
Friday is here and it’s time for more THM!
We will pick up where we left off yesterday, which was midway through the Linux Privilege Escalation module!

We moved on to the Privilege Escalation: SUID section of the module.

We start off with the command "find / -type f -perm -04000 -ls 2>/dev/null", which lists all the files/binaries that have the SUID bit set and so can be run as root or with escalated privileges.
We try a few but are unsuccessful, and then we get a hint about what to try next.


We then take a look at base64, check out https://gtfobins.github.io/gtfobins/base64/ and find the following below.

We run the command we found with LFILE=/etc/shadow, which stores the path of the shadow file in a variable, and then base64 "$LFILE" | base64 --decode lets us read the contents of the shadow file.

I then copy the hash for user2 out of the shadow file into a file called hash.txt and cat that file to make sure it has been saved correctly.

We then run john with rockyou.txt as the wordlist; as we know from previous rooms/modules, /etc/shadow hashes need "--format=sha512crypt". This reveals that the password for user2 is the same as it is for the user karen (Password1).

We then su to user2 and see that user2 is also not a privileged user; however, we can use the same trick with the SUID bit on base64 to get this flag.

In this instance I just checked where flag3.txt was (even though it is always in the same place) and then, as mentioned, used the same technique as before: setting LFILE= to the path of flag3.txt, running base64 "$LFILE" and piping it to base64 --decode, which gave me the flag.

Flag – THM-3847834


In this next section we use the getcap command, which shows the capabilities set on binaries that we may be able to use to escalate our privileges.

We find that we can use the 'view' binary, which has been highlighted below. With this information to hand we locate flag4.txt and use the view command to read the flag, which is also noted below.


Flag – THM-9349843
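A defender's counterpart to the SUID and capability hunting in the two sections above, added here as an example (it is not one of the room's commands and not part of this write-up's own steps): a small POSIX sh audit that lists SUID files, reports any whose name is not in an assumed baseline (a SUID copy of base64 would show up immediately), and runs getcap -r when libcap's getcap is installed. The SUID_BASELINE list is an assumption to tune per distribution.

```shell
#!/bin/sh
# Added audit helper (not from the TryHackMe room). Lists SUID binaries under a
# directory tree, reports the ones outside an assumed baseline, and lists file
# capabilities if getcap is available.

# Assumed baseline of binaries that are normally SUID on a stock Linux install;
# adjust for the distribution being audited.
SUID_BASELINE="passwd su sudo mount umount chsh chfn gpasswd newgrp ping fusermount"

# Print every regular file with the SUID bit set under $1 (default "/"),
# one path per line. -perm -04000 matches any mode that has the SUID bit.
find_suid() {
  root="${1:-/}"
  find "$root" -type f -perm -04000 2>/dev/null
}

# Print SUID files whose basename is not in SUID_BASELINE. Anything listed
# here deserves a look: a SUID base64, for example, can read root-only files.
unexpected_suid() {
  find_suid "$1" | while IFS= read -r path; do
    name=$(basename "$path")
    case " $SUID_BASELINE " in
      *" $name "*) ;;                 # known baseline binary, skip it
      *) printf '%s\n' "$path" ;;     # not expected to be SUID, report it
    esac
  done
}

# List file capabilities recursively when getcap (from libcap) is installed;
# a binary with cap_setuid or similar is worth the same scrutiny as a SUID one.
list_caps() {
  if command -v getcap >/dev/null 2>&1; then
    getcap -r "${1:-/}" 2>/dev/null
  else
    echo "getcap not installed; skipping capability scan" >&2
  fi
}

# Usage (after sourcing this file):  unexpected_suid / ; list_caps /
```

The baseline match is on basename only, so a SUID binary with a familiar name in an unusual directory will not be reported; compare full paths against a package manager's file list if that matters for the host.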

In the next task we exploited the cron jobs present on the machine.
Firstly we viewed /etc/crontab on the box and found four jobs running as root, one of which pointed into the home directory of karen, which we had access to.

We checked the file permissions to confirm this and can see that the file is indeed writable by our current user.

We edit the file with a one-line bash reverse shell back to our local machine.

We check that the file has been updated and chmod +x the backup.sh file to ensure that it is executable.

We set up a netcat listener for incoming connections and, as the cron job runs, we catch a shell running as root. (I had tried launching the shell directly first but, as you may have guessed, that gave a shell as karen and not root.)

We find the location of the flag and then cat the flag.

Flag – THM-383000283

We then cat /etc/shadow and grab matt's hash from the file.

We create a hash.txt file and pass it to john in order to crack the hash, which found the password was 123456.
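The cron misconfiguration used above (a root job whose script sits in a user's home directory and is writable by that user) is easy to check for from the defender's side. As an added example, not one of the room's commands and not part of this write-up's own steps: a POSIX sh audit that reads a crontab in the system format (minute hour dom month dow user command) and reports root jobs whose script is owned by a non-root user or is group- or world-writable. The crontab path is passed as an argument; @reboot-style entries and the permissions of parent directories are not handled.

```shell
#!/bin/sh
# Added audit helper (not from the TryHackMe room). Flags entries in a
# system-format crontab that run as root but point at a script a non-root
# user could modify.

# Echo why the file at $1 could be modified by a non-root user, or return 1
# if nothing looks wrong. Uses the ls -ld permission string (-rwxrwxrwx):
# character 6 is the group write bit, character 9 the world write bit.
writability_reason() {
  f="$1"
  line=$(ls -ld "$f") || return 1
  perms=$(printf '%s' "$line" | cut -c1-10)
  owner=$(printf '%s' "$line" | awk '{print $3}')
  if [ "$owner" != "root" ]; then
    echo "owned-by-$owner"
  elif [ "$(printf '%s' "$perms" | cut -c6)" = "w" ]; then
    echo "group-writable"
  elif [ "$(printf '%s' "$perms" | cut -c9)" = "w" ]; then
    echo "world-writable"
  else
    return 1
  fi
}

# Read the crontab at $1 and print "root <script> <reason>" for each risky job.
# Comment lines, blank lines and variable assignments (SHELL=, PATH=) are
# skipped; only jobs whose command starts with an absolute, existing path are
# assessed, since anything else cannot be judged from the crontab alone.
audit_crontab() {
  crontab_file="$1"
  grep -Ev '^[[:space:]]*(#|$)|^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$crontab_file" |
  while read -r min hour dom mon dow user cmd; do
    [ "$user" = "root" ] || continue       # only root jobs matter here
    script=${cmd%% *}                      # first word of the command
    [ -e "$script" ] || continue           # relative or missing path: skip
    reason=$(writability_reason "$script") || continue
    printf '%s %s %s\n' "$user" "$script" "$reason"
  done
}

# Usage (after sourcing this file):  audit_crontab /etc/crontab
```

Run the same check over the files in /etc/cron.d, which use the same user-field format; per-user crontabs under /var/spool/cron do not carry a user column and would need the field list shortened by one.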

That’s enough for today, we will continue this over the weekend and/or Monday!


Until next time & don’t sleepwalk through life!
Alweda
