This is a write-up of RootMe, a THM beginner-level challenge. Without any delay, let’s connect to our THM OpenVPN network and start hacking!!!
Task 1 Deploy the machine
Deploy the machine, and you will get your machine IP address. Your machine takes at least 2 mins to set up.
Task 2 Reconnaissance
1. Scan your network using Nmap.
nmap -A <machine-ip>
2. There are two open ports. Let us see what is on the HTTP port (80).
3. It is just a static page. Let’s enumerate the site's directories with Gobuster.
gobuster dir -u http://<machine-ip> -w 'wordlist'
4. Open the directory that you found. It is an upload portal. Let us try uploading a PHP reverse shell.
Task 3 Getting a shell
1. We got something interesting. Let’s try uploading a PHP reverse shell. You can find one here.
2. Before uploading, change the IP address in the shell to your system's IP and set the port. Also, make sure the extension of your file is .php5 to get new features of PHP.
3. At the same time, open a new terminal and listen on port 1234 using Netcat.
nc -lvp 1234
4. We successfully got our shell.
5. Find the path of the “user.txt” file.
find -name 'user.txt'
6. Blast!!! We got our first flag.
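From the defender's side, the upload in step 2 succeeds because the portal accepts a file whose extension the web server still runs as PHP. The check below is an added example, not part of the original write-up or the room's code: it validates upload names against an allowlist, and the allowed image types and the list of PHP-handled extensions are assumptions.

```python
import os

# Assumption: the portal is only meant to accept images.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Assumption: extensions that are commonly mapped to the PHP handler.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7",
                  "phtml", "phar", "phps", "pht"}


def check_upload_name(filename):
    """Return (allowed, reason) for a client-supplied upload file name."""
    if "\x00" in filename:
        return False, "null byte in name"
    # Drop any client-supplied path, then trailing dots and spaces.
    name = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    if not name or name.startswith("."):
        return False, "empty or hidden name"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    # Reject a script extension anywhere in the name (e.g. shell.php5.jpg),
    # since some server configurations act on inner extensions too.
    for part in parts[1:]:
        if part in PHP_EXTENSIONS:
            return False, "script extension ." + part
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return False, "extension ." + parts[-1] + " not on allowlist"
    return True, "ok"


def audit(names):
    """Map each name to its (allowed, reason) verdict."""
    return {n: check_upload_name(n) for n in names}


# Constructed sample names, not taken from the room.
SAMPLE_NAMES = ["holiday.png", "shell.php5", "shell.PHP5",
                "shell.php5.jpg", "notes.txt", "shell.php5.", ".htaccess"]

if __name__ == "__main__":
    for name, (ok, reason) in audit(SAMPLE_NAMES).items():
        print("ALLOW" if ok else "BLOCK", repr(name), "-", reason)
```

A name check alone is not sufficient: store uploads outside the web root or disable script execution in the upload directory, and save files under server-generated names.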
Task 4 Privilege escalation
1. Let’s escalate further to get the root flag. We can use LinPEAS for privilege escalation. You can start a local Python server or apache2 and download the file into the machine shell.
2. Make the file executable and run it.
3. Through Python, we can get into the root directory.
python -c 'print(open("/root/root.txt").read())'
It was fun doing this challenge. I hope everyone learned something new :).