TryHackMe: Complete Beginner
author: Nathan Acks
Common Linux Privsec
Direction of Privilege Escalation
- HORIZONTAL PRIVILEGE ESCALATION is obtaining access to another user account with the same(ish) privileges as the compromised account.
- VERTICAL PRIVILEGE ESCALATION is obtaining access to another user account with higher privileges than the compromised account.
In general, vertical escalation involves obtaining root/SYSTEM access.
TryHackMe is going to focus on the use of the LinEnum script. Direct download via:
curl -O https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
Abusing SUID/GUID Files
# Find SUID/SGID binaries # find / -type f -perm -u=s # # ...or... # find / -type f -perm -4000
Recall that leading a permission specified with
find requires that all of the specified permission bits be set (but is agnostic as to the presence/absence of additional permissions); for numeric permissions 0 effectively acts as a wildcard.
Exploiting Writeable /etc/passwd
Strangely, it turns out that the
x in the password field for /etc/password isn’t just anachronistic - it still literally means “look in /etc/shadow”. If a password is present in that field instead… Well, the login process (at least on most Linux systems) will still use that!
Compliant password hashes can be created with the
openssl passwd command. For example, to create an MD5 hashed password:
openssl passwd -1 -salt $SALT $PASSWORD
It’s also possible to have multiple users with the same UID and GID in /etc/passwd (wut?). So this is a way of “cloning” the root account.
Escaping the Vi Editor
sudo -l command will helpfully tell us what we can run as the superuser without a password.
Expanding Your Knowledge
Linux privilege escalation checklists: