THM | Linux PrivEsc
Shells and Privilege Escalation | Linux PrivEsc | Summary:
This series of walkthroughs aims to help out complete beginners with finishing the Complete Beginner path on the TryHackMe website. It is based on the learning content provided in the Linux PrivEsc room.
Disclaimer: Please note that this write-up is NOT intended to replace the original room or its content, but rather serve as supplementary material for those who are stuck and need additional guidance.
Task | 01 | Deploy the Vulnerable Debian VM
Question 1: Deploy the machine and login to the "user" account using SSH.
No answer needed
Question 2: Run the "id" command. What is the result?
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)
Task | 02 | Service Exploits
Question 1: Read and follow along with the above.
No answer needed
Task | 03 | Weak File Permissions - Readable /etc/shadow
Question 1: What is the root user's password hash?
$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0
Question 2: What hashing algorithm was used to produce the root user's password hash?
sha512crypt
Question 3: What is the root user's password?
password123
Task | 04 | Weak File Permissions - Writable /etc/shadow
Question 1: Read and follow along with the above.
No answer needed
Task | 05 | Weak File Permissions - Writable /etc/passwd
Question 1: Run the "id" command as the newroot user. What is the result?
uid=0(root) gid=0(root) groups=0(root)
Task | 06 | Sudo - Shell Escape Sequences
Question 1: How many programs is "user" allowed to run via sudo?
11
Question 2: One program on the list doesn't have a shell escape sequence on GTFOBins. Which is it?
apache2
Question 3: Consider how you might use this program with sudo to gain root privileges without a shell escape sequence.
No answer needed
Task | 07 | Sudo - Environment Variables
Question 1: Read and follow along with the above.
No answer needed
Task | 08 | Cron Jobs - File Permissions
Question 1: Read and follow along with the above.
No answer needed
Task | 09 | Cron Jobs - PATH Environment Variable
Question 1: What is the value of the PATH variable in /etc/crontab?
/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
Task | 10 | Cron Jobs - Wildcards
Question 1: Read and follow along with the above.
No answer needed
Task | 11 | SUID / SGID Executables - Known Exploits
Question 1: Read and follow along with the above.
No answer needed
Task | 12 | SUID / SGID Executables - Shared Object Injection
Question 1: Read and follow along with the above.
No answer needed
Task | 13 | SUID / SGID Executables - Environment Variables
Question 1: Read and follow along with the above.
No answer needed
Task | 14 | SUID / SGID Executables - Abusing Shell Features (#1)
Question 1: Read and follow along with the above.
No answer needed
Task | 15 | SUID / SGID Executables - Abusing Shell Features (#2)
Question 1: Read and follow along with the above.
No answer needed
Task | 16 | Passwords & Keys - History Files
Question 1: What is the full mysql command the user executed?
mysql -h somehost.local -uroot -ppassword123
Task | 17 | Passwords & Keys - Config Files
Question 1: What file did you find the root user's credentials in?
/etc/openvpn/auth.txt
Task | 18 | Passwords & Keys - SSH Keys
Question 1: Read and follow along with the above.
No answer needed
Task | 19 | NFS
Question 1: What is the name of the option that disables root squashing?
no_root_squash
Task | 20 | Kernel Exploits
Question 1: Read and follow along with the above.
No answer needed
Task | 21 | Privilege Escalation Scripts
Question 1: Experiment with all three tools, running them with different options. Do all of them identify the techniques used in this room?
No answer needed