Writeups

Write ups and Walkthroughs about vulnerable machines


RootMe



Enumeration

Using Nmap, we found that there are 2 open ports.

nmap scan


Website

Website

The website doesn't have any hidden details, although a PHPSESSID cookie is shown, indicating that PHP is used in the backend.


Directory Enumeration

Using gobuster, we get 2 directories: panel and uploads. Panel shows a form to upload a file. Uploads shows the files uploaded through the panel's form.

gobuster


PHP Reverse shell

The panel can be used to upload a file, so I cloned the php-reverse-shell repository.

php reverse shell

Tried uploading the shell, but it failed.

php rejected

Googled how to bypass php and found this on a website.

change file extension

Changing .php to .phtml bypassed it.

phtml accepted
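Why the rename worked, seen from the server side, as an added example that is not the room's actual panel code: it assumes the panel only rejects names ending in `.php`, and contrasts that deny-list with an allow-list. The function names, the image-only allow-list and the sample filenames are hypothetical.

```php
<?php
// Added example; the real upload handler is not shown on this page.
// Assumption: the panel's check is a deny-list on the ".php" extension.

// Weak form: reject one known-bad extension, accept everything else.
function denylist_accepts(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return $ext !== 'php';
}

// Hardened form: accept only the extensions the feature needs
// (hypothetical: an image-only upload) and require exactly one extension.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

function allowlist_accepts(string $name): bool
{
    $parts = explode('.', strtolower(basename($name)));
    if (count($parts) !== 2 || $parts[0] === '') {
        return false; // no extension, empty base name, or several extensions
    }
    return in_array($parts[1], ALLOWED_EXT, true);
}

// Store under a server-generated name; never reuse the client's file name.
function storage_name(string $name): string
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample file names, including the two from this write-up.
$samples = ['upload.php', 'upload.phtml', 'photo.jpg', 'photo.PNG', 'notes.txt'];

foreach ($samples as $s) {
    printf(
        "%-13s denylist=%-6s allowlist=%-6s %s\n",
        $s,
        denylist_accepts($s) ? 'accept' : 'reject',
        allowlist_accepts($s) ? 'accept' : 'reject',
        allowlist_accepts($s) ? 'stored as ' . storage_name($s) : ''
    );
}
```

The extension check is only one layer: serving the uploads directory with script execution disabled is what keeps an accepted file from running at all.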


Shell access

Tried running the file by opening it through the uploads directory. It gave an error.

shell execution failed

But surprisingly, I got a reverse shell.

Reverse shell


User flag

Found the user flag.

user flag


SUID exploitation

The TryHackMe question specifically asked about SUID, so I checked for that.

suid finding

Checked GTFOBins for Python SUID.

gtfobins suid python

I got root access.

root access


Root flag

user flag


Source