tryhackme.com Open in urlscan Pro
2606:4700:10::ac43:1b0a Public Scan

Back to summary

URL:
https://tryhackme.com/room/linprivesc
Submission: On January 31 via api (January 31st 2023, 2:50:18 pm UTC) from TN — Scanned from DE

Form analysis
1 forms found in the DOM

POST /feedback

<form method="post" action="/feedback" id="roomFeedbackForm" class="d-none mt-3">
  <input type="hidden" name="_csrf" value="tjYk4pam-5OecKU754lw6OaJlriHf2HHgTpc">
  <input type="hidden" name="roomCode" value="linprivesc">
  <input type="hidden" name="type" value="rooms">
  <input type="hidden" name="redirect" value="json">
  <div class="form-group">
    <label class="mb-0" for="like">What do you like about the room?</label>
    <textarea type="text" name="like" id="like" class="form-control"></textarea>
  </div>
  <div class="form-group">
    <label class="mb-0" for="dislike">What don't you like about the room?</label>
    <textarea type="text" name="dislike" id="dislike" class="form-control"></textarea>
  </div>
  <div class="form-group">
    <label class="mb-0" for="details">Please send your suggestions, ideas and comments!</label>
    <textarea id="details" type="text" name="details" class="form-control" style="padding: 5px;"></textarea>
  </div>
  <button type="submit" id="submitBtn" class="btn btn-success">Send Feedback</button>
</form>

Text Content

We use cookies to ensure you get the best user experience. For more information
contact us. Read more
Got it!
* Learn
* Compete
King of the Hill
Attack & Defend

Leaderboards
Platform Rankings
* Networks
Throwback
Attacking Active Directory

Wreath
Network Pivoting
* For Education
Teaching
Use our security labs

Create Labs
Upload & Deploy VMs
* For Business

* Login
* Join Now

* Learn
* Compete
King of the Hill
Attack & Defend

Leaderboards
Platform Rankings
* Networks
Throwback
Attacking Active Directory

Wreath
Network Pivoting
* For Education
Teaching
Use our security labs

Create Labs
Upload & Deploy VMs
* For Business

* Login
* Join Now

2074

LINUX PRIVILEGE ESCALATION

Start AttackBox
Use Kali Linux
Web-based Kali Machine
Use AttackBox
Recommended
Show Split View Cloud Details Awards Help
Clone Room Writeups Reset Progress Leave

Learn the fundamentals of Linux privilege escalation. From enumeration to
exploitation, get hands-on with over 8 different privilege escalation
techniques.

To access material, start machines and answer questions login.

* Chart
* Scoreboard
* Discuss
* Writeups
* More

Difficulty: Medium

Rank Username Total Score

DISCORD

Come join our Discord server for support or further discussions

FORUM

Read or post on the dedicated forum post
Try Hack Me Linux PrivEsc Capstone Challenge by ekiminu
TryHackMe Linux PrivEsc writeup by Hacker5preme
TryHackMe — Linux PrivEsc walkthrough by hb
The Complete Linux Privilege Escalation Capstone | TryHackMe Junior Penetration
Tester by motasemhamdan
Linux PrivEsc — TryHackMe Write-up by mohsin92006

Add Writeup
Submit

Writeups should have a link to TryHackMe and not include any passwords/cracked
hashes/flags

This is a free room, which means anyone can deploy virtual machines in the room
(without being subscribed)! 46524 users are in here and this room is 470 days
old.

Created by tryhackme

Active Machine Information
Loading...
Loading...
Loading...
Loading...
0%
Task 1 Introduction

Privilege escalation is a journey. There are no silver bullets, and much depends
on the specific configuration of the target system. The kernel version,
installed applications, supported programming languages, other users' passwords
are a few key elements that will affect your road to the root shell.

This room was designed to cover the main privilege escalation vectors and give
you a better understanding of the process. This new skill will be an essential
part of your arsenal whether you are participating in CTFs, taking certification
exams, or working as a penetration tester.

Answer the questions below
Read the above.

What does "privilege escalation" mean?

At it's core, Privilege Escalation usually involves going from a lower
permission account to a higher permission one. More technically, it's
the exploitation of a vulnerability, design flaw, or configuration oversight in
an operating system or application to gain unauthorized access to resources that
are usually restricted from the users.

Why is it important?

It's rare when performing a real-world penetration test to be able to gain a
foothold (initial access) that gives you direct administrative access. Privilege
escalation is crucial because it lets you gain system administrator levels of
access, which allows you to perform actions such as:

* Resetting passwords

* Bypassing access controls to compromise protected data
* Editing software configurations
* Enabling persistence
* Changing the privilege of existing (or new) users
* Execute any administrative command

Answer the questions below
Read the above.
Login to answer..
Task 3 Enumeration
Start Machine

Note: Launch the target machine attached to this task to follow along.

You can launch the target machine and access it directly from your browser.

Alternatively, you can access it over SSH with the low-privilege user
credentials below:

Username: karen

Password: Password1

Enumeration is the first step you have to take once you gain access to any
system. You may have accessed the system by exploiting a critical vulnerability
that resulted in root-level access or just found a way to send commands using a
low privileged account. Penetration testing engagements, unlike CTF machines,
don't end once you gain access to a specific system or user privilege level. As
you will see, enumeration is as important during the post-compromise phase as it
is before.

HOSTNAME

The hostname command will return the hostname of the target machine. Although
this value can easily be changed or have a relatively meaningless string (e.g.
Ubuntu-3487340239), in some cases, it can provide information about the target
system’s role within the corporate network (e.g. SQL-PROD-01 for a production
SQL server).

UNAME -A

Will print system information giving us additional detail about the kernel used
by the system. This will be useful when searching for any potential kernel
vulnerabilities that could lead to privilege escalation.

/PROC/VERSION

The proc filesystem (procfs) provides information about the target system
processes. You will find proc on many different Linux flavours, making it an
essential tool to have in your arsenal.

Looking at /proc/version may give you information on the kernel version and
additional data such as whether a compiler (e.g. GCC) is installed.

/ETC/ISSUE

Systems can also be identified by looking at the /etc/issue file. This file
usually contains some information about the operating system but can easily be
customized or changes. While on the subject, any file containing system
information can be customized or changed. For a clearer understanding of the
system, it is always good to look at all of these.

PS COMMAND

The ps command is an effective way to see the running processes on a Linux
system. Typing ps on your terminal will show processes for the current shell.

The output of the ps (Process Status) will show the following;

* PID: The process ID (unique to the process)
* TTY: Terminal type used by the user
* Time: Amount of CPU time used by the process (this is NOT the time this
process has been running for)
* CMD: The command or executable running (will NOT display any command line
parameter)

The “ps” command provides a few useful options.

* ps -A: View all running processes
* ps axjf: View process tree (see the tree formation until ps axjf is run
below)

* ps aux: The aux option will show processes for all users (a), display the
user that launched the process (u), and show processes that are not attached
to a terminal (x). Looking at the ps aux command output, we can have a better
understanding of the system and potential vulnerabilities.

ENV

The env command will show environmental variables.

The PATH variable may have a compiler or a scripting language (e.g. Python) that
could be used to run code on the target system or leveraged for privilege
escalation.

SUDO -L

The target system may be configured to allow users to run some (or all) commands
with root privileges. The sudo -l command can be used to list all commands your
user can run using sudo.

One of the common commands used in Linux is probably ls.

While looking for potential privilege escalation vectors, please remember to
always use the ls command with the -la parameter. The example below shows how
the “secret.txt” file can easily be missed using the ls or ls -l commands.

The id command will provide a general overview of the user’s privilege level and
group memberships.

It is worth remembering that the id command can also be used to obtain the same
information for another user as seen below.

/ETC/PASSWD

Reading the /etc/passwd file can be an easy way to discover users on the system.

While the output can be long and a bit intimidating, it can easily be cut and
converted to a useful list for brute-force attacks.

Remember that this will return all users, some of which are system or service
users that would not be very useful. Another approach could be to grep for
“home” as real users will most likely have their folders under the “home”
directory.

HISTORY

Looking at earlier commands with the history command can give us some idea about
the target system and, albeit rarely, have stored information such as passwords
or usernames.

IFCONFIG

The target system may be a pivoting point to another network. The
ifconfig command will give us information about the network interfaces of the
system. The example below shows the target system has three interfaces (eth0,
tun0, and tun1). Our attacking machine can reach the eth0 interface but can not
directly access the two other networks.

This can be confirmed using the ip route command to see which network routes
exist.

NETSTAT

Following an initial check for existing interfaces and network routes, it is
worth looking into existing communications. The netstat command can be used with
several different options to gather information on existing connections.

* netstat -a: shows all listening ports and established connections.
* netstat -at or netstat -au can also be used to list TCP or UDP protocols
respectively.
* netstat -l: list ports in “listening” mode. These ports are open and ready to
accept incoming connections. This can be used with the “t” option to list
only ports that are listening using the TCP protocol (below)

* netstat -s: list network usage statistics by protocol (below) This can also
be used with the -t or -u options to limit the output to a specific protocol.

* netstat -tp: list connections with the service name and PID information.

This can also be used with the -l option to list listening ports (below)

We can see the “PID/Program name” column is empty as this process is owned by
another user.

Below is the same command run with root privileges and reveals this information
as 2641/nc (netcat)

* netstat -i: Shows interface statistics. We see below that “eth0” and “tun0”
are more active than “tun1”.

The netstat usage you will probably see most often in blog posts, write-ups, and
courses is netstat -ano which could be broken down as follows;

* -a: Display all sockets
* -n: Do not resolve names
* -o: Display timers

FIND COMMAND

Searching the target system for important information and potential privilege
escalation vectors can be fruitful. The built-in “find” command is useful and
worth keeping in your arsenal.

Below are some useful examples for the “find” command.

Find files:

* find . -name flag1.txt: find the file named “flag1.txt” in the current
directory
* find /home -name flag1.txt: find the file names “flag1.txt” in the /home
directory
* find / -type d -name config: find the directory named config under “/”
* find / -type f -perm 0777: find files with the 777 permissions (files
readable, writable, and executable by all users)
* find / -perm a=x: find executable files
* find /home -user frank: find all files for user “frank” under “/home”
* find / -mtime 10: find files that were modified in the last 10 days
* find / -atime 10: find files that were accessed in the last 10 day
* find / -cmin -60: find files changed within the last hour (60 minutes)
* find / -amin -60: find files accesses within the last hour (60 minutes)
* find / -size 50M: find files with a 50 MB size

This command can also be used with (+) and (-) signs to specify a file that is
larger or smaller than the given size.

The example above returns files that are larger than 100 MB. It is important to
note that the “find” command tends to generate errors which sometimes makes the
output hard to read. This is why it would be wise to use the “find” command with
“-type f 2>/dev/null” to redirect errors to “/dev/null” and have a cleaner
output (below).

Folders and files that can be written to or executed from:

* find / -writable -type d 2>/dev/null : Find world-writeable folders
* find / -perm -222 -type d 2>/dev/null: Find world-writeable folders
* find / -perm -o w -type d 2>/dev/null: Find world-writeable folders

The reason we see three different “find” commands that could potentially lead to
the same result can be seen in the manual document. As you can see below, the
perm parameter affects the way “find” works.

* find / -perm -o x -type d 2>/dev/null : Find world-executable folders

Find development tools and supported languages:

* find / -name perl*
* find / -name python*
* find / -name gcc*

Find specific file permissions:

Below is a short example used to find files that have the SUID bit set. The SUID
bit allows the file to run with the privilege level of the account that owns it,
rather than the account which runs it. This allows for an interesting privilege
escalation path,we will see in more details on task 6. The example below is
given to complete the subject on the “find” command.

* find / -perm -u=s -type f 2>/dev/null: Find files with the SUID bit, which
allows us to run the file with a higher privilege level than the current
user.

GENERAL LINUX COMMANDS

As we are in the Linux realm, familiarity with Linux commands, in general, will
be very useful. Please spend some time getting comfortable with commands such as
find, locate, grep, cut, sort, etc.

Answer the questions below
What is the hostname of the target system?

What is the Linux kernel version of the target system?

What Linux is this?

What version of the Python language is installed on the system?

What vulnerability seem to affect the kernel of the target system? (Enter a CVE
number)

Several tools can help you save time during the enumeration process. These tools
should only be used to save time knowing they may miss some privilege escalation
vectors. Below is a list of popular Linux enumeration tools with links to their
respective Github repositories.

The target system’s environment will influence the tool you will be able to use.
For example, you will not be able to run a tool written in Python if it is not
installed on the target system. This is why it would be better to be familiar
with a few rather than having a single go-to tool.

* LinPeas:
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
* LinEnum: https://github.com/rebootuser/LinEnum
* LES (Linux Exploit Suggester):
https://github.com/mzet-/linux-exploit-suggester
* Linux Smart Enumeration:
https://github.com/diego-treitos/linux-smart-enumeration
* Linux Priv Checker: https://github.com/linted/linuxprivchecker

Answer the questions below
Install and try a few automated enumeration tools on your local Linux
distribution

Note: Launch the target machine attached to this task to follow along.

You can launch the target machine and access it directly from your browser.

Alternatively, you can access it over SSH with the low-privilege user
credentials below:

Username: karen

Password: Password1

Privilege escalation ideally leads to root privileges. This can sometimes be
achieved simply by exploiting an existing vulnerability, or in some cases by
accessing another user account that has more privileges, information, or access.

Unless a single vulnerability leads to a root shell, the privilege escalation
process will rely on misconfigurations and lax permissions.

The kernel on Linux systems manages the communication between components such as
the memory on the system and applications. This critical function requires the
kernel to have specific privileges; thus, a successful exploit will potentially
lead to root privileges.

The Kernel exploit methodology is simple;

1. Identify the kernel version
2. Search and find an exploit code for the kernel version of the target system
3. Run the exploit

Although it looks simple, please remember that a failed kernel exploit can lead
to a system crash. Make sure this potential outcome is acceptable within the
scope of your penetration testing engagement before attempting a kernel exploit.

Research sources:

1. Based on your findings, you can use Google to search for an existing exploit
code.
2. Sources such as https://www.linuxkernelcves.com/cves can also be useful.
3. Another alternative would be to use a script like LES (Linux Exploit
Suggester) but remember that these tools can generate false positives
(report a kernel vulnerability that does not affect the target system) or
false negatives (not report any kernel vulnerabilities although the kernel
is vulnerable).

Hints/Notes:

1. Being too specific about the kernel version when searching for exploits on
Google, Exploit-db, or searchsploit
2. Be sure you understand how the exploit code works BEFORE you launch it. Some
exploit codes can make changes on the operating system that would make them
unsecured in further use or make irreversible changes to the system,
creating problems later. Of course, these may not be great concerns within a
lab or CTF environment, but these are absolute no-nos during a real
penetration testing engagement.
3. Some exploits may require further interaction once they are run. Read all
comments and instructions provided with the exploit code.
4. You can transfer the exploit code from your machine to the target system
using the SimpleHTTPServer Python module and wget respectively.

Answer the questions below
find and use the appropriate kernel exploit to gain root privileges on the
target system.

What is the content of the flag1.txt file?

Note: Launch the target machine attached to this task to follow along.

You can launch the target machine and access it directly from your browser.

Alternatively, you can access it over SSH with the low-privilege user
credentials below:

Username: karen

Password: Password1

The sudo command, by default, allows you to run a program with root privileges.
Under some conditions, system administrators may need to give regular users some
flexibility on their privileges. For example, a junior SOC analyst may need to
use Nmap regularly but would not be cleared for full root access. In this
situation, the system administrator can allow this user to only run Nmap with
root privileges while keeping its regular privilege level throughout the rest of
the system.

Any user can check its current situation related to root privileges using the
sudo -l command.

https://gtfobins.github.io/ is a valuable source that provides information on
how any program, on which you may have sudo rights, can be used.

Leverage application functions

Some applications will not have a known exploit within this context. Such an
application you may see is the Apache2 server.

In this case, we can use a "hack" to leak information leveraging a function of
the application. As you can see below, Apache2 has an option that supports
loading alternative configuration files (-f : specify an alternate
ServerConfigFile).

Loading the /etc/shadow file using this option will result in an error message
that includes the first line of the /etc/shadow file.

Leverage LD_PRELOAD

On some systems, you may see the LD_PRELOAD environment option.

LD_PRELOAD is a function that allows any program to use shared libraries. This
blog post will give you an idea about the capabilities of LD_PRELOAD. If the
"env_keep" option is enabled we can generate a shared library which will be
loaded and executed before the program is run. Please note the LD_PRELOAD option
will be ignored if the real user ID is different from the effective user ID.

The steps of this privilege escalation vector can be summarized as follows;

1. Check for LD_PRELOAD (with the env_keep option)
2. Write a simple C code compiled as a share object (.so extension) file
3. Run the program with sudo rights and the LD_PRELOAD option pointing to our
.so file

The C code will simply spawn a root shell and can be written as follows;

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}

We can save this code as shell.c and compile it using gcc into a shared object
file using the following parameters;

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

We can now use this shared object file when launching any program our user can
run with sudo. In our case, Apache2, find, or almost any of the programs we can
run with sudo can be used.

We need to run the program by specifying the LD_PRELOAD option, as follows;

sudo LD_PRELOAD=/home/user/ldpreload/shell.so find

This will result in a shell spawn with root privileges.

Answer the questions below
How many programs can the user "karen" run on the target system with sudo
rights?

What is the content of the flag2.txt file?

How would you use Nmap to spawn a root shell if your user had sudo rights on
nmap?

What is the hash of frank's password?

Note: Launch the target machine attached to this task to follow along.

You can launch the target machine and access it directly from your browser.

Alternatively, you can access it over SSH with the low-privilege user
credentials below:

Username: karen

Password: Password1

Much of Linux privilege controls rely on controlling the users and files
interactions. This is done with permissions. By now, you know that files can
have read, write, and execute permissions. These are given to users within their
privilege levels. This changes with SUID (Set-user Identification) and SGID
(Set-group Identification). These allow files to be executed with the permission
level of the file owner or the group owner, respectively.

You will notice these files have an “s” bit set showing their special permission
level.

find / -type f -perm -04000 -ls 2>/dev/null will list files that have SUID or
SGID bits set.

A good practice would be to compare executables on this list with GTFOBins
(https://gtfobins.github.io). Clicking on the SUID button will filter binaries
known to be exploitable when the SUID bit is set (you can also use this link for
a pre-filtered list https://gtfobins.github.io/#+suid).

The list above shows that nano has the SUID bit set. Unfortunately, GTFObins
does not provide us with an easy win. Typical to real-life privilege escalation
scenarios, we will need to find intermediate steps that will help us leverage
whatever minuscule finding we have.

The SUID bit set for the nano text editor allows us to create, edit and read
files using the file owner’s privilege. Nano is owned by root, which probably
means that we can read and edit files at a higher privilege level than our
current user has. At this stage, we have two basic options for privilege
escalation: reading the /etc/shadow file or adding our user to /etc/passwd.

Below are simple steps using both vectors.

reading the /etc/shadow file

We see that the nano text editor has the SUID bit set by running the find /
-type f -perm -04000 -ls 2>/dev/null command.

nano /etc/shadow will print the contents of the /etc/shadow file. We can now use
the unshadow tool to create a file crackable by John the Ripper. To achieve
this, unshadow needs both the /etc/shadow and /etc/passwd files.

The unshadow tool’s usage can be seen below;
unshadow passwd.txt shadow.txt > passwords.txt

With the correct wordlist and a little luck, John the Ripper can return one or
several passwords in cleartext. For a more detailed room on John the Ripper, you
can visit https://tryhackme.com/room/johntheripper0

The other option would be to add a new user that has root privileges. This would
help us circumvent the tedious process of password cracking. Below is an easy
way to do it:

We will need the hash value of the password we want the new user to have. This
can be done quickly using the openssl tool on Kali Linux.

We will then add this password with a username to the /etc/passwd file.

Once our user is added (please note how root:/bin/bash was used to provide a
root shell) we will need to switch to this user and hopefully should have root
privileges.

Answer the questions below

Which user shares the name of a great comic book writer?

What is the password of user2?

What is the content of the flag3.txt file?

Note: Launch the target machine attached to this task to follow along.

You can launch the target machine and access it directly from your browser.

Alternatively, you can access it over SSH with the low-privilege user
credentials below:

Username: karen

Password: Password1

Another method system administrators can use to increase the privilege level of
a process or binary is “Capabilities”. Capabilities help manage privileges at a
more granular level. For example, if the SOC analyst needs to use a tool that
needs to initiate socket connections, a regular user would not be able to do
that. If the system administrator does not want to give this user higher
privileges, they can change the capabilities of the binary. As a result, the
binary would get through its task without needing a higher privilege user.
The capabilities man page provides detailed information on its usage and
options.

We can use the getcap tool to list enabled capabilities.

When run as an unprivileged user, getcap -r / will generate a huge amount of
errors, so it is good practice to redirect the error messages to /dev/null.

Please note that neither vim nor its copy has the SUID bit set. This privilege
escalation vector is therefore not discoverable when enumerating files looking
for SUID.

GTFObins has a good list of binaries that can be leveraged for privilege
escalation if we find any set capabilities.

We notice that vim can be used with the following command and payload:

This will launch a root shell as seen below;

Answer the questions below
Complete the task described above on the target system

How many binaries have set capabilities?

What other binary can be used through its capabilities?

What is the content of the flag4.txt file?

Note: Launch the target machine attached to this task to follow along.

You can launch the target machine and access it directly from your browser.

Alternatively, you can access it over SSH with the low-privilege user
credentials below:

Username: karen

Password: Password1

Cron jobs are used to run scripts or binaries at specific times. By default,
they run with the privilege of their owners and not the current user. While
properly configured cron jobs are not inherently vulnerable, they can provide a
privilege escalation vector under some conditions.
The idea is quite simple; if there is a scheduled task that runs with root
privileges and we can change the script that will be run, then our script will
run with root privileges.

Cron job configurations are stored as crontabs (cron tables) to see the next
time and date the task will run.

Each user on the system have their crontab file and can run specific tasks
whether they are logged in or not. As you can expect, our goal will be to find a
cron job set by root and have it run our script, ideally a shell.

Any user can read the file keeping system-wide cron jobs under /etc/crontab

While CTF machines can have cron jobs running every minute or every 5 minutes,
you will more often see tasks that run daily, weekly or monthly in penetration
test engagements.

You can see the backup.sh script was configured to run every minute. The content
of the file shows a simple script that creates a backup of the prices.xls file.

As our current user can access this script, we can easily modify it to create a
reverse shell, hopefully with root privileges.

The script will use the tools available on the target system to launch a reverse
shell.
Two points to note;

1. The command syntax will vary depending on the available tools. (e.g. nc will
probably not support the -e option you may have seen used in other cases)
2. We should always prefer to start reverse shells, as we not want to
compromise the system integrity during a real penetration testing
engagement.

The file should look like this;

We will now run a listener on our attacking machine to receive the incoming
connection.

Crontab is always worth checking as it can sometimes lead to easy privilege
escalation vectors. The following scenario is not uncommon in companies that do
not have a certain cyber security maturity level:

1. System administrators need to run a script at regular intervals.
2. They create a cron job to do this
3. After a while, the script becomes useless, and they delete it

4. They do not clean the relevant cron job

This change management issue leads to a potential exploit leveraging cron jobs.

The example above shows a similar situation where the antivirus.sh script was
deleted, but the cron job still exists.
If the full path of the script is not defined (as it was done for the backup.sh
script), cron will refer to the paths listed under the PATH variable in the
/etc/crontab file. In this case, we should be able to create a script named
“antivirus.sh” under our user’s home folder and it should be run by the cron
job.

The file on the target system should look familiar:

The incoming reverse shell connection has root privileges:

In the odd event you find an existing script or task attached to a cron job, it
is always worth spending time to understand the function of the script and how
any tool is used within the context. For example, tar, 7z, rsync, etc., can be
exploited using their wildcard feature.

Answer the questions below
How many user-defined cron jobs can you see on the target system?

What is Matt's password?

Note: Launch the target machine attached to this task to follow along.

You can launch the target machine and access it directly from your browser.

Alternatively, you can access it over SSH with the low-privilege user
credentials below:

Username: karen

Password: Password1

If a folder for which your user has write permission is located in the path, you
could potentially hijack an application to run a script. PATH in Linux is an
environmental variable that tells the operating system where to search for
executables. For any command that is not built into the shell or that is not
defined with an absolute path, Linux will start searching in folders defined
under PATH. (PATH is the environmental variable were are talking about here,
path is the location of a file).

Typically the PATH will look like this:

If we type “thm” to the command line, these are the locations Linux will look in
for an executable called thm. The scenario below will give you a better idea of
how this can be leveraged to increase our privilege level. As you will see, this
depends entirely on the existing configuration of the target system, so be sure
you can answer the questions below before trying this.

1. What folders are located under $PATH
2. Does your current user have write privileges for any of these folders?
3. Can you modify $PATH?
4. Is there a script/application you can start that will be affected by this
vulnerability?

For demo purposes, we will use the script below:

This script tries to launch a system binary called “thm” but the example can
easily be replicated with any binary.

We compile this into an executable and set the SUID bit.

Our user now has access to the “path” script with SUID bit set.

Once executed “path” will look for an executable named “thm” inside folders
listed under PATH.

If any writable folder is listed under PATH we could create a binary named thm
under that directory and have our “path” script run it. As the SUID bit is set,
this binary will run with root privilege

A simple search for writable folders can done using the “find / -writable
2>/dev/null” command. The output of this command can be cleaned using a simple
cut and sort sequence.

Some CTF scenarios can present different folders but a regular system would
output something like we see above.

Comparing this with PATH will help us find folders we could use.

We see a number of folders under /usr, thus it could be easier to run our
writable folder search once more to cover subfolders.

An alternative could be the command below.

find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u

We have added “grep -v proc” to get rid of the many results related to running
processes.

Unfortunately, subfolders under /usr are not writable

The folder that will be easier to write to is probably /tmp. At this point
because /tmp is not present in PATH so we will need to add it. As we can see
below, the “export PATH=/tmp:$PATH” command accomplishes this.

At this point the path script will also look under the /tmp folder for an
executable named “thm”.

Creating this command is fairly easy by copying /bin/bash as “thm” under the
/tmp folder.

We have given executable rights to our copy of /bin/bash, please note that at
this point it will run with our user’s right. What makes a privilege escalation
possible within this context is that the path script runs with root privileges.

Answer the questions below

What is the odd folder you have write access for?

Exploit the $PATH vulnerability to read the content of the flag6.txt file.

What is the content of the flag6.txt file?

Note: Launch the target machine attached to this task to follow along.

You can launch the target machine and access it directly from your browser.

Alternatively, you can access it over SSH with the low-privilege user
credentials below:

Username: karen

Password: Password1

Privilege escalation vectors are not confined to internal access. Shared folders
and remote management interfaces such as SSH and Telnet can also help you gain
root access on the target system. Some cases will also require using both
vectors, e.g. finding a root SSH private key on the target system and connecting
via SSH with root privileges instead of trying to increase your current user’s
privilege level.

Another vector that is more relevant to CTFs and exams is a misconfigured
network shell. This vector can sometimes be seen during penetration testing
engagements when a network backup system is present.

NFS (Network File Sharing) configuration is kept in the /etc/exports file. This
file is created during the NFS server installation and can usually be read by
users.

The critical element for this privilege escalation vector is the
“no_root_squash” option you can see above. By default, NFS will change the root
user to nfsnobody and strip any file from operating with root privileges. If the
“no_root_squash” option is present on a writable share, we can create an
executable with SUID bit set and run it on the target system.

We will start by enumerating mountable shares from our attacking machine.

We will mount one of the “no_root_squash” shares to our attacking machine and
start building our executable.

As we can set SUID bits, a simple executable that will run /bin/bash on the
target system will do the job.

Once we compile the code we will set the SUID bit.

You will see below that both files (nfs.c and nfs are present on the target
system. We have worked on the mounted share so there was no need to transfer
them).

Notice the nfs executable has the SUID bit set on the target system and runs
with root privileges.

Answer the questions below
How many mountable shares can you identify on the target system?

Gain a root shell on the target system

What is the content of the flag7.txt file?

By now you have a fairly good understanding of the main privilege escalation
vectors on Linux and this challenge should be fairly easy.

You have gained SSH access to a large scientific facility. Try to elevate your
privileges until you are Root.
We designed this room to help you build a thorough methodology for Linux
privilege escalation that will be very useful in exams such as OSCP and your
penetration testing engagements.

Leave no privilege escalation vector unexplored, privilege escalation is often
more an art than a science.

You can access the target machine over your browser or use the SSH credentials
below.

* Username: leonard
* Password: Penny123

Answer the questions below
What is the content of the flag1.txt file?
Login to answer..

What is the content of the flag2.txt file?

Created by tryhackme

This is a free room, which means anyone can deploy virtual machines in the room
(without being subscribed)! 46524 users are in here and this room is 470 days
old.

--------------------------------------------------------------------------------

LEARN

* Hacktivities
* Leaderboards
* Paths

DOCS

* Teaching
* About Us
* Blog
* Buy Vouchers

SOCIALS

* Twitter
* Email
* Discord
* Forum

WEB-BASED MACHINE INFORMATION

Use the web-based machine to attack other target machines you start on
TryHackMe.

* Public IP:
* Private IP: (Use this for your reverse shells)
* Username:
* Password:
* Protocol:

--------------------------------------------------------------------------------

* To copy to and from the browser-based machine, highlight the text and press
CTRL+SHIFT+C or use the clipboard
* When accessing target machines you start on TryHackMe tasks, make sure you're
using the correct IP (it should not be the IP of your AttackBox)

Complete the room to earn this badge

QUESTION HINT

...

CONGRATULATIONS

You've completed the room! Share this with your friends:

Leave feedback

What do you like about the room?
What don't you like about the room?
Please send your suggestions, ideas and comments!
Send Feedback

TO ACCESS THIS MACHINE, YOU NEED TO EITHER

Use a VPN

Connect to our network via a VPN

See Instructions
or

Use the AttackBox

Use a web-based attack machine (recommended)

Start AttackBox

EXPIRING SOON

Your machine is going to expire soon. Close this and add an hour to stop it from
terminating!

EXPIRED MACHINE

Your machine has expired and terminated.

HOW TO ACCESS MACHINES

Now you've started your machine, to access it you need to either

Download your VPN configuration file and import it into a OpenVPN client

Control a web-based machine with everything you need, all from inside your
browser

RESET YOUR PROGRESS

×
Warning You will keep your points but all your answers in this room will be
erased.
Yes, please!

CLOUD INFORMATION

×
* Environment
* Credentials

GENERATING YOUR CERTIFICATE

HEY THERE, WHAT'S YOUR NAME?

If you want your name to appear on your certificate, please fill the field
below.

Full Name

YOU'RE HERE INCOGNITO? IT'S OK!

If you chose skip, your username will be used instead!

Generate with my full name
Generate with my username
Video Solution
Writeups

Forum Post

Knowledge Base

Ask Community
Show Connection Options

To access target machines you need to either:

AttackBox

Use a browser-based attack machine

OpenVPN

Connect to our network via a VPN

View the dedicated OpenVPN access page for more information

WHAT OPERATING SYSTEM ARE YOU USING?

* Windows
* Linux
* MacOS

1. Download your OpenVPN configuration pack.
2. Download the OpenVPN GUI application.
3. Install the OpenVPN GUI application. Then open the installer file and follow
the setup wizard.
4. Open and run the OpenVPN GUI application as Administrator.

5. The application will start running in the system tray. It's at the bottom of
your screen, near the clock. Right click on the application and click Import
File.

6. Select the configuration file you downloaded earlier.
7. Now right click on the application again, select your file and click Connect

1. Download your OpenVPN configuration pack.
2. Run the following command in your terminal: sudo apt install openvpn
3. Locate the full path to your VPN configuration file (normally in your
~/Downloads folder).
4. Use your OpenVPN file with the following command: sudo openvpn
/path/to/file.ovpn

1. Download your OpenVPN configuration pack.
2. Download OpenVPN for MacOS.
3. Install the OpenVPN GUI application, by opening the dmg file and following
the setup wizard.

4. Open and run the OpenVPN GUI application.
5. The application will start running and appear in your top bar. Right click
on the application and click Import File -> Local file.

6. Select the configuration file you downloaded earlier.
7. Right click on the application again, select your file and click connect.

HAVING PROBLEMS?

* If you can access 10.10.10.10, you're connected.
* Downloading and getting a 404? Go the access page and switch VPN servers.
* Getting inline cert error? Go the access page and switch VPN servers.
* If you are using a virtual machine, you will need to run the VPN inside that
machine.
* Is the OpenVPN client running as root? (On Windows, run OpenVPN GUI as
administrator. On Linux, run with sudo)
* Have you restarted your VM?
* Is your OpenVPN up-to-date?
* Only 1 OpenVPN connection is allowed. (Run ps aux | grep openvpn - are there
2 VPN sessions running?)
* Still having issues? Check our docs out.

ATTACKBOX

Use your own web-based linux machine to access machines on TryHackMe

To start your AttackBox in the room, click the Start AttackBox button. Your
private machine will take 2 minutes to start.

You can also use the dedicated My-Machine page to start and access your machine.
From here you can also deploy:

* AttackBox - Custom cyber-ready linux instance
* Kali Linux - Industry standard security linux instance
* Free AttackBox - Less powerful Attackbox with no internet

Free users get 1 free AttackBox hour. Subscribed users get more powerful
machines with unlimited deploys.

Hide IP

tryhackme.com Open in urlscan Pro 2606:4700:10::ac43:1b0a Public Scan

Form analysis 1 forms found in the DOM

POST /feedback

Text Content

tryhackme.com Open in urlscan Pro
2606:4700:10::ac43:1b0a Public Scan

Form analysis
1 forms found in the DOM