful open source tool used for network discovery and security auditing. -A enables OS detection, version detection, script scanning and traceroute; it's an aggressive scan option that gathers a lot of information about the target. -sV is version detection: it probes open ports to determine service and version info. -sC runs a script scan using the default set of scripts from nmap's scripting engine, and -oN outputs the results in normal, readable format and saves it to a file called notes. So, scan the machine, how many ports are open? We saw two ports open: 22 and 80.

What version of Apache is running? We have version 2.49. Next question: what service is running on port 22? Typically it is SSH. Find directories on the web server using the gobuster tool; what is the hidden directory? So when you go to the website it looks just like this, so we're going to use Gobuster for directories: this is the URL, and we're going to use the wordlist, which should be in /usr/share/wordlists. So I used gobuster dir, which specifies the mode of operation, in this case set to directory brute forcing, then the URL; -w is the wordlist and here is the path of the wordlist, in my case it's the wordlists for DirBuster, another tool similar to Gobuster. And so far it found /uploads, /css, /js and /panel, and for the sake of this video I'm going to go ahead and stop the search and let you guys know that the directory they're looking for is panel. What is the hidden directory? panel.

Task 3, Getting a shell: find a form to upload and get a reverse shell, and find the flag. Let's look at the hint: search for file upload bypass and PHP reverse shell. File upload bypass: file upload mechanisms are very common on websites but sometimes have poor validation. This allows attackers to upload malicious files to the web server which can be executed by other users or the server itself. This can also happen in authenticated areas of a website. So here it gives you file extensions and alternates: for PHP you can submit .phtml, .php3, .php4, .php5, and so that's what we're going to do. We're going to go ahead and download a shell from GitHub; here's the PHP reverse shell, copy this, download the raw file. Let's go ahead and put this in my THM folder, paste, and let's rename it to, let's do php1, and let's make some changes within the document. So there's really one thing I'm going to change here and that is the IP address: we'll be putting the attacker's IP address, which in my case is my virtual IP address from TryHackMe, that is 10.13... oh, that's 10.12, and we'll keep the port number at 1234.

So we're going to go ahead and save this file. Let's browse, okay, and let's go ahead and upload this reverse shell. Upload, and it looks like it succeeded. Now the next thing we're going to do is start a listener; we will be using netcat. So let's go ahead and open another terminal here and we're gonna nc -lvnp 1234. So briefly, nc stands for netcat; this is the Swiss army knife of networking, a versatile tool used for a variety of networking tasks, from simple file transfers to setting up backdoors. -l is listen mode: this makes netcat act as a server waiting for incoming connections. -v is verbose mode: netcat will provide more detailed output about the connection. -n is no DNS resolution: this tells netcat not to resolve hostnames, working purely with IP addresses. And -p is the port number, and in this case we'll be using port 1234. So now that we have netcat up and running, we'll go to /uploads, because we saw /uploads discovered during our Gobuster enumeration, and we see php-reverse-shell.php1. Now once I click this we should see some action happening on our listener. It looks like it didn't work, so let's rename it to another PHP extension; let's go back to /panel, to .php5, let's give that a shot. We have our listener going still, and let's see if it works this time. Yep, it works this time; I don't know why that .php1 did not work. So let's see, whoami: I am www-data.

Find a form to upload, get a reverse shell and find the flag: we did that, and we are looking for user.txt. So we're gonna look for that user.txt file; we're going to do find on the root, so find / -name user.txt, and let's add 2>/dev/null, and it's in /var/www/user.txt. So we're gonna go ahead and just cat /var/www/user.txt, and there we go.

Okay, next, Task 4, Privilege escalation: now that we have a shell, let's escalate our privileges to root. Search for files with SUID permission; which file is weird? So I'm looking at the hint here, and here is a command that they want us to use. I'm going to add something extra here just because I want it to look a little bit neater. So here are all the binaries with the SUID bit set, and I'm gonna just save you some time and tell you that what we're looking for is /usr/bin/python. And how we can check that this has SUID permission: we can do the following command, ls -l /usr/bin/python; the s that we see here indicates SUID permission. So SUID on the Python interpreter can be a significant security risk: if an attacker can execute Python with elevated privileges, they can run arbitrary code as the file's owner, often root. Always ensure that only necessary binaries have the SUID bit set and regularly audit your system for unexpected SUID files. So to simplify, SUID means a program runs with the privileges of the file's owner, not the person running it. It's like borrowing someone's ID card to enter a building. If Python has this it could be a concern because someone might misuse it. So now that we know that Python has the SUID permission set, we're going to go to GTFOBins and we will look for Python SUID, and we will use the following command. Let's see, whoami... oops, there it goes: I am root. So now we're looking for root.txt, so like before, how we found our first flag: find / -name root.txt, and there it is, it's in /root. cat /root/root.txt, and root.txt is THM privilege escalation. And that concludes the RootMe room from TryHackMe. I thought this was enjoyable, fairly simple, easy to understand; I thought they designed this room in a fun way and it's definitely beginner friendly. Anyways, that's my walkthrough slash review of the RootMe room video. I hope you enjoyed it, I hope you found it useful, and see you on the next one.
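The Task 2 questions in the walkthrough above (how many ports are open, what service is on 22, which Apache version) are answered by reading the nmap -oN file by eye. As an added example that is not code from the video or the room, here is a small parser for nmap's normal-output format that answers them from the saved file. The scan text is a constructed sample in that format: the host address, banners, fingerprint and timestamps are made up for the example.

```python
"""Answer the Task 2 questions from an nmap -oN file instead of by eye.

Added example, not code from the video or the TryHackMe room. SAMPLE_NOTES is a
constructed sample in nmap's normal-output format (what the walkthrough saves
as "notes"); host, banners, fingerprint and times are invented for the example.
"""
import re

SAMPLE_NOTES = """\
# Nmap 7.93 scan initiated Wed Sep 13 12:00:00 2023 as: nmap -A -sV -sC -oN notes 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.050s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: HackIT - Home
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
# Nmap done at Wed Sep 13 12:01:00 2023 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""

# A port line looks like "22/tcp open  ssh     OpenSSH 7.6p1 ...". Script output
# ("| ..." / "|_..."), comments and summary lines do not match and are skipped.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_ports(text):
    """Return one dict per port line: number, proto, state, service, version banner."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": (m.group(5) or "").strip(),
            })
    return ports


def open_ports(ports):
    """Sorted list of port numbers whose state is 'open'."""
    return sorted(p["port"] for p in ports if p["state"] == "open")


def service_on(ports, port):
    """Service name nmap assigned to an open port, or None if it is not open."""
    for p in ports:
        if p["port"] == port and p["state"] == "open":
            return p["service"]
    return None


def apache_version(ports):
    """Version from an 'Apache httpd X.Y.Z' banner on any open port, else None."""
    for p in ports:
        m = re.search(r"Apache httpd (\S+)", p["version"])
        if m and p["state"] == "open":
            return m.group(1)
    return None


if __name__ == "__main__":
    found = parse_ports(SAMPLE_NOTES)
    print("open ports:", open_ports(found))
    print("service on 22:", service_on(found, 22))
    print("apache version:", apache_version(found))
```

Point the parser at your own notes file (`parse_ports(open("notes").read())`) and it answers the same three questions for any box; the version regex only matches the `Apache httpd` banner that -sV prints, so a server hiding its banner returns None rather than a guess.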
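The file upload bypass in Task 3 works because the panel's validation rejects `.php` but not the alternate extensions the hint lists. As an added example (not code from the video, the room or the reverse shell project), here is that kind of blacklist check beside an allowlist check that a practitioner would write instead, run over constructed sample uploads. The extension sets, the image allowlist and the sample filenames are assumptions made for this example.

```python
"""Upload-extension checks: the blacklist the walkthrough bypasses, beside an allowlist.

Added example for this page; not code from the video or the TryHackMe room.
The vulnerable check models a server that only rejects the literal ".php"
extension, so the alternates named in the hint (.phtml, .php3, .php4, .php5)
pass. The hardened check allowlists image extensions, refuses multi-extension
names and sniffs magic bytes. Extension sets and samples are constructed.
"""
import os
import re

# Extensions a PHP module is commonly configured to execute (constructed list).
# Which of these a given Apache actually runs depends on its handler config,
# which is why one alternate can work on a box while another does not.
PHP_LIKE = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps"}

# What a hypothetical image-upload panel should accept (assumption).
IMAGE_ALLOWLIST = {"jpg", "jpeg", "png", "gif"}

# Magic bytes for the allowed formats: JPEG, PNG, GIF87a, GIF89a.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")


def naive_is_allowed(filename: str) -> bool:
    """Vulnerable: blacklist that only blocks the exact last extension 'php'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext != "php"


def hardened_is_allowed(filename: str, content: bytes) -> bool:
    """Allowlist: one known image extension, strict name, matching magic bytes."""
    base = os.path.basename(filename)
    # Exactly one extension and safe characters only; this rejects
    # shell.php.png, shell.png.php5, dotfiles and path tricks in one go.
    m = re.fullmatch(r"([A-Za-z0-9_-]+)\.([A-Za-z0-9]+)", base)
    if not m:
        return False
    ext = m.group(2).lower()
    if ext in PHP_LIKE or ext not in IMAGE_ALLOWLIST:
        return False
    # The bytes must look like the format the extension claims.
    return content.startswith(IMAGE_MAGIC)


def compare(samples):
    """Return {filename: (naive_verdict, hardened_verdict)} for (name, content) pairs."""
    return {name: (naive_is_allowed(name), hardened_is_allowed(name, data))
            for name, data in samples}


# Constructed sample uploads: a PNG header, and a PHP payload under each of
# the extensions the walkthrough tries.
PHP_PAYLOAD = b"<?php system($_GET['c']); ?>"
SAMPLES = [
    ("cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("shell.php", PHP_PAYLOAD),
    ("shell.phtml", PHP_PAYLOAD),
    ("shell.php5", PHP_PAYLOAD),
    ("shell.php.png", PHP_PAYLOAD),
    ("shell.png", PHP_PAYLOAD),  # right extension, wrong bytes
]

if __name__ == "__main__":
    for name, (naive, hard) in compare(SAMPLES).items():
        print(f"{name:14} blacklist={'allow' if naive else 'deny':5} "
              f"allowlist={'allow' if hard else 'deny'}")
```

Magic-byte sniffing only raises the bar (a valid PNG with PHP appended still starts with the PNG header), so the allowlist should be paired with storing uploads under a server-generated name and serving the upload directory without script execution; then even a file that slips through is never run.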
Info
Channel: RonR1337
Views: 278
Id: A6AY4AExXhA
Length: 12min 14sec (734 seconds)
Published: Wed Sep 13 2023