Tryhackme-RootME-ctf writeup

Nov 16, 2023

First of all, let's ping the machine's IP to check if it's alive.

ping 10.10.61.192

Let's scan for open ports using nmap.

nmap 10.10.142.185 -T4

The target machine is blocking nmap's host-discovery probes, so nmap reports the host as down, but it responded when we pinged it. We can therefore use the -Pn flag to treat the target as alive and scan for open ports.

nmap -Pn 10.10.64.209 -T4

So we have 2 ports open on our target machine.

Let's check port 80 in more detail.

This is the website being hosted on the HTTP service port:


We have Apache 2.4.29 running on the target machine. Let's visit the hosted site first.


Now let's use gobuster to see if there are any hidden directories:

gobuster dir -u 10.10.246.140 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

If you let the scan complete, you will find another hidden directory besides uploads: the panel directory. Let's visit that panel directory in our web browser.


Here we get an option to upload a file, probably images. Let's upload an image here and capture that request in Burp Suite.

Our image is uploaded.


This is the image upload request that we are going to send to Burp Suite's Repeater, to check whether we can send a payload instead of a normal image.


This is our request in Repeater.


Now, since we know the website is running on an Apache server, which usually has a PHP backend, we can try injecting a PHP reverse shell payload. You can get that script from the link below:

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

Replace the file content in the request with the script, and change the port and IP address inside the script.

NOTE: use the IP that is assigned to you by Hack The Box.


Let's change the file extension as well.


We will use the php5 extension, but you might want to try different PHP extensions and see which one works for you:

https://book.hacktricks.xyz/pentesting-web/file-upload
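The reason php5 works here is that the upload panel only looks at the client-supplied file name, while Apache happily maps alternative PHP extensions to the interpreter. As an added example (not code from the writeup or from the RootMe box), here is what a server-side check would need to do to close that gap: reject every executable extension segment, allow-list image types, confirm the magic bytes, and pick its own file name. The helper names `validate_upload` and `scan_upload_dir`, and the sample inputs in the `__main__` block, are hypothetical and constructed for this illustration. The second function is the defender's counterpart of the `find` command used later in the writeup: it audits an upload directory for file names that should never have been accepted.

```python
import os
import secrets
from dataclasses import dataclass

# Extensions a PHP-enabled Apache host may execute. "php5" is the one used in the
# writeup; the rest are the usual alternatives from the HackTricks page linked above.
BLOCKED_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps", "pht",
}

# Allow-list of image extensions with the magic bytes each must start with.
ALLOWED_IMAGE_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: str = ""  # server-chosen name; empty when rejected


def validate_upload(filename: str, content: bytes) -> UploadDecision:
    """Decide whether an upload is an image we are willing to keep.

    Hypothetical helper, not the RootMe panel's code (which accepted shell.php5).
    """
    # Strip any directory components the client sent (../, backslashes, ...).
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return UploadDecision(False, "missing extension")

    # Check every extension segment, not only the last one, so that
    # shell.php5.png and shell.png.php5 are both refused.
    for segment in parts[1:]:
        if segment in BLOCKED_EXTENSIONS:
            return UploadDecision(False, f"executable extension segment '{segment}'")

    ext = parts[-1]
    if ext not in ALLOWED_IMAGE_TYPES:
        return UploadDecision(False, f"extension '{ext}' not in allow-list")

    # Cheap content check: the bytes must look like the declared image type.
    if not content.startswith(ALLOWED_IMAGE_TYPES[ext]):
        return UploadDecision(False, "content does not match declared image type")

    # Never reuse the client-supplied name on disk; generate our own.
    return UploadDecision(True, "ok", f"{secrets.token_hex(8)}.{ext}")


def scan_upload_dir(path: str) -> list:
    """Defender-side audit: list files in an upload directory whose name carries
    an executable extension segment, i.e. files the validator would have refused."""
    hits = []
    for entry in os.scandir(path):
        if not entry.is_file():
            continue
        segments = entry.name.lower().split(".")[1:]
        if any(segment in BLOCKED_EXTENSIONS for segment in segments):
            hits.append(entry.name)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample inputs, not captured from the target machine.
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for name, data in [
        ("cat.png", png_header),           # legitimate image
        ("shell.php5", b"<?php echo 1;"),  # the extension the writeup used
        ("shell.php5.png", png_header),    # double extension
        ("fake.png", b"<?php echo 1;"),    # right extension, wrong content
    ]:
        d = validate_upload(name, data)
        print(f"{name:16} accepted={d.accepted} reason={d.reason}")
```

The magic-byte check only raises the bar (a file can start with a valid GIF header and still carry PHP after it), which is why the server-chosen file name and the extension allow-list matter more than the content sniffing, and why the stored files should additionally live somewhere the web server will not execute them.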

Now let's send our request from Burp Suite.


Our script is uploaded. Now let's start a listener on the same port number we specified in the reverse shell script, then execute our payload on the server.

Our listener is started.


Let's go to the /uploads directory of the website to execute our reverse shell script.


And here we go, we got the reverse shell.
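The shell runs because Apache executes whatever lands in /uploads. Even with a weak upload filter, that last step fails if the upload directory is configured as data-only. As an added example (not the box's configuration, which is unknown beyond "Apache 2.4.29"), the following Apache 2.4 snippet assumes mod_php and the default document root /var/www/html, so the path is an assumption:

```apache
# Assumed path: the writeup's /uploads directory under the default Apache document root
<Directory "/var/www/html/uploads">
    # mod_php only: refuse to run PHP in this directory even if a .php file lands here
    php_admin_flag engine off

    # Do not map any PHP-style extension to a handler or MIME type in this directory
    RemoveHandler .php .php3 .php4 .php5 .php7 .php8 .phtml .phar
    RemoveType .php .php3 .php4 .php5 .php7 .php8 .phtml .phar

    # Refuse to serve such files at all, including double extensions like x.php5.png
    <FilesMatch "\.(php[0-9]?|phtml|phar|phps|pht)(\.|$)">
        Require all denied
    </FilesMatch>

    # No .htaccess overrides (an uploaded .htaccess could re-enable handlers), no listings
    AllowOverride None
    Options -Indexes -ExecCGI
</Directory>
```

If PHP runs under PHP-FPM instead of mod_php, `php_admin_flag` is not a recognised Apache directive and would prevent the server from starting; in that setup drop that line, keep the FilesMatch deny, and make sure the proxy rule that forwards .php requests to FPM does not cover this directory.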


We can use this command to search for user.txt:

find / -type f -name user.txt 2> /dev/null

Let's view the content of the file.


Congratulations!!! 🥂 The box is finished ✅

Written by Syed Abeer Ahmed