THM - RootMe with a twist
Introduction
A ctf for beginners, can you root me?
I’ve thought a few times that maybe I could do a THM room entirely on my phone. Not because I had to, but for the additional challenge. If you’ve ever seen Mitten Squad on YouTube you might get the idea. Today I did one, and this is how.
Now, you might be thinking that yeah there are definitely rooms you can do on a phone, and there are a few I can think of that I could go back to and do on the phone. But that’s because I already know how to solve them. That’s not the point here: what I’m doing is a room, from zero, no hints.
Ground rules
So I have an Android phone; it’s not particularly recent or special. The idea is to complete this challenge only with tools installed on the phone, or that can be installed if they aren’t already. So SSH-ing into an attack machine in the cloud or somewhere else doesn’t count.
Connecting to the VPN
OpenVPN has an Android app; you simply import the connection file and click connect. It’s no more difficult than it is on Kali; you just have to install the app first.
nmap
So, how do we go about running a port scan on Android? Well, I use Termux. What’s Termux? According to the wiki:
Termux is an Android terminal emulator and Linux environment application that works directly with no rooting or setup required. A minimal base system is installed automatically, additional packages are available using the package manager.
What does this mean? It’s essentially a CLI for your phone, which is exactly both as convenient and inconvenient as you might expect. You get it from the Play Store, just like the OpenVPN app.
I don’t recall if it came with nmap out of the box so to speak, but nmap is available via the package manager:
package install nmap
And once it’s installed, nmap works just like it does on Kali, although more slowly (this will be a recurring theme).
Anyway I saw I had ports 22 and 80 and got impatient and cancelled the scan.
Gobuster?
No; I’m on my phone remember? We have no gobuster here, and no WFUZZ either. What we do have is dirb, and it works just fine in Termux, provided you aren’t in a hurry.
package install dirb
It helpfully identifies a couple of potentially interesting sounding directories in panel and uploads just with the default common.txt wordlist. It also comes with big.txt but we don’t need it.
Browser whingeing
So I’m using Chrome on my phone after recently nuking Firefox because of their latest update which I hated. But Chrome has some limitations that you wouldn’t normally notice until you start doing something like this - you can’t view the page source, and if you want to visit a particular page on a site, the address bar seems to assume you want an entirely new site and forces you to retype the base URL - that’s annoying. Anyway, the panel page allows you to upload a file, and uploads is where it goes. Since this is a beginner level challenge, a reverse shell seems like a good upload choice.
Just on the page source: you can use wget and cat in Termux, so that’s one option for viewing page sources.
Pentestmonkey
I didn’t have the pentestmonkey PHP reverse shell on my phone so I went and downloaded it. Termux allows you to extract tar.gz files so apart from mucking about with download locations and whatnot that was fine. You can also use nano in Termux to edit the IP for your shell, which was the same as I usually get from THM - you can check it with ifconfig.
Filter
I tried to upload the file, but PHP files - or more accurately, files with the .php extension - were banned. So I renamed my file to shell.phtml and that was accepted.
Listener
You can start a netcat listener in Termux just like in Kali, e.g.
nc -nvlp 1234
Visting the uploads page and choosing the shell file launches the connection - success!
Linpeas
Normally at this point I would fire up a python webserver on Kali and wget Linpeas onto the box. Can I do that here? Dunno…maybe. We can install python in Termux and do python -m http.server. Supposedly we can have multiple Termux sessions but I couldn’t get that to work, so I’d have kill my shell to upload the script - and then how would I wget it? Hmmm.
As an alternative, what about the upload function on the web page - will it accept a bash script? Actually, yes it will. So now we can go find the file on the server with our shell - and it’s in /var/www/html/uploads, which is what you’d expect. We can chmod it and run it where it sits, because we are already www-data so we own the directory.
Privesc
Linpeas tells us that python is running with the SUID bit set, so all I had to do was this:
/usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
And I was root. So that was that, and I’d completed the room on my phone. Well, I hadn’t answered any of the questions on the THM webpage, but I was root, and that was the aim of the exercise.
Final Thoughts
After getting the shell on Termux and upgrading to a proper TTY with python the text in Termux got all screwy and every character I typed was displayed twice. Through some trial and error, I found that from the server point of view the text was only entered once, so it still worked but it looked fatally broken on my end. Not sure what that was about. Also backspace didn’t seem to work.
Overall it was more difficult, and I wouldn’t choose to approach things like this as a matter of first choice - but if the room is suitable you can solve it with Android and Termux.