CTF-Writeups/TryHackMe/Common_Linux_Privesc.md
2020-11-21 22:25:20 +05:00

7 KiB

TryHackMe-Common Linux Privilege Escalation

NMAP

Nmap scan report for 10.10.235.8                                                                             [37/154]
Host is up (0.20s latency).                               
Not shown: 994 closed ports                               
PORT     STATE SERVICE     VERSION         
22/tcp   open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:                                            
|   2048 37:c9:2d:7e:01:c5:ea:33:a9:e2:19:ea:66:1c:95:82 (RSA)
|   256 9f:48:65:f7:67:2e:92:cf:73:ce:0e:69:f1:32:46:40 (ECDSA)
|_  256 ac:5f:9a:38:23:ee:ac:14:88:9e:aa:08:df:98:f4:a7 (ED25519)
80/tcp   open  http        Apache httpd 2.4.29 ((Ubuntu))                                                            
|_http-server-header: Apache/2.4.29 (Ubuntu)                                                                         
|_http-title: Apache2 Ubuntu Default Page: It works                                                                  
111/tcp  open  rpcbind     2-4 (RPC #100000)                                                                         
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      39913/tcp   mountd
|   100005  1,2,3      43930/udp   mountd
|   100005  1,2,3      50462/udp6  mountd
|   100005  1,2,3      53247/tcp6  mountd
|   100021  1,3,4      38879/tcp   nlockmgr
|   100005  1,2,3      53247/tcp6  mountd
|   100021  1,3,4      38879/tcp   nlockmgr
|   100021  1,3,4      40883/tcp6  nlockmgr
|   100021  1,3,4      47812/udp   nlockmgr
|   100021  1,3,4      57217/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     3 (RPC #100227)
Service Info: Host: LINUX; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: LINUX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: polobox
|   NetBIOS computer name: LINUX\x00
|   Domain name: \x00
|   FQDN: polobox
|_  System time: 2020-11-21T10:27:08-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-11-21T15:27:08 
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.45 seconds

Enumeration

  1. First, lets SSH into the target machine, using the credentials user3:password. This is to simulate getting a foothold on the system as a normal privilege user. No answer needed

  2. What is the target's hostname?

polobox

By reading the contents of /etc/passwd there are 8 users

  1. Look at the output of /etc/passwd how many "user[x]" are there on the system?

8

  1. How many available shells are there on the system?

4

  1. What is the name of the bash script that is set to run every 5 minutes by cron?

autoscript.sh

  1. What critical file has had its permissions changed to allow some users to write to it?

/etc/passwd

Abusing SUID/GUID Files

  1. What is the path of the file in user3's directory that stands out to you? /home/user3/shell

Exploiting a writable /etc/passwd

  1. Having read the information above, what direction privilege escalation is this attack? Vertical

Now to generate a simple password hash , openssl can do that however it is not only used for generating md5 hash it's a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer ,Security (TLS v1) network protocols and related cryptography standards required by them.

openssl passwd -1 --salt abc 123 so let's breakdown this command

openssl , is the tool that we are using
passwd , is telling to generate a passwd
-1     ,it's telling to use md5 hashing algorithm
--salt ,telling to use the salt which is a random value but in this case we are using new and 123 is the actual password on which this alogrithm will be applied
  1. What is the hash created by using this command with the salt, "new" and the password "123"? $1$new$p7ptkEKU1HnaHpRtzNizS1
  1. What would the /etc/passwd entry look like for a root user with the username "new" and the password hash we created before? new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash

Escaping Vi Editor

Use "su" to swap to user8, with the password "password"

Run it with sudo /usr/bin/vi

  1. sudo -l command, what does this user require (or not require) to run vi as root? NOPASSWD

Exploiting Crontab

We can see a cronjob running as root user

So now we have to create a payload and append it to the cron script

  1. What directory is the "autoscript.sh" under?

/home/user4/Desktop

Exploiting PATH Variable

  1. Let's go to user5's home directory, and run the file "script". What command do we think that it's executing? ls
  1. What would the command look like to open a bash shell, writing to a file with the name of the executable we're imitating echo "/bin/bash"

  2. Great! Now we've made our imitation, we need to make it an executable. What command do we execute to do this?

chmod +x ls

Now we must edit the $PATH variable to do this we must include the path for our ls binary

export PATH=/tmp:$PATH , when we run it in bash it would just invoke a bash

Now we are root !

To revert back and use ls command we can just edit the enviromental variable $PATH and remove the /tmp from it