Latest issue
RootMe
Room
- Name: RootMe
- Site: tryhackme.com
- Difficulty: Easy
Write up
- Recon
- Ports
- 22
- 80
- http
- Important endpoints
- /uploads
- /panels
- /panels blocks php upload
- /panels allows phtml uploads
- Webshell uploaded
- user.txt file in /var/www
- got a reverse shell using https://www.revshells.com/
- find SUID binaries using
find / -type f -user root -perm -u=s 2>/dev/null
- /usr/bin/python has SUID flag
- go to https://gtfobins.github.io/ and find a command to run to get root
- run
/usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
- get root