mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-22 12:03:03 +00:00
209 lines
7 KiB
Markdown
209 lines
7 KiB
Markdown
|
# TryHackMe-Common Linux Privilege Escalation
|
||
|
|
||
|
## NMAP
|
||
|
|
||
|
```
|
||
|
Nmap scan report for 10.10.235.8 [37/154]
|
||
|
Host is up (0.20s latency).
|
||
|
Not shown: 994 closed ports
|
||
|
PORT STATE SERVICE VERSION
|
||
|
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
|
||
|
| ssh-hostkey:
|
||
|
| 2048 37:c9:2d:7e:01:c5:ea:33:a9:e2:19:ea:66:1c:95:82 (RSA)
|
||
|
| 256 9f:48:65:f7:67:2e:92:cf:73:ce:0e:69:f1:32:46:40 (ECDSA)
|
||
|
|_ 256 ac:5f:9a:38:23:ee:ac:14:88:9e:aa:08:df:98:f4:a7 (ED25519)
|
||
|
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|
||
|
|_http-server-header: Apache/2.4.29 (Ubuntu)
|
||
|
|_http-title: Apache2 Ubuntu Default Page: It works
|
||
|
111/tcp open rpcbind 2-4 (RPC #100000)
|
||
|
| rpcinfo:
|
||
|
| program version port/proto service
|
||
|
| 100000 2,3,4 111/tcp rpcbind
|
||
|
| 100000 2,3,4 111/udp rpcbind
|
||
|
| 100000 3,4 111/tcp6 rpcbind
|
||
|
| 100000 3,4 111/udp6 rpcbind
|
||
|
| 100003 3 2049/udp nfs
|
||
|
| 100003 3 2049/udp6 nfs
|
||
|
| 100003 3,4 2049/tcp nfs
|
||
|
| 100003 3,4 2049/tcp6 nfs
|
||
|
| 100005 1,2,3 39913/tcp mountd
|
||
|
| 100005 1,2,3 43930/udp mountd
|
||
|
| 100005 1,2,3 50462/udp6 mountd
|
||
|
| 100005 1,2,3 53247/tcp6 mountd
|
||
|
| 100021 1,3,4 38879/tcp nlockmgr
|
||
|
| 100005 1,2,3 53247/tcp6 mountd
|
||
|
| 100021 1,3,4 38879/tcp nlockmgr
|
||
|
| 100021 1,3,4 40883/tcp6 nlockmgr
|
||
|
| 100021 1,3,4 47812/udp nlockmgr
|
||
|
| 100021 1,3,4 57217/udp6 nlockmgr
|
||
|
| 100227 3 2049/tcp nfs_acl
|
||
|
| 100227 3 2049/tcp6 nfs_acl
|
||
|
| 100227 3 2049/udp nfs_acl
|
||
|
|_ 100227 3 2049/udp6 nfs_acl
|
||
|
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|
||
|
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
|
||
|
2049/tcp open nfs_acl 3 (RPC #100227)
|
||
|
Service Info: Host: LINUX; OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
||
|
|
||
|
Host script results:
|
||
|
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|
||
|
|_nbstat: NetBIOS name: LINUX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|
||
|
| smb-os-discovery:
|
||
|
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|
||
|
| Computer name: polobox
|
||
|
| NetBIOS computer name: LINUX\x00
|
||
|
| Domain name: \x00
|
||
|
| FQDN: polobox
|
||
|
|_ System time: 2020-11-21T10:27:08-05:00
|
||
|
| smb-security-mode:
|
||
|
| account_used: guest
|
||
|
| authentication_level: user
|
||
|
| challenge_response: supported
|
||
|
|_ message_signing: disabled (dangerous, but default)
|
||
|
| smb2-security-mode:
|
||
|
| 2.02:
|
||
|
|_ Message signing enabled but not required
|
||
|
| smb2-time:
|
||
|
| date: 2020-11-21T15:27:08
|
||
|
|_ start_date: N/A
|
||
|
|
||
|
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
||
|
Nmap done: 1 IP address (1 host up) scanned in 25.45 seconds
|
||
|
|
||
|
```
|
||
|
|
||
|
## Enumeration
|
||
|
|
||
|
|
||
|
|
||
|
1. First, lets SSH into the target machine, using the credentials user3:password. This is to simulate getting a foothold on the system as a normal privilege user.
|
||
|
`No answer needed`
|
||
|
|
||
|
2. What is the target's hostname?
|
||
|
|
||
|
|
||
|
`polobox`
|
||
|
|
||
|
<img src="https://imgur.com/cIQZlOM.png"/>
|
||
|
|
||
|
By reading the contents of `/etc/passwd` there are 8 users
|
||
|
|
||
|
3. Look at the output of /etc/passwd how many "user[x]" are there on the system?
|
||
|
|
||
|
`8`
|
||
|
|
||
|
<img src="https://imgur.com/ps8gddG.png"/>
|
||
|
|
||
|
4. How many available shells are there on the system?
|
||
|
|
||
|
`4`
|
||
|
|
||
|
<img src="https://imgur.com/1X1bWkQ.png"/>
|
||
|
|
||
|
5. What is the name of the bash script that is set to run every 5 minutes by cron?
|
||
|
|
||
|
`autoscript.sh`
|
||
|
|
||
|
6. What critical file has had its permissions changed to allow some users to write to it?
|
||
|
|
||
|
`/etc/passwd`
|
||
|
|
||
|
## Abusing SUID/GUID Files
|
||
|
|
||
|
<img src="https://imgur.com/b4T3log.png"/>
|
||
|
|
||
|
1. What is the path of the file in user3's directory that stands out to you?
|
||
|
`/home/user3/shell`
|
||
|
|
||
|
|
||
|
## Exploiting a writable /etc/passwd
|
||
|
|
||
|
1. Having read the information above, what direction privilege escalation is this attack?
|
||
|
`Vertical`
|
||
|
|
||
|
Now to generate a simple password hash , `openssl` can do that however it is not only used for generating md5 hash it's a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer ,Security (TLS v1) network protocols and related cryptography standards required by them.
|
||
|
|
||
|
`openssl passwd -1 --salt abc 123` so let's breakdown this command
|
||
|
|
||
|
```
|
||
|
openssl , is the tool that we are using
|
||
|
passwd , is telling to generate a passwd
|
||
|
-1 ,it's telling to use md5 hashing algorithm
|
||
|
--salt ,telling to use the salt which is a random value but in this case we are using new and 123 is the actual password on which this alogrithm will be applied
|
||
|
```
|
||
|
|
||
|
|
||
|
<img src="https://imgur.com/o0VewRd.png"/>
|
||
|
|
||
|
2. What is the hash created by using this command with the salt, "new" and the password "123"?
|
||
|
`$1$new$p7ptkEKU1HnaHpRtzNizS1`
|
||
|
|
||
|
|
||
|
<img src="https://imgur.com/R8QFh9Y.png"/>
|
||
|
|
||
|
3. What would the /etc/passwd entry look like for a root user with the username "new" and the password hash we created before?
|
||
|
`new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash`
|
||
|
|
||
|
## Escaping Vi Editor
|
||
|
|
||
|
Use "su" to swap to user8, with the password "password"
|
||
|
|
||
|
<img src="https://imgur.com/EBlBf5b.png"/>
|
||
|
|
||
|
Run it with `sudo /usr/bin/vi`
|
||
|
|
||
|
<img src="https://imgur.com/UkunmAC.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/UySCvQ2.png"/>
|
||
|
|
||
|
1. `sudo -l` command, what does this user require (or not require) to run vi as root?
|
||
|
`NOPASSWD`
|
||
|
|
||
|
|
||
|
## Exploiting Crontab
|
||
|
|
||
|
We can see a cronjob running as `root` user
|
||
|
|
||
|
<img src="https://imgur.com/C6lsigg.png"/>
|
||
|
|
||
|
So now we have to create a payload and append it to the cron script
|
||
|
|
||
|
<img src="https://imgur.com/GOE3YSW.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/Ld6hwUh.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/1XcVEuU.png"/>
|
||
|
|
||
|
1. What directory is the "autoscript.sh" under?
|
||
|
|
||
|
`/home/user4/Desktop`
|
||
|
|
||
|
## Exploiting PATH Variable
|
||
|
|
||
|
<img src="https://imgur.com/m0y30wa.png"/>
|
||
|
|
||
|
1. Let's go to user5's home directory, and run the file "script". What command do we think that it's executing?
|
||
|
`ls`
|
||
|
|
||
|
<img src="https://imgur.com/JdKqiXI.png"/>
|
||
|
|
||
|
2. What would the command look like to open a bash shell, writing to a file with the name of the executable we're imitating
|
||
|
`echo "/bin/bash" `
|
||
|
|
||
|
3. Great! Now we've made our imitation, we need to make it an executable. What command do we execute to do this?
|
||
|
|
||
|
`chmod +x ls`
|
||
|
|
||
|
Now we must edit the $PATH variable to do this we must include the path for our `ls` binary
|
||
|
|
||
|
`export PATH=/tmp:$PATH` , when we run it in bash it would just invoke a bash
|
||
|
|
||
|
<img src="https://imgur.com/aJ8smTM.png"/>
|
||
|
|
||
|
<img src="https://imgur.com/tDyqlo0.png"/>
|
||
|
|
||
|
Now we are root !
|
||
|
|
||
|
To revert back and use `ls` command we can just edit the enviromental variable `$PATH` and remove the `/tmp` from it
|
||
|
|
||
|
<img src="https://imgur.com/I4iUuce.png"/>
|