TryHackMe:RootMe

5 min readDec 21, 2020

It is the one the easiest challenge in web application penetration testing part on tryhackme.

TryHackMe is one of the best platform for the beginners as you get hints from the questions itself that are asked in the room. Also if you are stuck somewhere you can go to write-ups section and find out what to do!!
Only the thing is:
You should practice and solve the solved!!

One deals with basic scanning, directory and file enumeration, should know basic file upload vulnerability and sticky bits in linux systems.

I got the IP:10.10.252.136

One of the most basic and most important task of penetration testing is scanning the machine.

NMAP plays the most important role when it comes to scanning the machine. for what type of services are running on it and what are their versions.

So,
nmap -A -T4 -p- 10.10.252.136

Only two ports were opened on the machine 22 and 80!!
Apache 2.4.29 is running on the machine.

This my buddy command!!❤❤
And if you want to scan the UDP ports, add flag -sU in the command.

Analyzing the source code of the web application is also one the most sensitive part of penetration testing.So always analyze the code using CTRL+U.

Next part in routine is directory enumeration…..
You can use any tool like dirbuster,gobuster,dirsearch..

I will use dirsearch as its less time consuming and also i’m in love with its interface..🤣

So I got some of the hidden directories!!

Lets see them one by one!!

/index.php/login

YES I CAN ROOT YOU!!!!😁😁😁😁

Nothing in this!!!

2. /js/

I thought that i need to reverse the js file to get into the admin area.
But it didn’t have anything important in it.So lets go ahead.

3. /panel

Now this seems intersting…
This can be vulnerable to arbitrary file upload vulnerability!!!

Most basic and best type of malicious file uploaded on the web-applications are PHP file or shells.
So I think that I should go for b374kshell!!!
Its one of the best in our php shells arsenal.

So I downloaded the b374k shell.
Now while uploading the shell b374k.php on the application gives me the error that it cant be uploaded.

So *.php cant be uploaded!!!!

Next I tried using the null byte (%00) like b374k.php%00.txt
Because anything after null byte is not read or is not considered!!
So my file will become b374k.php
Its just to trick the filter or to bypass it!!

So the file got uploaded but it didnt’t get executed!!!

Next I thought of double extension….
i.e. renaming the file as b374k.php.php5

So my file got uploaded, lets see if it gets executed!!

Yes it got executed✌✌✌

Congratulations, You got the admin access!!!

Now you can cat out the user.txt flag!!! in /var/www.

Now its time for escalating the privileges!!!

At this point after traversing through different directories I got nothing!!!
So thought of getting the hint from thetryhackme’s room’s questions!!
THAT’S TRYHACKME FOR YOU!!!

What is this command: find / -user root -perm /4000?
→ ‘find’ is used to search the location or path.
→ ‘/’ is used to find the path starting with ‘/’
→ -user root means only root user.
→ -perm is the flag for permission whose value is 4000!!

Now what is this 4000???
After Googling , i got to know that 4000 is the permission for SETUID.
It is denoted by ‘s’.And “WE” can set it!!!

Wondering what is SETUID!?!?
Setuid, Setgid and Sticky Bits are special types of Unix/Linux file permission sets that permit certain users to run specific programs with elevated privileges.(from google)
SETGID has permission 2000.
If we want to find file with both 2000 and 4000 permissions we can search for file with permission 6000.

I copied the command and pasted in my php shell’s terminal!! and hit enter!

Here i got so many files, directories!!! with permission 4000.