Capstone Challenge

Room: https://tryhackme.com/room/linprivesc

You have gained SSH access to a large scientific facility. Try to elevate your privileges until you are Root.

We designed this room to help you build a thorough methodology for Linux privilege escalation that will be very useful in exams such as OSCP and your penetration testing engagements.

Leave no privilege escalation vector unexplored; privilege escalation is often more an art than a science.

You can access the target machine over your browser or use the SSH credentials below.

  • Username: leonard
  • Password: Penny123

Before we start, we have to remember the questions we need to answer: What is the content of the flag1.txt file? What is the content of the flag2.txt file?

What I wanted to do was go down the list:

  • Kernel Exploits
  • Sudo
  • Capabilities
  • Cron Jobs
  • PATH
  • NFS

Kernel Exploits

The first technique is kernel exploits. Essentially, the goal is to check whether the system is running an older kernel version that has a known vulnerability. One tool I often use to search for vulnerabilities is searchsploit, which is the offline version of Exploit-DB. A good habit is to gather information about the target before exploiting.
For this technique, we need to find the kernel version of the target and the OS it is running. To find the kernel version, we can use uname -a. The information we got was: Linux 3.10.0-1160.el7.x86_64.

Now we need to find the operating system. To find it, we can run cat /proc/version. This is the result we got: Linux version 3.10.0-1160.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) #1 SMP Mon Oct 19 16:18:59 UTC 2020. This suggests the operating system is Red Hat-based.

Now we need to find exploits for this kernel. I am going to use Exploit-DB, but you can use whatever you want. I was able to find an exploit that corresponds to the target operating system: https://www.exploit-db.com/exploits/45516. I'm going to download the exploit to my attacker machine, compile the code, and then set up a Python HTTP server to transfer the compiled program to the target.

To compile the code, we use this command: gcc scriptName -o programName -w
However, the code doesn't work. Time to go back to square one. It doesn't look like any of the exploits listed are going to work with this OS, so let's move on to the second technique.

Sudo

To exploit with sudo, we need to find which commands the user is allowed to run with sudo. To find this information we use the command: sudo -l. When we ran the command, the server replied with "sorry, user Leonard may not run sudo". Let's move on to SUID.

SUID

We need to find the commands that have the SUID bit set, shown as s in the permission string. To find these, we use this command: find / -type f -perm -04000 -ls 2>/dev/null | awk '{print $3, $5, $6, $NF}' | grep /usr/bin/.
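As an added example (not code from the write-up or the room), here is the defender's version of that enumeration step: it reads the perms/owner/group/path lines that the awk pipeline above produces and reports every setuid file that is not in a known-good baseline. The baseline and the sample listing are constructed for illustration.

```python
"""Audit the SUID listing from the pipeline
  find / -type f -perm -04000 -ls 2>/dev/null | awk '{print $3, $5, $6, $NF}'
(one 'perms owner group path' line per file). Reports setuid files absent
from a known-good baseline so a defender can spot an added or unusual one,
such as a setuid base64."""
from typing import Iterable, List, Tuple

# Assumption: a tiny illustrative baseline. A real one is recorded from a
# clean install of the same image (rpm -V also reports changed file modes).
BASELINE = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chage", "/usr/bin/newgrp",
}

def parse_line(line: str):
    """Split one 'perms owner group path' line; None if it is not 4 fields."""
    parts = line.split()
    return tuple(parts) if len(parts) == 4 else None

def is_setuid(perms: str) -> bool:
    """ls-style mode string: the owner-execute slot (index 3) holds s or S."""
    return len(perms) == 10 and perms[3] in "sS"

def unexpected_suid(lines: Iterable[str], baseline=BASELINE) -> List[Tuple[str, str]]:
    """(path, owner) for every setuid file not in the baseline, sorted by path."""
    found = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        perms, owner, _group, path = rec
        if is_setuid(perms) and path not in baseline:
            found.add((path, owner))
    return sorted(found)

# Constructed sample in the pipeline's output shape (not the room's real listing).
SAMPLE = """\
-rwsr-xr-x root root /usr/bin/sudo
-rwsr-xr-x root root /usr/bin/passwd
-rwsr-xr-x root root /usr/bin/base64
---s--x--x root root /usr/bin/chage
-rwxr-xr-x root root /usr/bin/cat
-rwsr-xr-x missy missy /home/missy/backup
garbage line
"""

if __name__ == "__main__":
    for path, owner in unexpected_suid(SAMPLE.splitlines()):
        print(f"review: {path} (setuid to {owner})")
```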

Right now, we are focusing only on binaries. Here are the results:


Then you go to GTFOBins -> SUID and see which commands you can use to exploit SUID. I chose base64: https://gtfobins.github.io/gtfobins/base64/#suid. I read the SUID PoC to see whether I could read /etc/passwd with the command GTFOBins provides.

Command: base64 /etc/passwd | base64 --decode. It worked, but it was too much information. Then I narrowed the search to only include actual users. To do this I ran: base64 /etc/passwd | base64 --decode | grep /home/.
Here are the results:


There is another user we can pivot to, named missy. Let's see if we can brute-force missy's account. We can do this by gathering information from passwd and shadow; each is in a separate file.
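The grep /home/ filter above is a rough heuristic. As an added example (not from the write-up), this helper applies the checks a defender would run over passwd-format text instead: it picks interactive accounts by UID range and login shell, and flags extra UID-0 accounts and password fields that are not delegated to /etc/shadow. The sample content is constructed, not the room's real file.

```python
"""Account review over /etc/passwd-format text using the fields themselves
(UID and login shell) rather than a grep on the home directory path."""
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def parse_passwd(text: str):
    """Yield a dict per well-formed 7-field line; skip comments and junk."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7 or not f[2].isdigit():
            continue
        yield {"name": f[0], "pw": f[1], "uid": int(f[2]), "gid": int(f[3]),
               "gecos": f[4], "home": f[5], "shell": f[6]}

def interactive_users(text: str, min_uid: int = 1000):
    """Human accounts: UID >= min_uid (RHEL/CentOS default) with a real shell."""
    return [u["name"] for u in parse_passwd(text)
            if u["uid"] >= min_uid and u["shell"] not in NOLOGIN_SHELLS]

def review_findings(text: str):
    """Flag UID-0 accounts other than root, and password fields that hold a
    hash or nothing at all instead of deferring to /etc/shadow."""
    out = []
    for u in parse_passwd(text):
        if u["uid"] == 0 and u["name"] != "root":
            out.append(f"{u['name']}: UID 0 but not root")
        if u["pw"] not in ("x", "*", "!", "!!"):
            out.append(f"{u['name']}: password field not delegated to /etc/shadow")
    return out

# Constructed sample (assumed layout; not captured from the room).
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
leonard:x:1000:1000::/home/leonard:/bin/bash
missy:x:1001:1001::/home/missy:/bin/bash
backup:x:1002:1002::/home/backup:/sbin/nologin
toor:x:0:0::/root:/bin/bash
svc:$6$abc:1003:1003::/var/svc:/bin/sh
"""

if __name__ == "__main__":
    print("interactive:", interactive_users(SAMPLE))   # svc would be missed by grep /home/
    for finding in review_findings(SAMPLE):
        print("finding:", finding)
```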

This is what is inside passwd.txt and shadow.txt:

Now we just need to combine them into a single text file: `unshadow passwd.txt shadow.txt > missy.txt`

Now we will try to brute-force the account using the rockyou wordlist. Command: `john --wordlist=/usr/share/wordlists/rockyou.txt missy.txt`. After a couple of seconds, I found the password to missy's account.

Now that we have missy's account, let's log in and see what we can discover: `su missy`, then type the password (Password1). I discovered that the home directory contains entries named leonard, missy, and rootflag. I'm assuming these directories hold the flags for the challenge.

Let's go inside missy's directory to see if there is anything important there. After going through the files, inside the Document directory there is a flag1.txt, and the flag is THM-42828719920544. Let's see if we can find flag2.txt using find / -name flag2.txt 2>/dev/null; I got nothing.

It looks like we need to escalate our privileges from missy to root. Let's see if any sudo commands have been granted to us: sudo -l. It looks like the find command has been granted to us.


ALL means any host. NOPASSWD means the find command can be executed with sudo without entering a password. Now that we have found a command we can run with sudo, we can refer to GTFOBins https://gtfobins.github.io/#+sudo and look up the find command. All we have to do is run that command on the target machine and hopefully get root privileges.
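As an added example (not code from the write-up, the room or sudo itself), here is a small auditor for rules of the kind just described: it parses a rule either as written in sudoers (user hosts=(runas) TAG: command) or as sudo -l prints it ((runas) TAG: command), and explains why the rule matters. Two assumptions: the rule text shown is the shape of the room's rule, not a capture of it, and the shell-capable list holds only find, the binary the write-up names.

```python
"""Parse sudo rules as written in sudoers ("user hosts=(runas) TAG: cmd") or
as `sudo -l` prints them ("(runas) TAG: cmd") and explain why a rule matters:
ALL commands, NOPASSWD, or a shell-capable binary, any of them run as root."""
import re
from dataclasses import dataclass, field

SUDOERS_RE = re.compile(r"^\s*(?P<user>\S+)\s+(?P<hosts>\S+?)\s*=\s*"
                        r"(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+?)\s*$")
SUDO_L_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+?)\s*$")
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}
# Assumption: only the binary the write-up names is listed as shell-capable;
# a real audit list is built from the GTFOBins sudo entries.
SHELL_CAPABLE = {"/usr/bin/find"}

@dataclass
class Rule:
    user: str
    hosts: str       # ALL = any host
    runas: str       # ALL = any user, which includes root
    tags: set = field(default_factory=set)
    commands: list = field(default_factory=list)

def parse_rule(line: str):
    """Return a Rule, or None for blank, comment or unrecognised lines."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    user, hosts, m = "<current user>", "<this host>", SUDO_L_RE.match(line)
    if not m:
        m = SUDOERS_RE.match(line)
        if not m:
            return None
        user, hosts = m.group("user"), m.group("hosts")
    runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
    rest, tags = m.group("rest"), set()
    while (t := re.match(r"^(\w+):\s*(.*)$", rest)) and t.group(1) in TAGS:
        tags.add(t.group(1)); rest = t.group(2)        # peel leading tags
    cmds = [c.strip() for c in rest.split(",") if c.strip()]
    return Rule(user, hosts, runas, tags, cmds)

def risk_findings(rule: Rule):
    """Why the rule matters; empty list means nothing notable."""
    out, root_like = [], rule.runas in ("root", "ALL")
    if root_like and "ALL" in rule.commands:
        out.append("ALL commands as root")
    if root_like and "NOPASSWD" in rule.tags:
        out.append("NOPASSWD as root")
    hits = [c for c in rule.commands if c.split()[0] in SHELL_CAPABLE]
    if root_like and hits:
        out.append("shell-capable command as root: " + ", ".join(hits))
    return out
```

Feeding it the rule shape from this room, missy ALL=(ALL) NOPASSWD: /usr/bin/find, yields both the NOPASSWD and the shell-capable findings, while a rule such as leonard ALL=(root) /usr/bin/systemctl restart httpd yields none.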

We got root!

Lesson Learned

The key thing I learned from this activity is that one path might be closed, but it won't be closed forever. For example, leonard didn't have any sudo rights, but once we got access to missy's account, she had sudo permission. You can see this in the pictures below:

Leonard:

Missy:


Think of privilege escalation as a staircase: each user can provide a step closer to root. It doesn't have to be one user straight to root; it could take multiple users to reach root. Privilege escalation is an art.