Overview
- Room URL: https://tryhackme.com/room/linuxprivesc
- Difficulty: Medium
- Time to complete: 75
Walkthrough
1. Deploy the Vulnerable Debian VM
Deploy the machine and login to the "user" account using SSH.
sudo openvpn <file>.ovpn
No answer needed!
Run the "id" command. What is the result?
user@debian:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)
=> Answer: uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)
2. Service Exploits
No hints needed!
3. Weak File Permissions - Readable /etc/shadow
What is the root user's password hash?
cat /etc/shadow
=> Answer: $6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::
What hashing algorithm was used to produce the root user's password hash?
- Copy the entire user root and its hash password:
root:$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0:17298:0:99999:7:::
vim hash.txt
# Paste the user root above
john --wordlist-/usr/share/wordlists/rockyou.txt hash.txt
- You can find the hashing algorithm from the result of john-the-ripper.
=> Answer: sha512crypt
What is the root user's password?
=> Answer: password123
4. Weak File Permissions - Writable /etc/shadow
No answer needed!
5. Weak File Permissions - Writable /etc/passwd
Run the "id" command as the newroot user. What is the result?
- Follow step-by-step guide of the challenge you can get access as
newrootuser.
=> Answer: uid=0(root) gid=0(root) groups=0(root)
6. Sudo - Shell Escape Sequences
How many programs is "user" allowed to run via sudo?
sudo -l
=> Answer: 11
One program on the list doesn't have a shell escape sequence on GTFOBins. Which is it?
=> Answer: apache2
7. Sudo - Environment Variables
No answer needed!
8. Cron Jobs - File Permissions
No answer needed!
9. Cron Jobs - PATH Environment Variable
What is the value of the PATH variable in /etc/crontab?
cat /etc/crontab
# ...
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# ...
=> Answer: /home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
10. Cron Jobs - Wildcards
No answer needed!
11. SUID / SGID Executables - Known Exploits
No answer needed!
12. SUID / SGID Executables - Shared Object Injection
No answer needed!
13. SUID / SGID Executables - Environment Variables
No answer needed!
14. SUID / SGID Executables - Abusing Shell Features (#1)
No answer needed!
15. SUID / SGID Executables - Abusing Shell Features (#2)
No answer needed!
16. Passwords & Keys - History Files
What is the full mysql command the user executed?
cat ~/.*history | less
=> Answer: mysql -h somehost.local -uroot -ppassword123
17. Passwords & Keys - Config Files
What file did you find the root user's credentials in?
user@debian:~$ cat /home/user/myvpn.ovpn
client
dev tun
proto udp
remote 10.10.10.10 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/auth.txt
comp-lzo
verb 1
reneg-sec 0
user@debian:~$ cat /etc/openvpn/auth.txt
root
password123
=> Answer: /etc/openvpn/auth.txt
18. Passwords & Keys - SSH Keys
No answer needed!
19. NFS
What is the name of the option that disables root squashing?
=> Answer: no_root_squash
20. Kernel Exploits
No answer needed!
21. Privilege Escalation Scripts
No answer needed!