Root Me

Root Me

This walkthrough is just the path to root not all of the Q&A in the room.

Looks like we have a basic website on port 80. Nothing special with this page or the source code.

Let's have a look at our NMAP scan. We have 80 and 22 with ssh open. Not a whole lot to go on.

Let's do some feroxbuster to and see if we can find some things.

Okay let's start poking around and see what we find.

So we have 2 interesting ones. Uploads and Panel. Uploads is empty but panel brings us to an actual upload section. Hmm let's give it a go.

When we try to upload a php shell file, shell.php we get the following error that basically looks like we can't upload a PHP file.

After trying a couple other file types that uploaded just fine I started trying to get my php shell to upload. A couple attempts later and shell.php5 uploaded and executed perfectly.

After stabilizing the shell and looking around a little bit we find the user flag.

Let's get root now.

Let's see what are SUID's are and what we have access to

Okay cool we got python. I'm also going to get linpeas going while we research if we can escalate with python.

Looks like linpeas picked out python as well as being vulnerable.

Let's go over to GTFO bins and see what it says.

Looks like we can priv esc with this. Let's give it a go.

We do have to modify this a little bit. The code above gives us a file not found error. So we add the /usr/bin/ in front of python to get it to work correctly.

/usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

WE ARE ROOT!