THM — Linux Priv Esc

This room is aimed at walking you through a variety of Linux Privilege Escalation techniques. Below are some of the tasks:

Task 2 : Service Exploits

Located within the VM is a file under the name raptor_udf2.c. This is a helper dynamic library for local privilege escalation through MySQL run with root privileges. Compiling and executing this file allows us to connect to MySQL shell and to create a UDF:“do_system”.

Executing the command do_system to copy /bin/bash to /tmp/rootbash and set the SUID permission:

Exiting MySQL, we attempt to run the /tmp/rootbash executable with -p to gain a shell running with root privileges:

Task 3: Weak File Permissons: /etc/shadow

Each line of the file represents a user. A user’s password hash (if they have one) can be found between the first and second colons (:) of each line.

Switching over to our Kali Linux VM, we can utilize John The Ripper to crack the hash.

Task 6: Sudo Shell Escape Sequences

Searching the above programs in GTFOBins shows us how to potentially raise our privileges. Of the list above, we attempt to login as root with the man command. For the man command in GTFOBins, we can escalate our privileges by: sudo man man and !/bin/sh within the man page. Below is our attempt:

Task 7: Sudo — Environment Variables

This exploit works by using both LD_PRELOAD and LD_LIBRARY_PATH. Preload loads a shared object before any others when a program is run. LD_LIBRARY_PATH provides a list of directories where shared libraries are searched for first. This exploit works by setting LD_PRELOAD to the path of a shared object, that file will be loaded before any other library, which allows us to choose the path with LD_LIBRARY_PATH. Running the command given to us we see that from our vulnerable sudo program man, we can gain root shell.

Attempting this same approach on apache2. We first load all the libraries for apache2. We then compile a similar file to libcrypt using the code located at /home/user/tools/sudo/library_path.c. We then run apache2 using sudo, while settings the LD_LIBRARY_PATH environment variable to /tmp, which is where we have our compiled code .

Task 8 - Cron Jobs: File Permissions

The same method can be used for PATH environment variables.

Task 16: History Files

In the screenshot above we can see that a user mistyped the command to the sql server. The user forgot to leave a space between the -p option and the password.

Task 17- Config Files



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store