
Monday is here and we’re back and it’s time for more THM!
Today we continue with the Linux Privilege Escalation room.
Where we last left off, we were on the Privilege Escalation: PATH section of the room.




We start by using the ‘echo $PATH’ command, which shows us the locations from which we can launch binaries.

We then check where we have writable access within the file system.


We then add /tmp to the path as seen in the section below.

We then find that this is not where the box intended us to go, so after checking the questions we find that /home/murdoch is the directory which we needed to add to the $PATH variable. Within this folder we find a ./test file which we run, and we then escalate our privileges with the use of the ‘thm’ file which we created, which had /bin/bash echoed into it with the permissions set to 777.

Flag – THM-736628929
Will need to look into this privilege escalation technique more, as I’m not 100% on the workings of this as of yet.



We check out the NFS shares listed in /etc/exports; we see there are three that we could use, and in this instance we decide to use /tmp.

We use the showmount -e command just to double check from our attacking machine.

We use the C script that was previously used in order to escalate our privileges after creating a share on our local machine, and then run the ./nfs script on the vulnerable box, which allows us to gain root access (a few of the images are missing due to an issue with the box).

After this we are able to get the flag7.txt flag.

Flag – THM-89384012
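As an added example (not from the room or the original post), here is a small defender-side audit that checks the two misconfigurations walked through above: PATH entries the current user could drop a binary into (the hook behind the ‘thm’ trick), and /etc/exports entries that keep no_root_squash (the hook behind the NFS trick). The exports file contents are a constructed sample, and the can_write parameter only exists so the PATH check can be tested without touching the real file system.

```python
import os
import re

# Constructed sample of an /etc/exports file (not the room's box).
SAMPLE_EXPORTS = """\
# /etc/exports: NFS file systems being exported
/home/backup *(rw,sync,no_root_squash,no_subtree_check)
/tmp         *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/nfs     10.0.0.0/8(ro,sync,no_subtree_check)
"""

def writable_path_entries(path_value, can_write=lambda d: os.access(d, os.W_OK)):
    """Return (entry, reason) for PATH entries an unprivileged user could
    plant a binary in. Anything run by a privileged process that calls a
    command by bare name (not an absolute path) would then pick it up.
    Empty or relative entries resolve to the current working directory,
    so they are flagged outright."""
    findings = []
    for entry in path_value.split(":"):
        if entry == "" or not entry.startswith("/"):
            findings.append((entry, "relative entry resolves to cwd"))
        elif can_write(entry):
            findings.append((entry, "directory is writable"))
    return findings

CLIENT_RE = re.compile(r"^(\S*)\((.*)\)$")

def risky_exports(exports_text):
    """Return (path, client, options) for every export whose options keep
    no_root_squash, i.e. root on the client stays root on the share."""
    findings = []
    for line in exports_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 2:
            continue  # blank, comment, or an export with no client spec
        path = tokens[0]
        for tok in tokens[1:]:
            m = CLIENT_RE.match(tok)
            if not m:
                continue
            client, opts = m.group(1) or "*", m.group(2).split(",")
            if "no_root_squash" in opts:
                findings.append((path, client, opts))
    return findings

if __name__ == "__main__":
    for entry, why in writable_path_entries(os.environ.get("PATH", "")):
        print(f"[PATH] {entry or '(empty)'}: {why}")
    for path, client, opts in risky_exports(SAMPLE_EXPORTS):
        print(f"[NFS] {path} exported to {client} with no_root_squash")
```

The remediation on the box side is the mirror image of each finding: keep PATH directories non-writable (and let privileged programs use absolute paths), and drop no_root_squash from any export that does not strictly need it.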

Lastly, we move on to the CapStone Challenge!

In this section we SSH into the box using the username Leonard and the password Penny123. I’m thinking this could be something Big Bang Theory related.

We see that Leonard does not have any ability to use sudo.

We run LinEnum.sh after wget’ing the file over from our machine to the box, and find that base64 has the SUID bit set, so we are able to leverage this with the help of https://gtfobins.github.io/.

We further check the standard sections of the system:

Check -0400 files.

Check the capabilities

Check the env.

Checked /etc/crontab, and there appear to be no cron jobs set on the machine, so this does not appear to be the escalation vector we need to use.

There don’t appear to be any NFS shares which we can abuse either.

Restarted the machine.
This is where we are able to use base64 to read a file (the /etc/shadow file) into a variable, enabling us to get the hashes of missy & root (we were unable to crack the root hash).

We crack missy’s hash (Password1) and su to missy, where we check whether she has any sudo -l access, which she does. This turns out to be the find binary, which enables us to locate the flag, and furthermore we are able to use sudo su to get to root and solve this last challenge!

Flag 1 – THM-42828719920544

Flag 2 – THM-168824782390238

Overall, I found this quite a tough box, but I feel as though I have learnt a lot during it and feel that I need to keep learning, as there was quite a lot within this module that I didn’t understand 100%. Still, I feel quite proud that I was able to finish this mostly without any help from the AI bot (which in this instance was quite handy)!


Until next time & don’t sleepwalk through life!
Bidāẏa
