Introduction
This is my write-up for TryHackMe’s RootMe Room.
Enumeration
Using nmap, I saw that this box has ports 22, and 80 open.
I saw the following when I checked the webpage with my browser.
Running gobuster, I found a few directories:
Looking at the /panel directory, I see a file upload page.
Exploitation
Trying to upload a PHP reverse shell found at pentestmonkey.net leads to an error. It seems that there is some server-side checks involved.
But when I rename the php file to .php5, it was successfully uploaded.
Checking the /uploads directory, I find that it was indeed uploaded.
Clicking on the file gives me a remote shell.
Privilege Escalation
Looking for files whose SUID bit was set, I saw a peculiar file.
Checking GTFOBins, I found a way to escalate my privileges and gain root.
Originally published at https://m0ndzon3.blogspot.com
