Tryhackme - Linux PrivEsc


In this walkthrough, we will go through the Linux PrivEsc room from TryHackMe. This room is rated Medium on the platform and covers a variety of Linux privilege escalation techniques and more. So, let’s get started without any delay.


Task 1 – Deploy the Vulnerable Debian VM


Question 1 – Deploy the machine and login to the “user” account using SSH.

Done

  • username – user
  • password – password321

ssh login

Question 2 – Run the “id” command. What is the result?

id

uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)

Task 2 – Service Exploits

Question 1 – Read and follow along with the above.

Done

gcc
mysql -u root
use mysql;

rootbash -p

Task 3 – Weak File Permissions – Readable /etc/shadow

Question 1 – What is the root user’s password hash?

cat /etc/shadow

 $6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999

Question 2 – What hashing algorithm was used to produce the root user’s password hash?

SHA512crypt
sha512crypt

Question 3 – What is the root user’s password?

John cracking

root password

password123


Task 4 – Weak File Permissions – Writable /etc/shadow

Question 1 – Read and follow along with the above.

Done

ls -l /etc/shadow
root password


Task 5 – Weak File Permissions – Writable /etc/passwd

Question 1 – Run the “id” command as the newroot user. What is the result?

cat /etc/passwd

su root
su newroot

uid=0(root) gid=0(root) groups=0(root)


Task 6 – Sudo – Shell Escape Sequences

Question 1 – How many programs is “user” allowed to run via sudo?

sudo -l

11

Question 2 – One program on the list doesn’t have a shell escape sequence on GTFOBins. Which is it?

apache2
GTFObins apache2

Question 3 – Consider how you might use this program with sudo to gain root privileges without a shell escape sequence.

Done

sudo /usr/sbin/apache2 -f /etc/shadow

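  • apache2 cannot parse /etc/shadow as a configuration file and prints the first line in its error message, which gives us the root user hash. Cracking it with John gives the root password, and we root the machine.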

Getting root


Task 7 – Sudo – Environment Variables

Question 1 – Read and follow along with the above.

Done

sudo -l

preload.c

ldd /usr/sbin/apache2



Task 8 – Cron Jobs – File Permissions

Question 1 – Read and follow along with the above.

Done

cat /etc/crontab

locate overwrite.sh

getting a reverse shell

Task 9 – Cron Jobs – PATH Environment Variable

Question 1 – What is the value of the PATH variable in /etc/crontab?

cat /etc/crontab

nano overwrite.sh

editing overwrite.sh
 /home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
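
The PATH value above starts with /home/user, a directory the unprivileged user controls, so a root cron job invoked by bare name is resolved there first. The following is an added example (not from the room or the original post) that audits a system crontab for that condition; the job lines, /opt/example/backup.sh and the sample_stat helper are constructed, and ownership data is injected through stat_fn so the check runs offline.

```python
import os
import stat
from types import SimpleNamespace

# Constructed /etc/crontab sample; PATH is the value from the answer above.
SAMPLE_CRONTAB = """\
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root overwrite.sh
@daily root /opt/example/backup.sh --full
"""

def parse_crontab(text):
    """Return (PATH directories, commands of jobs that run as root)."""
    path_dirs, root_cmds = [], []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("PATH="):
            path_dirs = fields[0][5:].strip("\"'").split(":")
        skip = 1 if fields[0].startswith("@") else 5  # schedule columns
        if len(fields) > skip + 1 and fields[skip] == "root":
            root_cmds.append(fields[skip + 1])
    return path_dirs, root_cmds

def unsafe_dirs(path_dirs, stat_fn=os.stat):
    """PATH entries in which a non-root user can create files."""
    bad = []
    for d in path_dirs:
        try:
            st = stat_fn(d) if d.startswith("/") else None
        except OSError:
            continue  # missing directory, skipped in this sketch
        # Empty or relative entries resolve against the working directory.
        if st is None or st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            bad.append(d)
    return bad

def audit(text, stat_fn=os.stat):
    """Root jobs whose command is looked up via PATH, with the unsafe entries."""
    path_dirs, root_cmds = parse_crontab(text)
    bad = unsafe_dirs(path_dirs, stat_fn)
    return [(cmd, bad) for cmd in root_cmds if "/" not in cmd and bad]

def sample_stat(path):
    """Constructed stand-in for os.stat: /home/user belongs to uid 1000."""
    return SimpleNamespace(st_uid=1000 if path == "/home/user" else 0, st_mode=0o040755)

if __name__ == "__main__":
    print(audit(SAMPLE_CRONTAB, sample_stat))
```

On a real host, call audit(open("/etc/crontab").read()) so the default os.stat is used; the fix is to drop user-writable directories from PATH and give every job an absolute command path.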

Task 10 – Cron Jobs – Wildcards

Question 1 – Read and follow along with the above.

Done
compress.sh
msfvenom shell.elf
python3 -m http.server

wget shell.elf

shell.elf

netcat listener


Task 11 – SUID / SGID Executables – Known Exploits

Question 1 – Read and follow along with the above.

Done

using find

Exim 4.84-3 Local Privilege Escalation

CVE-2016-1531

Task 12 – SUID / SGID Executables – Shared Object Injection

Question 1 – Read and follow along with the above.

Done

suid-so

strace


Task 13 – SUID / SGID Executables – Environment Variables

Question 1 – Read and follow along with the above.

Done

suid-env


Task 14 – SUID / SGID Executables – Abusing Shell Features (#1)

Question 1 – Read and follow along with the above.

Done

strings


Task 15 – SUID / SGID Executables – Abusing Shell Features (#2)

Question 1 – Read and follow along with the above.

Done

env -i


Task 16 – Passwords & Keys – History Files

Question 1 – What is the full mysql command the user executed?

cat ~/.*history | less

bash history


mysql -h somehost.local -uroot -ppassword123

Task 17 – Passwords & Keys – Config Files

Question 1 – What file did you find the root user’s credentials in?

myvpn.ovpn


/etc/openvpn/auth.txt

Task 18 – Passwords & Keys – SSH Keys

Question 1 – Read and follow along with the above.

Done

Listing directories

SSH directory

scp file transfer

Task 19 – NFS

Question 1 – What is the name of the option that disables root squashing?

cat /etc/exports
making directory

mounting NFS

no_root_squash
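
With no_root_squash set, requests from a client's root user are served as root on the export instead of being mapped to the anonymous user. The following is an added example (not from the room or the original post) that scans /etc/exports content for such entries; the sample paths and clients are constructed, and it assumes paths without quoted spaces and treats the last occurrence of an option pair as the effective one.

```python
# Constructed /etc/exports sample; paths and clients are illustrative.
SAMPLE_EXPORTS = """\
# lab shares
/srv/share  *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/docs   192.0.2.0/24(ro,sync) \\
            198.51.100.7(rw,no_root_squash)
/srv/pub    -ro,all_squash *.example.test
/srv/build  -no_root_squash 203.0.113.5(ro)
"""

def last_of(opts, on, off, default):
    """Value of an on/off option pair where the last occurrence wins."""
    state = default
    for o in opts:
        if o in (on, off):
            state = (o == on)
    return state

def unsquashed_exports(text):
    """Return (path, client, writable) for every export that leaves root unsquashed."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        path, defaults = fields[0], []
        for spec in fields[1:]:
            if spec.startswith("-"):  # "-opt,opt": defaults for the rest of the line
                defaults = spec[1:].split(",")
                continue
            client, _, rest = spec.partition("(")
            opts = defaults + [o for o in rest.rstrip(")").split(",") if o]
            root_kept = last_of(opts, "no_root_squash", "root_squash", False)
            if root_kept and "all_squash" not in opts:
                writable = last_of(opts, "rw", "ro", False)
                findings.append((path, client or "(any host)", writable))
    return findings

if __name__ == "__main__":
    for path, client, writable in unsquashed_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: root not squashed, {'rw' if writable else 'ro'}")
```

Entries reported with writable set to True are the ones to fix first: remove no_root_squash (root_squash is the default) and restrict the client list.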

Task 20 – Kernel Exploits

Question 1 – Read and follow along with the above.

Done

Linux Exploit Suggester

dirty cow exploit


Task 21 – Privilege Escalation Scripts


So that was “Linux PrivEsc” for you. In this room, we covered a variety of Linux privilege escalation techniques that we can use once we have landed on a Linux machine. The best position on any machine is root, and today we learned how to get to that point. On that note, I will take my leave and meet you in the next one. Till then, “Happy hacking”.
