TryHackMe! RootMe - Uploading Shells & SUID // CTF (Easy)

Captions
Hello, hello. In this video we're gonna do the box called RootMe on the TryHackMe platform, so stick around. If this is the first time we're meeting, welcome to my channel. My name is Jon Good, and here I get to spread my passion for cybersecurity training, tips and tricks, and career advice to help you go further. Make sure that you hit the subscribe button and the bell icon so you don't miss future content, and make sure to leave a comment for the YouTube algorithm. Also check out my website at johngood.com, where you can find career coaching, consulting services and training. Check out my YouTube membership program by clicking the join button down below, and you'll see the different tiers that are available. Also check out my getting started page, where you can grab a free copy of my ebook on cyber security careers.

Alright, so to find the box, what we're gonna do is we're gonna go to TryHackMe, and then we're gonna go to Learn and then All Rooms. We're going to go to Free Only, because it's the free only box, and then we're going to go CTFs, and then we're going to go to Easy. Again, we're going to do the RootMe box, so we'll click that, and just like any box on here, or any room, you have to join that room first, and we'll go ahead and hit Start Machine. Now, I'm going to use the AttackBox within the browser to do this, but you can of course use your Kali instance and connect that way as well. And so we'll go ahead and start this, and we'll check back once this is done.

All right, now the box is launched, so let's go ahead and get started here. So we'll hit complete on here because we did that, and now it wants us to scan the system. So let's open up the terminal window here, and the IP address that we need is right here. So let's do nmap, we'll do -Pn because we know the box is up, and we'll do -A 10.10.77.207. Now this -A, that's going to do a lot of initial enumeration, so things like service checks and looking for the version and the open ports.

All right, so that's done. Now the first question is how many ports are open on the box. So we see SSH on port 22, HTTP on port 80, and that's it, so we have two ports. Let's go ahead and put two in here and submit that. And then, which version of Apache is running? 2.4.29. Let's put that in here, submit that. Which service is running on port 22? We have SSH running on port 22, so let's put ssh in here.

Now it wants us to run gobuster against the web browser, so let's go ahead and let's copy the IP address, and we will open up a new tab, and we'll do gobuster. We're going to search directories. The wordlist that we're going to use is going to be /usr/share/wordlists, and this is the one that I always use, so we will use the small version of this one, and then the URL is gonna be that. All right, let's go ahead and hit enter and search this. Okay, so pretty quick results here. So we have uploads, and we'll make this bigger here so you can see it. So we have uploads, we have css, js and panel. Now it completed on this because we scanned it. What is the hidden directory? So I'm going to guess that it's panel, because these other ones probably are visible. So let's go ahead and put panel in there, and that was correct. Awesome.

All right, so let's go ahead and go to the actual URL here. We will open that link, and this is the main page here. So we're going to go to that panel website. It's an uploadable page, so let's go ahead and let's find out what we can upload into here. So let's make this full screen here, and actually, let's see here, it wants us to find a flag once we do that. All right, so let's minimize that, and what we're going to do is we're going to upload a shell into here. So there are some pre-loaded shells that we can use, so if we look at /usr/share/webshells and php, there is this PHP reverse shell. So what we're going to do is we're going to copy that to our desktop and we're going to call it shell.php.

Right, now there are some modifications that you have to make to that shell. So first of all we need to get our IP address, so let's do ifconfig, and our IP address is right here, so we'll go ahead and copy that. And let's do vi shell.php so we can edit this file. Right, and we're using the down arrow to scroll down here, and we need to modify this variable here. So I press i to insert, and we're going to put in our IP address here. I do Control-Shift-V, that inserts that IP address that we just copied. We'll hit Escape, and then Escape one more time, because it's in the browser and it gets kind of weird. Then we'll hit Shift-colon and then wq for write quit. That's going to save that IP address to that file.

All right, so let's make this big again here. All right, so let's go ahead and upload that shell to the actual victim. So we'll do that shell.php that we just modified, and we'll hit upload. Not permitted, not allowed. Well, that's not helpful. So what kind of file types can we actually upload? Well, there's a quick and easy way to do this. Of course you can change the extensions on the actual file, but if there's a lot of different extensions that you want to try, I have a better way to do it.

I hope that you enjoyed the content in this video so far. If you are, make sure to hit the subscribe button and the bell icon so you don't miss future content. If you have any questions, let me know down in the comment section below. Alright, let's get back to the content.

Let's go ahead and open up Burp Suite, and we're not going to update, we're just going to use the default settings here, so we'll hit Next and Start Burp. And we'll go back to our web browser here, and actually, first we're going to go to the Proxy tab, and intercept is on, so we just want to make sure that that's turned on. And we're gonna go to browse, and actually, before we do that too, so FoxyProxy, we need to actually enable Burp Suite to capture our traffic, so we'll select Burp here. And then now we will go ahead and try to upload that again, so we'll browse to it and we'll hit upload. Burp is going to capture our traffic here, so we'll go back to Burp and we're going to go ahead and forward all this on. We can turn this off now, so we'll turn that back on, and we'll go to the HTTP history.

So we're going to look at this, and this is our shell.php. So what we're going to do is we're going to right click on this traffic, we're going to send it to Intruder. We'll go to the Intruder tab and we'll go to Positions. Now we're going to hit Clear, because that's going to clear out all the things that can get modified. We're going to select php from our file that we tried to upload and we're going to hit Add. You want to make sure this is Sniper, because it's going to mess with one variable, one section. And then we'll go to Payloads, and in this payloads option, this simple list, we're going to add some file type extensions. So we're going to do text, txt, we're going to do php5, and we'll do bak just for the heck of it, right. And then we're going to start our attack, and the Community version is saying it's going to throttle certain attacks or certain things. We'll hit OK, it's not going to affect us. And actually, what we need to do as well, we need to actually add php in here so you can see the difference. So we'll do php, we'll add that, and we'll hit Start Attack.

All right, so you can see with the length here, there's different lengths. For php, we know that got rejected, it's got a different length than the other ones. So these ones, this txt, bak and php5, those are successful. So now if we go back to our web browser we can go to the uploads folder, and we need to turn off our proxy. So if we go back to Burp and intercept, we can turn that intercept off, and we're actually done with Burp, so we can go ahead and close out of that as well, and turn off our FoxyProxy as well. So we can see php5 was uploaded.

So what we're going to do now is we are going to turn on netcat, so nc -nlvp 1234, because that was the port that's set in that file where we modified our IP address. So we'll hit return, go back to our web browser, and we will execute this file. And there you go, now we have a shell for the user level on the box. Great, so we'll go ahead and minimize that and we'll make this bigger here. Awesome.

So now we need to find the user.txt file, because that's going to have the flag in it that we need. So we're going to do find, we're going to do type, we're going to look for files, and we're looking for something with the name user.txt. And we got a whole bunch of other stuff here. So a quick way to get rid of all that stuff: if you do find, type file, name user.txt, and then we direct everything else to null. Here we go, so that is the location of our flag that we need for the user. So if we do cat var, and then we do that file, we can see the actual flag. All right, so if we go back here and we put that in here. All right, awesome.

And now what's the next section? We need to search for files with the set UID permission. All right, so basically with the set UID permission, that means that you can run files or scripts or whatever as that user that owns it, so it can be very dangerous. So let's go ahead and go back to our window here, and we're going to type find, type file again, going to look for user root, so something that's owned by the root, with the permissions of set UID, and then we're going to send everything else to /dev/null. Right, so these are all the files that have the permission set UID on them. Okay, so let's look through these real quick here. Now this one right here is particularly interesting, so let's think about that. And then also too, another possible quick thing that you can do too on some of these boxes is if you do sudo -l, that will tell you if you can run sudo commands, so if you can run things as root. You can't on this box, so it's fine, but that's just another thing to be considerate of.

Since we have the Python that we can run as a set UID, that's pretty interesting. All right, so we're going to bring in another web browser here, and we're going to go to Google, and we're going to search for GTFOBins. All right, and we'll select this first option here. So we're going to search for python, right, and we're looking for the set UID, or the SUID. So we see this right here. Okay, so what we want to do is we want to copy this, and we'll go back to our window here. And actually, let's go back in here real quick to the questions here. The thing that we think is weird is /usr/bin/python. That's correct, so we definitely need to use that. So we'll go back here, and it's not going to let us paste that command in there, unfortunately, so we'll type it in here. Python, and there we are, we are now root user. Awesome.

So we'll hit completed on here for that, and now we need to find that root flag. Same thing, it's going to be root.txt. So we're going to do find, we'll look for a file, and it's going to be called root.txt. Right, so there is the file right there, and we're going to go ahead and we're going to cat the contents of that out. So cat, and then there we go. Put that in here, and because I'm using the browser version it's a little bit weird with the copy paste, sometimes it doesn't work, which is unfortunate, so it might be a reason to actually use a real instance of Kali. But we'll hit submit on here, and hopefully I typed that right. There we go, successfully compromised this box, and you can share it to Twitter, Facebook, LinkedIn, whatever you want.

Question of the day: going through this box, were there some common issues that you had? Let me know down in the comment section below. In this video we went through the RootMe box on the TryHackMe platform. As always, make sure to subscribe, hit the bell icon, and leave a thumbs up for this video if you enjoyed it, and I'll see you next time.
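Added example (not from the video or the room): the upload form in the walkthrough rejected `.php` but accepted `.php5`, `.bak` and `.txt`, which is how a denylist behaves. The Python sketch below compares an assumed one-entry denylist with an allowlist check that also renames the stored file; `BLOCKED`, `ALLOWED` and the sample filenames are constructed for illustration.

```python
import os
import secrets
from typing import Optional

BLOCKED = {".php"}                          # assumption: the filter rejects this one extension
ALLOWED = {".png", ".jpg", ".gif", ".txt"}  # hypothetical allowlist for this example

def denylist_accepts(filename: str) -> bool:
    """Weak check: accept anything whose final extension is not on the blocklist."""
    return os.path.splitext(filename)[1] not in BLOCKED

def safe_stored_name(filename: str) -> Optional[str]:
    """Strict check: return a server-chosen storage name, or None to reject."""
    base = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in base or base.startswith("."):
        return None                         # NUL tricks and dotfiles such as .htaccess
    parts = base.lower().rstrip(". ").split(".")
    if len(parts) != 2 or not parts[0]:
        return None                         # exactly one extension: rejects shell.php.jpg
    ext = "." + parts[1]
    if ext not in ALLOWED:
        return None
    # Never reuse the client's name: a random name breaks guessable upload URLs.
    return secrets.token_hex(16) + ext

def compare(names):
    """Map each filename to (denylist verdict, allowlist verdict)."""
    return {n: (denylist_accepts(n), safe_stored_name(n) is not None) for n in names}

# Constructed sample filenames, including the extensions tried in the video.
SAMPLES = ["shell.php", "shell.php5", "shell.bak", "shell.txt",
           "shell.PHP", "shell.php.jpg", "photo.jpg"]

if __name__ == "__main__":
    for name, (weak, strict) in compare(SAMPLES).items():
        print(f"{name:15} denylist={'accept' if weak else 'reject':6} "
              f"allowlist={'accept' if strict else 'reject'}")
```

Extension checks are only one layer: the upload directory should also be configured so the web server never passes its files to the PHP interpreter.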
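Added example (not from the video): the same SUID search, written as a defender's audit that walks a tree and flags SUID files that are script interpreters, since a set-UID Python is what gave root on this box. The `INTERPRETERS` watch list and the sample tree (including the name `python2.7`) are constructed for illustration.

```python
import os
import stat
import tempfile

# Assumed watch list for this example: interpreters that should never be SUID.
INTERPRETERS = ("python", "perl", "ruby", "php", "bash", "sh", "node")

def is_interpreter(name: str) -> bool:
    """Match python, python3, python2.7 ... by stripping version suffixes."""
    return name.rstrip("0123456789.") in INTERPRETERS

def audit_suid(root: str):
    """Return sorted (path, owner_uid, is_interpreter) for every SUID regular file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)         # lstat: do not follow symlinks
            except OSError:
                continue                    # unreadable or vanished: skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                findings.append((path, st.st_uid, is_interpreter(name)))
    return sorted(findings)

def build_sample_tree() -> str:
    """Constructed sample: three placeholder files, two of them SUID."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("passwd", 0o4755), ("python2.7", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)                # set the mode after writing
    return root

if __name__ == "__main__":
    for path, uid, risky in audit_suid(build_sample_tree()):
        label = "REVIEW: interpreter with SUID" if risky else "ok"
        print(f"uid={uid} {path} [{label}]")
```

On a real host, point `audit_suid` at `/` and treat any flagged entry owned by uid 0 as a finding: the fix is removing the SUID bit from the interpreter.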
Info
Channel: Jon Good
Views: 5,989
Keywords: burp, ctf, cyber security, cybersecurity, ethical hacker, ethical hacking, ethical hacking career, ethical hacking for beginners, ethical hacking training, ethical hacking tutorial, ethical hacking tutorials, ethical hacking tutorials for beginners, hacker, hacking, kali linux, penetration testing, rootme, rootme tryhackme, rootme tryhackme walkthrough, rootme writeup, tryhackme, tryhackme ctf, tryhackme room, tryhackme root me walkthrough, tryhackme rootme, tryhackme walkthrough
Id: _l3sadte0jg
Length: 15min 43sec (943 seconds)
Published: Fri Aug 20 2021