Skip to content

TryHackMe’s RootMe Realistic Write-up

Walk-through of TryHackMe’s RootMe Room.

The room can be found here; go give it a try! https://tryhackme.com/room/rrootme

This is my first real blog post and realistic write-up of a TryHackMe room. I’m going to walk-through my process of the room RootMe. Welcome!

RootMe seems to be a room designed to implement some of the early strategies we learn on TryHackMe. We use NMAP for recon, GoBuster for web server directory discovery, a simple file-format bypass, a reverse shell, and SUID Linux permissions. Let’s get into it!

First, just like most TryHackMe rooms, we need to deploy the machine. If you don’t know how to do that, head back to the OpenVPN room first and get comfortable deploying machines. You’re going to need it if you’re going to continue learning on TryHackMe.

Once the machine has deployed and you have an IP address we’re going to run NMAP to find open ports. NMAP is a very useful tool that you will use often so it’s worth learning it’s many options. Today though we are just going to use the -sV and -v options. -sV probes open ports to determine service/version info, which will give us the answer to the first few questions. -v is just to make NMAP more verbose which helps us see what it’s doing. It’s not necessary but I like it.

NMAP code to find open ports and running services

After running this code you should get an output about 30 lines long explaining what NMAP did. It’s probably worth reading through since we’re here to learn, right? If you get an error, try to fix it. A common error is NMAP not being able to resolve the IP address. If that happens ping the IP address to see if you are connected. If Ping can’t see the room you might need to make sure you’re connected, it’s probably worth going back to step 1. (or comment below and I’ll try to help)

In the NMAP output there should be a couple lines that look similar to this:

NMAP output showing open ports and service versions

Congrats! You can now answer the first three questions in Task 2!

Now for the fun part: the actual hacking! Looking at the two open ports we see an ssh and an http service running. We could try to connect to the ssh service on port 22 but it’s worth checking out the http service first. What does http make you think of? If you said “the internet” you’re on the right track. HTTP (hypertext transfer protocol) is the protocol for transmitting HTML and other website stuff. In other words, it’s a website! To access it we simply type the IP address of the room into our web browser and it should bring up a site that types out root@rootme:~#.

Cool. Great, I hear you say. It’s just a web page that doesn’t do anything. Yippy.

You’re right! Kinda. Let’s find out if there is anything else on this website that’s hidden. GoBuster is a tool that’s built into Kali (you’re using Kali, right?) that brute-forces websites to try and find hidden pages. Basically it sends repeated requests to the website using a wordlist you specify to guess page names. You can learn more here: https://www.kali.org/tools/gobuster/

The command I ran is here:

GoBuster command to brute-force site pages

The dir -u command tells gobuster to use directory enumeration mode and the website to attack (in our case the IP address of the room). -w tells gobuster the location and filename of the wordlist we are going to use. I kinda randomly picked this one — from the included wordlists in Kali — because the list is shorter and this is a simple room. I didn’t expect the page we are looking for to be hard to find. I figured any one I picked would probably include the word we need. If the file you pick doesn’t find anything, try another. It’ll find it eventually. (probably)

Gobuster is going to run for a long time, especially if you pick a file with lots of words. Fortunately it tells us as it finds sites, so feel free to try them in the answer box as they pop up. You can kill gobuster with ctrl+c when you get the right one.

Navigating to the secret page you discovered in the web browser brings us to a file upload page. That’s interesting! I wonder if we can upload a malicious file and get it to run on the web server? I can already hear you ask, “how do we know what to upload?! Are we just supposed to guess?!” I mean, kinda. You can google Apache webserver and figure out what kind of scripts it can run. (lua, php, perl, and probably others, idk) Fortunately the hint next to the question tells us what to google. The first thing we need to do is find a reverse shell script. Obviously if we weren’t script kiddies we would write our own, right? But since we either don’t know how or don’t want to spend the time we’re just going to google it.

About here is where I should say NEVER RUN CODE YOU DON’T UNDERSTAND!!!! Especially if you download it off the internet. I strongly suggest you read through any code you find and do your best to understand what it’s going to do. We’re hackers dealing with hackers. Sometimes hackers do questionable things. Trust nobody, including me!

That being said I ran the code from here: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

I simply copy the text and paste it into a new file on my computer. Call it something like php_reverse_shell.php and upload it to the website. When you did that did you get a big red block that said something angry in Spanish and when you checked the uploads page there was nothing? What the hell, this was supposed to be easy?! Congrats, you found the file upload filter. It filters out file types that might be malicious code, very much like the malicious php file we just tried to upload. At least it’s good at it’s job, right? Well, kinda. It turns out it’s only checking for some common file types (which is why the hint suggested googling “file upload bypass”). After googling around you should find that we can try alternate php file types to try and bypass the filter. Change your reverse-shell file to a different file type and give it a try. If you get a green box that says something happy in Spanish you found one that works.

(If you don’t understand Spanish, did you find a way to translate it? If not, why not. You’re hackers, always understand error messages)

As you know you need a listener on your machine to catch the reverse shell. Netcat is great for that. Running:

Netcat code to catch the reverse shell

should work. -l (that’s a lowercase L) opens the listener. -v is verbose so we can see what it’s doing. -n only listens for ip addresses not dns. I don’t think that’s important here but I usually use it so we’re using it today. -p specifies the port we’re listening on.

Now that we have a listener running we just need to run the file we uploaded. Navigate to the upload page we found with GoBuster (you did find that, right?) and click on the file you uploaded. Did your listener catch the shell? If so, good job, skip to the next paragraph! Did you get an error that mentions something like Failed to Daemonise…? Yeah, that’ll happen. I have a couple likely possibilities for why that happened. It’s quite possible you didn’t heed my warning above and didn’t read through the code before running it. Is that you? Do you feel bad? Go back and read the code. If you did read the code and it still didn’t work I’m guessing the problem is with these lines:

reverse shell code that needs to be correct

Obviously the port is the port your listener is listening on, but what is the ip? A common error is to use the room’s ip. That’s not going to work. That’s sending the reverse shell to the webserver, which isn’t listening and doesn’t care. You want your ip address (which you can find with ifconfig on Linux or ipconfig on Windows) If you are using a virtual machine and openvpn there will be a tun0 block. Use that IP address. (it took me quite a bit of googling and reading TryHackMe forums to figure that out) Change the reverse shell to the correct ip address and port number, reupload it, and try to click on it again. It should work now.

Now that you have a shell we need to find the user.txt file. The simplest way is to use “find” to search for it. If you aren’t familiar with the find command in Linux I strongly suggest you read up on it. It will help you so much today and in the future!

find command to search for the file

You’ll get a long list of files, most of which will say permission denied at the end. Somewhere in the middle will be the file you’re looking for. If you’re feeling a little more comfortable with linux you can use grep to filter out the file you want. Feel free to play around with grep; it will simplify your life so much!

grep to find the file you want

Use cat to read the file and copy and paste it into the answer box. Yay! First one found! Half way there!

Now for a tricky part. We need to escalate to root privileges. Fortunately the questions give us a very strong set of hints. SUID permissions mean that when the file is run it’s run with the permissions of the owner of the file, not the permissions of the user running it. This is a significant security flaw, as we shall see. The hint shows us what “find” command to run but let’s see what the command does. (remember, don’t run code you don’t understand! Also, we’re here to learn, right?)

TryHackMe hint

“find” is obviously the find command. The first “/” tells find to start in the lowest part of the directory tree so we check all the files we can. “-user root” looks for the root user. “-perm /4000” tells find to look for permissions set to the numeric permissions notation for the SUID bit. This site below has a good table and examples of what that means:

https://www.cyberciti.biz/faq/unix-linux-bsd-chmod-numeric-permissions-notation-command/

Here is where I got frustrated with TryHackMe. “Which file is weird?” How the hell do I know?! It’s a giant list of files and they all look the same?! WTF

One thing that helps is to use grep to make things easier to read.

Make things easier to read.

“-v denied” separates all the lines with “permission denied” from the ones without and puts the files we want on the bottom of the list. We can’t access the “denied” ones anyway until we get root so we can ignore them. Now that things are a little more organized do you see anything that stands out? Go look, I’ll wait…

Don’t give up. You’re a hacker, you’ll figure it out.

Want a hint?

We need to run a command that will read a file. Can we do that with anything that’s listed?

One last hint: What program can we use to execute a script?

(sorry, I’m totally paying attention and wasn’t on Twitter…)

Did you find it?

Yep, it’s Python, everyone’s favorite programming language! Fortunately for us Python has built in functionality that can access files on a computer. We just need to figure out the code to run that will find and read a file. The hint suggests we look at GTFOBins. Looking in the python section we find the “file read” section that gives us code like this:

Read a file with python!

Which works!! Now, how did I know the path to the file? I guessed. Fortunately TryHackMe usually puts the files in the same place which makes guessing really easy. If you’re not happy with guessing you can try the SUID code in GTFOBins which should give you a shell you can use to navigate the file system.

Python Shell with Root Permissions
Hacking We Are In GIF by Debby Ryan - Find & Share on GIPHY

Overall I thought this was a fun room with a couple tricky parts that uses some of the lessons from TryHackMe’s educational information.

Thanks for reading. If you have questions leave a comment, I’ll try and help. If you want to read more check out my other write-ups.

Tags:

1 thought on “TryHackMe’s RootMe Realistic Write-up”

  1. Pingback: LazyAdmin Write-up - Fyodor Hacks Stuff

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.