
Linux PrivEsc Arena

The document outlines a series of tasks for privilege escalation on a target machine, including methods such as exploiting SSH keys, stored passwords, weak file permissions, and SUID binaries. It provides specific commands and techniques to gain root access through various vulnerabilities. Each task builds on the previous one, demonstrating different exploitation strategies in a Linux environment.

You can launch the target machine and access it directly from your
browser (https://tryhackme.com/room/linuxprivescarena).

>Task 3: Privilege Escalation — Kernel Exploits

Connect to the target server using SSH.

The host key is an important part of the SSH protocol and is used to verify
the authenticity of the server you are connecting to. The error message
indicates that the server supports two key types, ssh-rsa and ssh-dss, but
your SSH client is not configured to accept them. So we will use the
following command, which enables ssh-rsa for this connection only:
ssh TCM@10.10.58.31 -oHostKeyAlgorithms=+ssh-rsa

Enter the following command to find exploits on the target server


Now let’s enter the following command to exploit the target server

We managed to exploit the target machine successfully.

>Task 4: Privilege Escalation — Stored Passwords (Config Files)

Let’s review the myvpn.ovpn file using the following command:

cat /home/user/myvpn.ovpn
Here we can see the file referenced by auth-user-pass.

In that file we can already see the username and password.


>Task 5: Privilege Escalation — Stored Passwords (History)

We can search the shell command history for passwords using the following command:

cat ~/.bash_history | grep -i passw

>Task 6: Privilege Escalation — Weak File Permissions

To escalate privileges, let’s first check the permissions of the
/etc/shadow file:
ls -la /etc/shadow

Retrieve the password hashes of root and the other users using the following command:
cat /etc/shadow
Now let’s try to crack this password on our own machine.
From here we managed to find the root password.

Question: What were the file permissions on the /etc/shadow file?

>Task 7: Privilege Escalation — SSH Keys

Let’s search for files named “id_rsa” starting from the root directory (/) of
the file system
find / -name id_rsa 2> /dev/null

Let’s copy the contents of the id_rsa file to our VM.


>Task 8: Privilege Escalation — Sudo (Shell Escaping)

Let’s enter the following command to find ways to escalate privileges:
sudo -l

Let’s become the root user using the following command:

sudo find /bin -name nano -exec /bin/sh \;

>Task 9: Privilege Escalation — Sudo (Abusing Intended Functionality)


Let’s list the commands we are allowed to run with sudo:
sudo -l

Use this to get the hash of the root password.

Now let’s crack this hash on our VM.

>Task 10: Privilege Escalation — Sudo (LD_PRELOAD)


LD_PRELOAD is an environment variable used on Unix-like operating
systems to specify a list of additional shared libraries to be loaded before
others. This variable allows users to place their own functions in a dynamic
binding, which allows them to override or extend the behavior of other
functions in applications.

Let’s exploit it.
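
From the defender's side, this technique only works when sudo is configured to pass LD_PRELOAD through to the command it runs. The added example below (not part of the original walkthrough) scans `sudo -l` output or sudoers text for `env_keep` entries that preserve dynamic-loader variables; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: report dynamic-loader variables that sudo is configured
# to preserve (env_keep). Input is sudoers text or `sudo -l` output on stdin.

audit_env_keep() {
    findings=0
    lineno=0
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        line=${line%%#*}                      # ignore comments
        case $line in
            *env_keep*) ;;                    # only env_keep settings matter here
            *) continue ;;
        esac
        # Split the line into candidate variable names and keep the LD_* ones.
        for var in $(printf '%s\n' "$line" | tr -c 'A-Z_' '\n' | grep '^LD_'); do
            echo "line $lineno: sudo preserves $var"
            findings=$((findings + 1))
        done
    done
    [ "$findings" -eq 0 ]                     # non-zero status when anything is found
}

sample_sudo_l() {   # constructed sample, shaped like `sudo -l` output
    cat <<'EOF'
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/find
EOF
}

sample_sudo_l | audit_env_keep || echo "review the sudoers Defaults reported above"
```

Removing the reported variable from `env_keep` in sudoers closes this path, since sudo's default `env_reset` behaviour does not pass LD_PRELOAD to the command.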

>Task 11: Privilege Escalation — SUID (Shared Object Injection)

Find files with the SUID bit set


The strace command is used for tracing system calls and signals. In the
command you provided

Now let’s exploit this machine


>Task 12: Privilege Escalation — SUID (Symlinks)

The dpkg -l command is used to list all packages installed on a Debian-based
system. When you combine it with grep nginx, it filters the output to show
only lines containing the term “nginx”.

We need to be the www-data user to escalate to root using this.


At this stage, the system waits for logrotate to execute. In order to speed up
the process, this will be simulated by connecting to the Linux VM via a
different terminal.

Linux VM — Terminal 2

Linux VM — Terminal 1

>Task 13: Privilege Escalation — SUID (Environment Variables #1)


find / -type f -perm -04000 -ls 2>/dev/null

From the output, make note of all the SUID binaries.


strings /usr/local/bin/suid-env

The strings command is used to print printable characters from a binary file,
which can be useful for examining the contents of non-text files such as
executables. When you run strings on an executable, it will try to extract and
display any human-readable strings in the binary.

Exploitation
>Task 14: Privilege Escalation — SUID (Environment Variables #2)

>Task 15: Privilege Escalation — Capabilities


In the command prompt, type:
getcap -r / 2>/dev/null

The getcap command is used to get the capabilities of files in a file system.
File capabilities in Linux provide a way to grant certain privileges to specific
processes without giving them full superuser (root) rights.

Exploitation

Enjoy root!
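
To turn the `getcap -r /` listing above into a review list, the added example below (not part of the original walkthrough) filters getcap output for capabilities that are commonly equivalent to root when attached to a general-purpose binary. The capability shortlist, the function names and the sample paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: pick out file capabilities that deserve review from
# `getcap -r /` output read on stdin. The shortlist below is an assumption.
RISKY_CAPS="cap_setuid cap_setgid cap_sys_admin cap_sys_ptrace cap_sys_module cap_dac_override cap_dac_read_search cap_chown cap_fowner"

flag_risky_caps() {
    while IFS= read -r line; do
        # getcap prints "path = caps+ep" (older libcap) or "path caps=ep" (newer).
        path=${line%% cap_*}
        [ "$path" != "$line" ] || continue    # no capability list on this line
        caps=${line#"$path"}
        path=${path% =}
        for cap in $RISKY_CAPS; do
            case $caps in
                # Require a delimiter after the name so only whole names match.
                *"$cap"[,+=]*) echo "$path $cap" ;;
            esac
        done
    done
}

sample_getcap() {   # constructed sample covering both output formats
    cat <<'EOF'
/opt/example/interpreter = cap_setuid+ep
/usr/bin/ping cap_net_raw=ep
/opt/example/debugger cap_setuid,cap_sys_ptrace=ep
EOF
}

# On a live host: getcap -r / 2>/dev/null | flag_risky_caps
sample_getcap | flag_risky_caps
```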

>Task 16: Privilege Escalation — Cron (Path)


Exploitation

In the command prompt, type:

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh

In the command prompt, type:

chmod +x /home/user/overwrite.sh

Wait 1 minute for the Bash script to execute.
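
This task depends on cron searching a directory that an unprivileged user can write to. The added example below (not from the original walkthrough) checks every directory in a crontab's `PATH=` line for that condition; `TRUSTED_OWNER`, the function names and the sample crontab are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag crontab PATH entries that an unprivileged user could
# plant a script in. TRUSTED_OWNER (assumption) is the only acceptable owner.
TRUSTED_OWNER=${TRUSTED_OWNER:-0}

cron_path_dirs() {      # print the PATH entries of a crontab, one per line
    sed -n 's/^[[:space:]]*PATH=//p' "$1" | tail -n 1 | tr ':' '\n'
}

audit_cron_path() {
    cron_path_dirs "$1" | while IFS= read -r dir; do
        case $dir in
            /*) ;;
            *)  echo "RELATIVE $dir"; continue ;;   # resolved against the job's cwd
        esac
        [ -d "$dir" ] || { echo "MISSING $dir"; continue; }
        # -L follows symlinks such as /bin -> usr/bin before testing.
        unsafe=$(find -L "$dir" -maxdepth 0 \
            \( ! -user "$TRUSTED_OWNER" -o -perm -0020 -o -perm -0002 \) -print)
        [ -z "$unsafe" ] || echo "UNSAFE $dir"
    done
}

demo() {    # constructed crontab whose first PATH entry is world-writable
    work=$(mktemp -d)
    mkdir "$work/userdir" && chmod 777 "$work/userdir"
    printf 'SHELL=/bin/sh\nPATH=%s:/usr/bin\n* * * * * root overwrite.sh\n' \
        "$work/userdir" > "$work/crontab"
    audit_cron_path "$work/crontab"
    rm -rf "$work"
}

# On a live host: audit_cron_path /etc/crontab
demo
```

Any `UNSAFE` or `RELATIVE` entry that precedes the directory holding the real script lets another file of the same name run instead; calling scripts by absolute path in the crontab removes the dependency on PATH.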

>Task 17: Privilege Escalation — Cron (Wildcards)


>Task 18: Privilege Escalation — Cron (File Overwrite)
>Task 19: Privilege Escalation — NFS Root Squashing
The /etc/exports file is used to configure options and settings for exporting
directories via the Network File System (NFS) protocol on Unix-like operating
systems, including Linux. NFS allows file systems to be shared between
multiple computers on a network.
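
On the server side, the setting behind this task can be found by reading `/etc/exports` for exports that disable root squashing. The added example below (not part of the original walkthrough) lists every export and client carrying `no_root_squash`; the function names and the sample exports are constructed for illustration.

```shell
#!/bin/sh
# Added example: list exports that disable root squashing.
# Reads /etc/exports-style text on stdin, prints "<export path> <client>".

audit_exports() {
    sed -e 's/#.*$//' | (
        set -f                               # client specs such as * must not glob
        # Plain `read` (no -r) joins lines continued with a trailing backslash.
        while read path clients; do
            [ -n "$path" ] || continue       # blank or comment-only line
            for client in $clients; do
                case $client in
                    *no_root_squash*)
                        host=${client%%(*}
                        echo "$path ${host:-(any host)}" ;;
                esac
            done
        done
    )
}

sample_exports() {   # constructed sample, including a continued line
    cat <<'EOF'
# constructed sample
/srv/share   *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/data    10.0.0.0/24(ro,root_squash) backup.example.test(rw,no_root_squash)
/srv/pub     *(ro,all_squash)
/srv/multi \
    192.0.2.10(rw,no_root_squash)
EOF
}

# On a live host: audit_exports < /etc/exports
sample_exports | audit_exports
```

Each line of output is an export where a remote root user keeps UID 0 on the share; dropping `no_root_squash` restores the default mapping of remote root to an unprivileged user.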

Exploitation

Attacker(My) VM
