TryHackMe — Advent of Cyber 2 — Day 11

Trent Darrow
5 min read · Dec 15, 2020

Good afternoon all,

Today’s challenge focuses on privilege escalation. Reading through the learning portion, we will be looking at SUID bits and using the GTFOBins site. Anyhow, today’s intro:

“This is it — the moment that Elf McEager has been waiting for. It’s the final exam of the Nmap course that he enlisted on during “Day 8 — What’s Under the Christmas Tree?”. It looks like all that hard work of hitting the books has paid off…”Success!” Elf McEager screams…”the exploit worked! Yippeee!”

Elf McEager has successfully managed to create a reverse shell from the target back to his computer. Little did he know, the real exam begins now…The last stage of the exam requires Elf McEager to escalate his privileges! He spent so much time studying Nmap cheatsheets that he’s now drawing a blank…Can you help Elf McEager?

To be the good guy, sometimes you gotta be the bad guy first…”

Alrighty, onto Question 1: What type of privilege escalation involves using a user account to execute commands as an administrator?

Here they are talking about vertical vs. horizontal privilege escalation. Moving from a user account to a root/admin account is vertical privesc; moving sideways into another account at the same privilege level would be horizontal.

Question 2: What is the name of the file that contains a list of users who are a part of the sudo group?

Well this one is only a quick google away, I’ll let you do that one.

Question 3: What are the contents of the file located at /root/flag.txt?

Between Questions 2 and 3 the room walks through some steps for getting into the machine (SSH), looking at the SUID files, and using GTFOBins. We will use the LinEnum.sh automation script for this task.

When we get in, we have wget, so we can easily pull LinEnum.sh over to the machine.

Now that we have LinEnum.sh, just chmod +x the file to make it executable and let it run. Alrighty, we got this in the SUID section. Most of it is the stock set (su, sudo, passwd, mount, ping and friends), but /bin/bash with the SUID bit set is not normal, and that is the one to look up on GTFOBins:

[-] SUID files:
-rwsr-xr-x 1 root root 26696 Sep 16 18:43 /bin/umount
-rwsr-xr-x 1 root root 43088 Sep 16 18:43 /bin/mount
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
-rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 1113504 Jun 6 2019 /bin/bash
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
-rwsr-xr-x 1 root root 40152 Jan 27 2020 /snap/core/10444/bin/mount
-rwsr-xr-x 1 root root 44168 May 7 2014 /snap/core/10444/bin/ping
-rwsr-xr-x 1 root root 44680 May 7 2014 /snap/core/10444/bin/ping6
-rwsr-xr-x 1 root root 40128 Mar 25 2019 /snap/core/10444/bin/su
-rwsr-xr-x 1 root root 27608 Jan 27 2020 /snap/core/10444/bin/umount
-rwsr-xr-x 1 root root 71824 Mar 25 2019 /snap/core/10444/usr/bin/chfn
-rwsr-xr-x 1 root root 40432 Mar 25 2019 /snap/core/10444/usr/bin/chsh
-rwsr-xr-x 1 root root 75304 Mar 25 2019 /snap/core/10444/usr/bin/gpasswd
-rwsr-xr-x 1 root root 39904 Mar 25 2019 /snap/core/10444/usr/bin/newgrp
-rwsr-xr-x 1 root root 54256 Mar 25 2019 /snap/core/10444/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jan 31 2020 /snap/core/10444/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 11 2020 /snap/core/10444/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 May 26 2020 /snap/core/10444/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 110792 Nov 19 17:07 /snap/core/10444/usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 394984 Jul 23 15:09 /snap/core/10444/usr/sbin/pppd
-rwsr-xr-x 1 root root 40152 May 15 2019 /snap/core/7270/bin/mount
-rwsr-xr-x 1 root root 44168 May 7 2014 /snap/core/7270/bin/ping
-rwsr-xr-x 1 root root 44680 May 7 2014 /snap/core/7270/bin/ping6
-rwsr-xr-x 1 root root 40128 Mar 25 2019 /snap/core/7270/bin/su
-rwsr-xr-x 1 root root 27608 May 15 2019 /snap/core/7270/bin/umount
-rwsr-xr-x 1 root root 71824 Mar 25 2019 /snap/core/7270/usr/bin/chfn
-rwsr-xr-x 1 root root 40432 Mar 25 2019 /snap/core/7270/usr/bin/chsh
-rwsr-xr-x 1 root root 75304 Mar 25 2019 /snap/core/7270/usr/bin/gpasswd
-rwsr-xr-x 1 root root 39904 Mar 25 2019 /snap/core/7270/usr/bin/newgrp
-rwsr-xr-x 1 root root 54256 Mar 25 2019 /snap/core/7270/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jun 10 2019 /snap/core/7270/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 10 2019 /snap/core/7270/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 Mar 4 2019 /snap/core/7270/usr/lib/openssh/ssh-keysign
-rwsr-sr-x 1 root root 102600 Jun 21 2019 /snap/core/7270/usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 394984 Jun 12 2018 /snap/core/7270/usr/sbin/pppd
-rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newgidmap
-rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
-rwsr-xr-x 1 root root 149080 Jan 31 2020 /usr/bin/sudo
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 42992 Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 14328 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 100760 Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 113528 Jul 10 14:00 /usr/lib/snapd/snap-confine

And we also got this:

Going to run this down and see what we can do. I tested this: https://gtfobins.github.io/gtfobins/bash/#suid but it failed due to not being in the sudoers file.

I struggled for… too long… because I was using the wrong option the whole time. I kept trying to use -c on /bin/bash and kept coming up as the same user. I should have been using -p. Below are the descriptions of each flag:

-p works because of how bash treats the SUID bit. A SUID /bin/bash starts with an effective user ID of root but a real user ID of our own user. When those two don’t match and -p is not supplied, bash sets the effective ID back to the real one before it runs anything, which is why -c kept coming back as the same user. -p (privileged mode) skips that reset, so the shell keeps root as its effective ID. It also skips $BASH_ENV/$ENV and doesn’t import shell functions from the environment, which is the hardening that mode was built for.
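Putting the SUID triage and the -p point together in one script, as an added example that is not code from the post, from LinEnum or from GTFOBins: the listing is a constructed subset of the LinEnum output above, and the allow-list of “expected” SUID binaries is my own assumption for the example, not an authoritative Ubuntu baseline.

```sh
#!/bin/sh
# Added example for this write-up (not from the post, LinEnum or GTFOBins):
# triage a SUID listing by hand and show why 'bash -p' is the right switch.

# Constructed sample: a subset of the LinEnum "[-] SUID files:" output above.
# On a live box the same lines come from:
#   find / -perm -4000 -type f -exec ls -l {} \; 2>/dev/null
SAMPLE_SUID_LISTING='-rwsr-xr-x 1 root root 26696 Sep 16 18:43 /bin/umount
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
-rwsr-xr-x 1 root root 1113504 Jun 6 2019 /bin/bash
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
-rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
-rwsr-xr-x 1 root root 149080 Jan 31 2020 /usr/bin/sudo
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd'

# Basenames that normally carry the SUID bit on a stock Ubuntu install.
# Assumed allow-list for this example, not an authoritative baseline.
EXPECTED_SUID="mount umount su fusermount ping ping6 sudo passwd chfn chsh \
gpasswd newgrp newuidmap newgidmap pkexec traceroute6.iputils ssh-keysign \
dbus-daemon-launch-helper polkit-agent-helper-1 dmcrypt-get-device \
lxc-user-nic snap-confine pppd"

# Read 'ls -l' style lines on stdin and print the path of every file whose
# owner-execute position is 's' or 'S' (SUID set) and whose basename is not
# in EXPECTED_SUID. Those are the ones to look up on GTFOBins first.
unexpected_suid() {
    while read -r perms _links _owner _group _size _mon _day _time path; do
        [ -n "$path" ] || continue          # skip blanks and header lines
        case "$perms" in
            ???[sS]*) ;;                    # 4th character = owner exec bit
            *) continue ;;                  # no SUID bit, not interesting
        esac
        name=${path##*/}
        case " $EXPECTED_SUID " in
            *" $name "*) ;;                 # stock SUID binary, nothing to report
            *) printf '%s\n' "$path" ;;
        esac
    done
    return 0
}

# Why '-c' kept returning our own user and '-p' gave root: when bash starts
# with an effective uid different from the real uid (exactly the state a
# SUID /bin/bash puts us in) and -p is NOT supplied, it sets the effective
# uid back to the real uid before running anything. -p (privileged mode)
# skips that reset. 'id -u' prints the effective uid, 'id -ru' the real one.
euid_differs_from_ruid() {
    [ "$(id -u)" != "$(id -ru)" ]
}

# Usage
printf '%s\n' "$SAMPLE_SUID_LISTING" | unexpected_suid
# -> /bin/bash
# -> /usr/bin/at
if euid_differs_from_ruid; then
    echo "effective uid $(id -u) differs from real uid $(id -ru): SUID context"
else
    echo "effective uid matches real uid ($(id -u)): a plain shell"
fi
```

On the target, the triage flags /bin/bash, so the recipe is simply /bin/bash -p followed by id to confirm the effective uid is 0. The euid check is the same test bash performs internally; run it from inside the new shell and the two ids differ, which is exactly the condition under which a bash started without -p would have dropped you back to your own user.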

Whelp, that is it for today’s challenge. Sometimes you just need to Google harder and take a second to read a little more carefully. As always, best of luck. If you enjoy my content, feel free to add me on LinkedIn and let me know you saw the blog.

Until next time,

-3lduderino
