Technical Report

Detailed analysis for technical teams, covering methodologies, tools, and findings.

Technical Security Report: "RootMe" System

Purpose of the Report

This report documents a simulated security assessment conducted on the "Rootme" system from TryHackMe. The objective was to perform reconnaissance, obtain a remote shell, and escalate privileges to root, thereby demonstrating the potential attack vectors and highlighting key areas for security improvement.


Methodology

The assessment was executed in three primary phases:

  1. Reconnaissance: Identification of open ports and services using Nmap, directory enumeration via Dirbuster, and analysis of public files (e.g., robots.txt).

  2. Shell Acquisition: Exploiting a file upload vulnerability to bypass restrictions and deliver a PHP reverse shell.

  3. Privilege Escalation: Locating misconfigured SUID binaries and leveraging them (using GTFOBins) to escalate privileges to root.


Detailed Findings

1. Reconnaissance

  • Tool Used: Nmap

  • Command Executed:

    nmap -F -T5 -sVC <ip_target>

    • -F: Scans the top 100 most common ports.

    • -T5: Uses the most aggressive timing template for faster results.

    • -sVC: Combines -sV (service and version detection) with -sC (default NSE scripts).

  • Results: Two open ports were identified:

    • Port 22: SSH service.

    • Port 80: HTTP service.

  • Additional Enumeration:

    • Web Analysis: The HTTP service was examined by visiting http://<ip_target>:80. The source code and robots.txt file were inspected, yielding no significant details.

    • Directory Discovery:

      • Tool Used: Dirbuster

      • Outcome: The /panel/ directory was discovered, indicating the presence of a file upload interface.

2. Obtaining a Remote Shell

  • Vulnerability Exploited:

    • The /panel/ directory featured a file upload form. Attempts to upload a PHP reverse shell script were initially blocked due to extension restrictions.

  • Bypass Technique:

    • The file extension was changed to .php5; other variants such as .png.php and .pHp were also attempted, and .php5 successfully bypassed the restriction.

  • Reverse Shell Deployment:

    • Preparation:

      • A PHP reverse shell script (with customized connection details) was prepared.

      • The attacker set up a listener using Netcat:

        nc -lnvp 8888

    • Execution:

      • The crafted file was uploaded via the panel, and upon triggering, an interactive shell connection was established.

  • Post-Exploitation Check:

    • Running whoami confirmed the shell was operating as the www-data user.
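As an added illustration (not part of the original report or of the TryHackMe room), the Python below models the kind of extension denylist the bypass above slips past, beside an allowlist check that rejects the same variants; the function names, the image-only upload policy and the sample filenames are assumptions.

```python
import os
import re

# Constructed sample filenames; the .php5, .pHp and .png.php variants are the
# ones the report says were tried against the /panel/ upload form.
SAMPLE_UPLOADS = ["shell.php", "shell.php5", "shell.pHp", "shell.png.php",
                  "photo.png", "photo.jpg"]

BLOCKED_EXTENSIONS = {".php"}


def weak_extension_check(filename: str) -> bool:
    """Hypothetical denylist on the literal final extension.

    Case-sensitive and unaware of alternate PHP extensions, so 'shell.php5'
    and 'shell.pHp' are accepted even though the web server may execute them.
    """
    _, ext = os.path.splitext(filename)
    return ext not in BLOCKED_EXTENSIONS


# Allowed extensions mapped to the file signature each must start with.
ALLOWED_IMAGE_TYPES = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
                       ".jpeg": b"\xff\xd8\xff"}
SAFE_BASENAME = re.compile(r"^[a-z0-9_-]{1,64}$")


def strict_upload_check(filename: str, content: bytes) -> bool:
    """Allowlist check: one lower-cased extension from ALLOWED_IMAGE_TYPES,
    a restricted base name, and content whose signature matches the extension."""
    if filename != os.path.basename(filename):
        return False                      # reject any path component
    parts = filename.lower().split(".")
    if len(parts) != 2:                   # exactly one extension: no 'x.png.php'
        return False
    base, ext = parts
    magic = ALLOWED_IMAGE_TYPES.get("." + ext)
    if magic is None or not SAFE_BASENAME.match(base):
        return False
    return content.startswith(magic)      # body must look like the claimed type


def audit(samples, content=b"\x89PNG\r\n\x1a\n" + b"\x00" * 16):
    """Return {filename: (denylist_result, allowlist_result)} for each sample."""
    return {f: (weak_extension_check(f), strict_upload_check(f, content))
            for f in samples}


if __name__ == "__main__":
    for name, (weak, strict) in audit(SAMPLE_UPLOADS).items():
        print(f"{name:14} denylist={weak!s:5} allowlist={strict}")
```

Storing accepted files under a server-generated name outside the web root removes the remaining risk that an accepted upload is ever served as executable code.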

3. Privilege Escalation

  • Objective: Escalate from www-data to root.

  • Initial Check:

    • Command Executed: sudo -l

    • Result: No direct sudo privileges were granted.

  • SUID Enumeration:

    • Command Executed:

      find / -type f -perm -04000 -ls 2>/dev/null

    • Observation: The binary /usr/bin/python was identified as a potential candidate for exploitation.

  • Exploitation via GTFOBins:

    • Technique: Leveraged the SUID bit on Python by executing:

      python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

    • Outcome: The command spawned a shell with elevated privileges, effectively granting root access.

  • Verification:

    • The final step involved locating and reading the root.txt file to confirm complete system compromise:

      find / -type f -name "*root.txt*" 2>/dev/null

Conclusion

The "Rootme" system was successfully compromised by following a structured approach. Initial reconnaissance revealed basic services and a vulnerable file upload interface. Exploiting this vulnerability allowed the deployment of a PHP reverse shell, providing a foothold as the www-data user. Finally, leveraging a misconfigured SUID binary facilitated privilege escalation to root. This assessment underscores the importance of properly securing file upload functionalities, restricting SUID binaries, and continuously monitoring for misconfigurations to mitigate similar attacks in a production environment.
